OpenTofu provider signature verification error in CI
OpenTofu verifies each provider package against a signature published by the registry. This error means the signature could not be validated, usually because a mirror served an unsigned package or the signing key is not trusted.
What this error means
tofu init fails with an error about the provider package signature, for example "the signature ... could not be verified" or "unable to verify the cryptographic signature" for a provider from a mirror.
Error: Failed to install provider
Error while installing hashicorp/aws v5.60.0: the authenticity of the provider
package could not be verified: the signature could not be verified using the
keys provided by the registry.Common causes
A mirror served a package without a valid signature
A network or filesystem mirror provided a provider whose signature does not match a key the OpenTofu registry vouches for.
The registry entry lacks the expected signing key
For a self-hosted or third-party provider, the registry did not supply a signing key OpenTofu trusts, so verification fails.
How to fix it
Install from the OpenTofu registry directly
- Temporarily bypass the mirror to confirm the official registry package verifies.
- If it does, the mirror is serving a bad or unsigned artifact; refresh the mirror.
- Re-run
tofu initagainst the corrected source.
tofu init -upgradeProvide the signing key for a private provider
For an internal provider, ensure its registry entry publishes the GPG public key that signed the release so tofu can verify it.
How to prevent it
- Serve only signed provider packages from internal mirrors.
- Publish signing keys for private providers in the registry entry.
- Regenerate the lock so recorded checksums match verified packages.