Cosign fails to sign container image in gitlab container registry
Description
After upgrading from cosign 2.6.1 to cosign 3.0.2, signing a container image in the GitLab registry fails:
$ cosign sign "${CI_REGISTRY_IMAGE}@${digest}"
Signing artifact...
Error: signing [registry.gitlab.com/platynum/certification-authority/container@sha256:20b959ad5960230b65a77b746bdbf5d991ade4d7a129c2554e167acdcc990531]: signing digest: HEAD https://registry.gitlab.com/v2/platynum/certification-authority/container/manifests/sha256:20b959ad5960230b65a77b746bdbf5d991ade4d7a129c2554e167acdcc990531: unexpected status code 404 Not Found (HEAD responses have no body, use GET for details)
Version
3.0.2
cc @steiza
https://github.com/sigstore/cosign/discussions/4610
I face the same problem.
I also have a problem after upgrading to v3, signatures aren't being pushed to the repository anymore.
It worked just fine with v2.6.0: https://github.com/AlmaLinux/atomic-desktop/actions/runs/19255085292/job/55048900807#step:4:432
After the upgrade to v3.0.2, the signature was not pushed to the repo, but the process seems to complete successfully. The last line simply says "Signing artifact..." and then nothing else happens: https://github.com/AlmaLinux/atomic-desktop/actions/runs/19701840699/job/56441283894#step:4:470
As a workaround, I've downgraded to v2.6.2, and that's working fine: https://github.com/AlmaLinux/atomic-desktop/actions/runs/21708816804/job/62608324256#step:4:480