sigstore "certificate identity does not match" on cosign verify in CI
Keyless verification checks that the Fulcio certificate was issued to the identity you expect. A mismatch means the --certificate-identity or --certificate-oidc-issuer you supplied does not equal what actually signed the artifact.
What this error means
cosign verify fails with "none of the expected identities matched what was in the certificate" and prints the expected versus the actual SAN and issuer.
Error: none of the expected identities matched what was in the certificate,
got subjects [https://github.com/acme/app/.github/workflows/release.yml@refs/tags/v1.2.3]
with issuer https://token.actions.githubusercontent.comCommon causes
The identity SAN does not match the workflow that signed
The certificate SAN encodes the exact workflow path and ref. A fixed --certificate-identity breaks when the ref or workflow file differs from what you pinned.
The wrong OIDC issuer
Passing the wrong --certificate-oidc-issuer (for example a generic Sigstore issuer instead of the GitHub Actions issuer) never matches.
How to fix it
Use a regexp identity plus the correct issuer
- Set
--certificate-oidc-issuertohttps://token.actions.githubusercontent.comfor GitHub Actions. - Use
--certificate-identity-regexpto match the workflow path across refs. - Copy the exact "got subjects" value from the error when in doubt.
cosign verify \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp '^https://github.com/acme/app/.github/workflows/release.yml@refs/tags/.*' \
ghcr.io/acme/app@sha256:...Pin an exact identity for a fixed release workflow
For a single release workflow and ref, an exact --certificate-identity is stricter and clearer than a regexp.
--certificate-identity https://github.com/acme/app/.github/workflows/release.yml@refs/tags/v1.2.3How to prevent it
- Set the OIDC issuer to the GitHub Actions issuer for keyless verify.
- Use an identity regexp that tolerates the refs you release from.
- Read the "got subjects" line to see the exact identity to expect.