Skip to content
Latchkey

sigstore "certificate identity does not match" on cosign verify in CI

Keyless verification checks that the Fulcio certificate was issued to the identity you expect. A mismatch means the --certificate-identity or --certificate-oidc-issuer you supplied does not equal what actually signed the artifact.

What this error means

cosign verify fails with "none of the expected identities matched what was in the certificate" and prints the expected versus the actual SAN and issuer.

cosign
Error: none of the expected identities matched what was in the certificate,
got subjects [https://github.com/acme/app/.github/workflows/release.yml@refs/tags/v1.2.3]
with issuer https://token.actions.githubusercontent.com

Common causes

The identity SAN does not match the workflow that signed

The certificate SAN encodes the exact workflow path and ref. A fixed --certificate-identity breaks when the ref or workflow file differs from what you pinned.

The wrong OIDC issuer

Passing the wrong --certificate-oidc-issuer (for example a generic Sigstore issuer instead of the GitHub Actions issuer) never matches.

How to fix it

Use a regexp identity plus the correct issuer

  1. Set --certificate-oidc-issuer to https://token.actions.githubusercontent.com for GitHub Actions.
  2. Use --certificate-identity-regexp to match the workflow path across refs.
  3. Copy the exact "got subjects" value from the error when in doubt.
Terminal
cosign verify \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate-identity-regexp '^https://github.com/acme/app/.github/workflows/release.yml@refs/tags/.*' \
  ghcr.io/acme/app@sha256:...

Pin an exact identity for a fixed release workflow

For a single release workflow and ref, an exact --certificate-identity is stricter and clearer than a regexp.

Terminal
--certificate-identity https://github.com/acme/app/.github/workflows/release.yml@refs/tags/v1.2.3

How to prevent it

  • Set the OIDC issuer to the GitHub Actions issuer for keyless verify.
  • Use an identity regexp that tolerates the refs you release from.
  • Read the "got subjects" line to see the exact identity to expect.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →