Encountering CA_CREATE_SIGNING_CERTIFICATE_ERROR when deploying package to internal registry

I’m working with a self-hosted GitLab instance and trying to deploy a package using npm through a CI/CD pipeline to our internal package registry. I followed the official documentation but I’m running into certificate issues.

Here’s my pipeline configuration:

package-deploy:
  image: node:latest
  id_tokens:
    SIGSTORE_TOKEN:            # OIDC ID token GitLab mints for this job
      aud: sigstore            # audience the Sigstore client expects
  variables:
    npm_config_cafile: $CI_SERVER_TLS_CA_FILE   # CA bundle GitLab exposes for its own TLS certificate
    npm_config_registry: $CI_API_V4_URL/projects/$CI_PROJECT_ID/packages/npm/
  before_script:
    - npm config set -- //$CI_SERVER_HOST/api/v4/projects/$CI_PROJECT_ID/packages/npm/:_authToken=$CI_JOB_TOKEN
  script:
    - npm config set strict-ssl false
    - npm publish

Initially I got an error saying that provenance generation needed the SIGSTORE_ID_TOKEN with sigstore audience. I fixed that by adding the id_tokens section.

But now I’m getting:

npm error code CA_CREATE_SIGNING_CERTIFICATE_ERROR
npm error error creating signing certificate - (400) There was an error processing the identity token
npm error cause (400) There was an error processing the identity token

The debug output shows it’s trying to connect to fulcio.sigstore.dev/api/v2/signingCert and failing with a 400 error.

Since we use a custom CA certificate for our GitLab setup, I thought the npm_config_cafile setting or disabling strict-ssl would help, but neither worked.

Is there a way to resolve this certificate creation error when working with a private GitLab registry?

This happens because npm tries to generate provenance attestations using Sigstore’s public infrastructure, which breaks with self-hosted GitLab instances that use custom certificates. It’s not your GitLab registry setup - it’s the provenance generation that’s failing. I ran into this exact issue on our corporate GitLab last month.

Just disable provenance generation by adding --provenance false to your npm publish command. Your pipeline should look like:

  script:
    - npm config set strict-ssl false
    - npm publish --provenance false

You can also set NPM_CONFIG_PROVENANCE to false in your pipeline variables instead. This skips the Sigstore certificate stuff entirely and your packages will still publish fine to your internal registry.

Yeah, this is annoying but totally expected. Sigstore only accepts OIDC tokens from trusted providers, and self-hosted GitLab isn’t on their allowlist. That 400 error means Fulcio straight up rejected your token. Just skip provenance with npm publish --no-provenance or add it to your .npmrc file.

This happens because GitLab’s CI job tokens don’t work with Sigstore’s public fulcio service on self-hosted instances. I’ve run into this tons of times in our enterprise setup. Your CI_JOB_TOKEN has claims and issuer info specific to your GitLab instance, but fulcio.sigstore.dev only accepts tokens from recognized public OIDC providers. If you’re using a custom CA or self-signed certs for GitLab, Sigstore can’t verify your instance’s identity, so token validation fails. You could set up your own Sigstore infrastructure if attestations matter for security, but that’s way more work. For most internal stuff, just disable provenance - you probably have other security controls for internal packages anyway.
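The last two replies attribute the 400 to Fulcio not recognising the token's issuer. The script below is an added example (not from this thread, and not npm's or Sigstore's own code) that makes that concrete: it decodes the GitLab CI ID token without verifying its signature and applies the two pre-checks Fulcio performs before it will issue a signing certificate, namely that the audience contains "sigstore" and that the issuer is one the Fulcio instance is configured to trust. The issuer set is an assumption standing in for the public Fulcio configuration, and the sample tokens, hostnames and claim values are constructed for the example; the signature segment is a placeholder, so the tokens would never pass real verification.

```python
import base64
import json

# Assumption for this example: issuers the public Fulcio instance accepts for CI
# identities. The point is that a self-hosted GitLab hostname is never on the list.
PUBLIC_FULCIO_ISSUERS = {
    "https://gitlab.com",                            # hosted GitLab CI
    "https://token.actions.githubusercontent.com",   # GitHub Actions
}
REQUIRED_AUDIENCE = "sigstore"


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> dict:
    """Split a compact JWS into header and payload WITHOUT checking the signature.

    Fulcio verifies the signature against the issuer's published keys; this helper
    only exposes the claims so the reason for a rejection is visible.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return {
        "header": json.loads(_b64url_decode(parts[0])),
        "payload": json.loads(_b64url_decode(parts[1])),
    }


def fulcio_rejection_reasons(token: str, trusted_issuers=PUBLIC_FULCIO_ISSUERS) -> list:
    """Return why a Fulcio configured with `trusted_issuers` would refuse this token.

    An empty list means the audience and issuer checks pass; signature and
    claim-shape validation would still follow on a real Fulcio.
    """
    claims = decode_jwt_unverified(token)["payload"]
    reasons = []
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if REQUIRED_AUDIENCE not in audiences:
        reasons.append(f"aud {audiences!r} does not contain {REQUIRED_AUDIENCE!r}")
    iss = claims.get("iss")
    if iss not in trusted_issuers:
        reasons.append(f"issuer {iss!r} is not configured on this Fulcio instance")
    return reasons


def make_unsigned_sample_token(issuer: str, audience: str) -> str:
    """Build a CONSTRUCTED GitLab-style ID token for local experiments.

    The claim layout mirrors what GitLab puts in a job's ID token (iss is the
    instance URL, sub names the project and ref); the signature is a placeholder.
    """
    header = {"alg": "RS256", "typ": "JWT", "kid": "example-kid"}
    payload = {
        "iss": issuer,
        "aud": audience,
        "sub": "project_path:group/app:ref_type:branch:ref:main",
        "project_path": "group/app",
        "ref": "main",
        "job_id": "1",
    }
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


if __name__ == "__main__":
    # Self-hosted instance (constructed hostname) versus hosted gitlab.com.
    for iss in ("https://gitlab.example.internal", "https://gitlab.com"):
        tok = make_unsigned_sample_token(iss, "sigstore")
        print(iss, "->", fulcio_rejection_reasons(tok) or "passes issuer/audience checks")
```

In a real job the token to inspect is the one GitLab places in the variable named under id_tokens. The check also shows why the TLS-related settings in the question cannot help: the rejection is about the token's iss claim, not about any certificate, so npm_config_cafile is still the right way to trust the GitLab instance's certificate for the registry, and strict-ssl false only switches off certificate verification for every npm request without changing Fulcio's answer. Passing trusted_issuers containing the instance URL corresponds to the third reply's alternative of running a Fulcio you control and configuring it to trust your GitLab.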
