GoReleaser cosign signing failed in CI
GoReleaser can sign artifacts and images with cosign. Keyless signing needs the workflow to have id-token: write so cosign can get an OIDC token; key-based signing needs the key and its password provided.
What this error means
GoReleaser fails at the cosign step with "signing failed" and an error about a missing OIDC token, missing key, or "getting key: no such file".
Terminal
⨯ sign failed error=cosign: signing failed: getting signer:
reading key: open cosign.key: no such file or directoryCommon causes
Keyless signing lacks id-token permission
Without permissions: id-token: write, cosign cannot obtain the OIDC token needed for keyless (Fulcio) signing.
A key file or password is missing
Key-based signing needs the private key present and its password set, or cosign cannot load the signer.
How to fix it
Grant id-token for keyless signing
Add the permission so cosign can request an OIDC token for keyless signing.
.github/workflows/release.yml
permissions:
contents: write
id-token: writeProvide the key and password for key-based signing
- Write the cosign key from a secret to a file in a setup step.
- Set
COSIGN_PASSWORDfrom a secret in the step env. - Reference the key path in the signs config.
.goreleaser.yaml
signs:
- cmd: cosign
args: ["sign-blob", "--key=cosign.key", "--output-signature=${signature}", "${artifact}"]
artifacts: allHow to prevent it
- Add
id-token: writewhen using keyless cosign signing. - Store cosign keys and passwords in secrets.
- Test the sign step with a snapshot build before releasing.
Related guides
GoReleaser GPG "signing failed" in CIFix GoReleaser GPG signing failures in CI - the signing key is not imported, or gpg cannot run non-interactiv…
GoReleaser "failed to build/push docker image" in CIFix GoReleaser Docker image build and push failures in CI - the registry login is missing, so the push is den…
GoReleaser announce step token/auth failed in CIFix GoReleaser announce failures in CI - posting the release to Slack, Discord, or Twitter fails when the web…