Skip to content
Latchkey

OpenTofu provider signature verification error in CI

OpenTofu verifies each provider package against a signature published by the registry. This error means the signature could not be validated, usually because a mirror served an unsigned package or the signing key is not trusted.

What this error means

tofu init fails with an error about the provider package signature, for example "the signature ... could not be verified" or "unable to verify the cryptographic signature" for a provider from a mirror.

tofu
Error: Failed to install provider

Error while installing hashicorp/aws v5.60.0: the authenticity of the provider
package could not be verified: the signature could not be verified using the
keys provided by the registry.

Common causes

A mirror served a package without a valid signature

A network or filesystem mirror provided a provider whose signature does not match a key the OpenTofu registry vouches for.

The registry entry lacks the expected signing key

For a self-hosted or third-party provider, the registry did not supply a signing key OpenTofu trusts, so verification fails.

How to fix it

Install from the OpenTofu registry directly

  1. Temporarily bypass the mirror to confirm the official registry package verifies.
  2. If it does, the mirror is serving a bad or unsigned artifact; refresh the mirror.
  3. Re-run tofu init against the corrected source.
Terminal
tofu init -upgrade

Provide the signing key for a private provider

For an internal provider, ensure its registry entry publishes the GPG public key that signed the release so tofu can verify it.

How to prevent it

  • Serve only signed provider packages from internal mirrors.
  • Publish signing keys for private providers in the registry entry.
  • Regenerate the lock so recorded checksums match verified packages.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →