Provenance "unverified" blocking a policy gate in CI
A release gate that requires verified SLSA provenance blocks the deploy when the artifact has no provenance, or its provenance does not verify against the expected builder and source. The gate is doing its job; the provenance chain is the gap.
What this error means
A deploy or admission step reports the artifact provenance as "unverified" or "provenance verification failed" and refuses to promote the image.
policy check: provenance for ghcr.io/acme/app@sha256:... is UNVERIFIED
(no provenance from expected builder github.com/acme/app)Common causes
The build never produced provenance
The attest or SLSA generator step was skipped or failed, so there is nothing for the gate to verify.
The provenance does not match the expected builder/source
Provenance exists but was produced by a different builder or references a different source, so it fails the policy expectations.
How to fix it
Produce provenance and verify it before the gate
- Add the attest/provenance step to the build so every image ships provenance.
- Verify provenance in CI with the same builder and source the gate expects.
- Only promote images that pass verification.
slsa-verifier verify-image ghcr.io/acme/app@sha256:... \
--source-uri github.com/acme/app \
--builder-id https://github.com/acme/app/.github/workflows/release.yml@refs/tags/v1.2.3Align the gate expectations with the real builder
Set the policy expected builder-id and source to match what actually produces provenance, so legitimate builds are not rejected.
How to prevent it
- Attach provenance to every release artifact.
- Verify provenance in CI before the promotion gate runs.
- Keep the policy expected builder and source in sync with the pipeline.