Skip to content
Latchkey

GoReleaser cosign signing failed in CI

GoReleaser can sign artifacts and images with cosign. Keyless signing needs the workflow to have id-token: write so cosign can get an OIDC token; key-based signing needs the key and its password provided.

What this error means

GoReleaser fails at the cosign step with "signing failed" and an error about a missing OIDC token, missing key, or "getting key: no such file".

Terminal
  ⨯ sign failed  error=cosign: signing failed: getting signer:
  reading key: open cosign.key: no such file or directory

Common causes

Keyless signing lacks id-token permission

Without permissions: id-token: write, cosign cannot obtain the OIDC token needed for keyless (Fulcio) signing.

A key file or password is missing

Key-based signing needs the private key present and its password set, or cosign cannot load the signer.

How to fix it

Grant id-token for keyless signing

Add the permission so cosign can request an OIDC token for keyless signing.

.github/workflows/release.yml
permissions:
  contents: write
  id-token: write

Provide the key and password for key-based signing

  1. Write the cosign key from a secret to a file in a setup step.
  2. Set COSIGN_PASSWORD from a secret in the step env.
  3. Reference the key path in the signs config.
.goreleaser.yaml
signs:
  - cmd: cosign
    args: ["sign-blob", "--key=cosign.key", "--output-signature=${signature}", "${artifact}"]
    artifacts: all

How to prevent it

  • Add id-token: write when using keyless cosign signing.
  • Store cosign keys and passwords in secrets.
  • Test the sign step with a snapshot build before releasing.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →