cosign sign -d --key azurekms://b41kvtest.vault.azure.net/test-key-2 boomer41/infra:latest@sha256:5f0d3080e1c37933da5b53b8ff40e4f01067d25af1b20e8ea7fc3a75b23af026
2026/06/03 20:58:38 --> GET https://index.docker.io/v2/
2026/06/03 20:58:38 GET /v2/ HTTP/1.1
Host: index.docker.io
User-Agent: cosign/v3.0.6+dirty (linux; amd64) go-containerregistry/v0.21.3
Accept-Encoding: gzip
2026/06/03 20:58:38 <-- 401 https://index.docker.io/v2/ (320.587862ms)
2026/06/03 20:58:38 HTTP/2.0 401 Unauthorized
Content-Length: 87
Content-Type: application/json
Date: Wed, 03 Jun 2026 18:58:38 GMT
Docker-Distribution-Api-Version: registry/2.0
Strict-Transport-Security: max-age=31536000
Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io"
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}
2026/06/03 20:58:38 --> GET https://auth.docker.io/token?scope=repository%3Aboomer41%2Finfra%3Apull&service=registry.docker.io [body redacted: basic token response contains credentials]
2026/06/03 20:58:38 GET /token?scope=repository%3Aboomer41%2Finfra%3Apull&service=registry.docker.io HTTP/1.1
Host: auth.docker.io
User-Agent: cosign/v3.0.6+dirty (linux; amd64) go-containerregistry/v0.21.3
Authorization: <redacted>
Accept-Encoding: gzip
2026/06/03 20:58:39 <-- 200 https://auth.docker.io/token?scope=repository%3Aboomer41%2Finfra%3Apull&service=registry.docker.io (158.598109ms) [body redacted: basic token response contains credentials]
2026/06/03 20:58:39 HTTP/2.0 200 OK
Connection: close
Cf-Cache-Status: DYNAMIC
Cf-Ray: a060ee31dcfed395-FRA
Content-Type: application/json
Date: Wed, 03 Jun 2026 18:58:39 GMT
Server: cloudflare
Set-Cookie: __cf_bm=Ob9w89p.NYWK5gFAucS8raEKVRTiA82i59.G_JyMnO0-1780513119.016106-1.0.1.1-A1jl6Rx17I5fVpqrTBicbmVZq9bEI1Qr.Z1nTGFWEQ3YU10kQSn574phO_GgcalAEv1pxu90g51rv7CCwEVdGTrH4AuqJ3dznBYwZHGchNglRmlwHNuFUB2MVnTDPyf9; HttpOnly; SameSite=None; Secure; Path=/; Domain=auth.docker.io; Expires=Wed, 03 Jun 2026 19:28:39 GMT
Strict-Transport-Security: max-age=31536000
X-Trace-Id: ebddf155779f88811565b0a067c88f7e
X-Trace-Sampled: true
2026/06/03 20:58:39 --> GET https://index.docker.io/v2/boomer41/infra/manifests/sha256:5f0d3080e1c37933da5b53b8ff40e4f01067d25af1b20e8ea7fc3a75b23af026
2026/06/03 20:58:39 GET /v2/boomer41/infra/manifests/sha256:5f0d3080e1c37933da5b53b8ff40e4f01067d25af1b20e8ea7fc3a75b23af026 HTTP/1.1
Host: index.docker.io
User-Agent: cosign/v3.0.6+dirty (linux; amd64) go-containerregistry/v0.21.3
Accept: application/vnd.docker.distribution.manifest.v1+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v2+json,application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.list.v2+json,application/vnd.oci.image.index.v1+json
Authorization: <redacted>
Accept-Encoding: gzip
2026/06/03 20:58:39 <-- 200 https://index.docker.io/v2/boomer41/infra/manifests/sha256:5f0d3080e1c37933da5b53b8ff40e4f01067d25af1b20e8ea7fc3a75b23af026 (160.489494ms)
2026/06/03 20:58:39 HTTP/2.0 200 OK
Content-Length: 1609
Content-Type: application/vnd.oci.image.index.v1+json
Date: Wed, 03 Jun 2026 18:58:39 GMT
Docker-Content-Digest: sha256:5f0d3080e1c37933da5b53b8ff40e4f01067d25af1b20e8ea7fc3a75b23af026
Docker-Distribution-Api-Version: registry/2.0
Docker-Ratelimit-Source: ae230181-1087-4a2b-bb65-46b2e884be1e
Etag: "sha256:5f0d3080e1c37933da5b53b8ff40e4f01067d25af1b20e8ea7fc3a75b23af026"
Ratelimit-Limit: 200;w=21600
Ratelimit-Remaining: 189;w=21600
Strict-Transport-Security: max-age=31536000
{
"schemaVersion": 2,
"mediaType": "application/vnd.oci.image.index.v1+json",
"manifests": [
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"digest": "sha256:4299cf70d4727a8301672998fd770e90fc6a5bd9b9703bc62917c2e1185f0497",
"size": 1254,
"platform": {
"architecture": "amd64",
"os": "linux"
}
},
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"digest": "sha256:e5b6ebb560bbfdf2e24984820b4e319591b536bb966d0f714ddf6d4349d55543",
"size": 1254,
"platform": {
"architecture": "arm64",
"os": "linux"
}
},
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"digest": "sha256:49fca692dafdf8ffdd047d3fb22399c259dc823d1af5520301846b41cb93f939",
"size": 839,
"annotations": {
"vnd.docker.reference.digest": "sha256:4299cf70d4727a8301672998fd770e90fc6a5bd9b9703bc62917c2e1185f0497",
"vnd.docker.reference.type": "attestation-manifest"
},
"platform": {
"architecture": "unknown",
"os": "unknown"
}
},
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"digest": "sha256:9dd64d8f4452a73d814ab9f104eb33643a19da41518d641c0d2f46080cf97ab0",
"size": 839,
"annotations": {
"vnd.docker.reference.digest": "sha256:e5b6ebb560bbfdf2e24984820b4e319591b536bb966d0f714ddf6d4349d55543",
"vnd.docker.reference.type": "attestation-manifest"
},
"platform": {
"architecture": "unknown",
"os": "unknown"
}
}
]
}
Signing artifact... - Error: signing [boomer41/infra:latest@sha256:5f0d3080e1c37933da5b53b8ff40e4f01067d25af1b20e8ea7fc3a75b23af026]: signing digest: signing bundle: error signing bundle: could not verify envelope: accepted signatures do not match threshold, Found: 0, Expected 1
error during command execution: signing [boomer41/infra:latest@sha256:5f0d3080e1c37933da5b53b8ff40e4f01067d25af1b20e8ea7fc3a75b23af026]: signing digest: signing bundle: error signing bundle: could not verify envelope: accepted signatures do not match threshold, Found: 0, Expected 1
Description
I have a RSA-2048 key stored in Azure Key Vault. The type does not matter, as RSA and RSA-HSM behave the same.
Then I want to sign my image with the following command:
I expect the signature to work, as using Azure Key Vault as a key backend is supported.
However, I receive this:
I did not manage to make it work with Azure KMS.
If I use
cosign generate-key-pairand use that key, signing works.Debug logs
Version
Please note: I'm using the version Arch Linux bundles in their repository, that would explain the +dirty flag: https://archlinux.org/packages/extra/x86_64/cosign/