Cosign Verify fails with azure akv intermittent #3719

Open
suryabaiarava opened this issue Jun 4, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@suryabaiarava

Hi Team,

We're encountering intermittent errors while using cosign verify in our container CI/CD pipelines. When cosign verify fails, we receive the following error message:

main.go:69: error during command execution: no matching signatures: failed with vault verification.

Despite the error, we've noticed that the image digest value (SHA) remains unmodified, and the corresponding .sig file exists.

As a temporary workaround, resigning the image resolves the issue. However, we'd like to troubleshoot and resolve the underlying cause.

Cosign Version: v2.2.3
CLI Syntax: cosign verify --key azurekms:///keyname acrimage/repo:sha256:fdkkdkfdkfd

Could anyone provide guidance on how to troubleshoot this issue effectively?

Any assistance would be greatly appreciated.

Thank you!

@suryabaiarava suryabaiarava added the bug Something isn't working label Jun 4, 2024

t-settle commented Jun 13, 2024

@suryabaiarava I noticed the same thing today using the hashivault KMS provider. I even pulled down and built Cosign from @ HEAD because I was seeing an issue related to sigstore/sigstore#1735. Wasn't sure if this was similarly related. But even with the latest Cosign I am getting the same error:

% cosign --key hashivault://cosign verify my-private-repo/thomas@$DIGEST
Error: no matching signatures: failed vault verification failed vault verification
main.go:69: error during command execution: no matching signatures: failed vault verification failed vault verification
