I’m having trouble with cosign while attempting to sign my container images in keyless mode. It used to work flawlessly, but now I’m facing issues. The problem seems to be linked to the Fulcio certificate and the synchronization of TUF metadata.
I’m utilizing GitHub repository certificates along with a git reference for the signing. Has anyone else run into similar issues with TUF metadata and cosign lately?
Had this exact issue last week. It’s def the TUF root expiration - sigstore’s been having metadata refresh probs lately. Quick fix that worked for me: set the SIGSTORE_TUF_ROOT env var to force a re-download. Also try rm -rf ~/.sigstore then retry signing. Should pull fresh certs from fulcio.
I encountered a similar issue recently and found it was caused by outdated TUF metadata along with a local cache problem. It appears that your timestamp.json expired on March 26 while the snapshot is still valid until April 9, indicating a sync issue. To resolve this, you should clear the TUF cache directory, typically located at ~/.sigstore/root. After deleting it, cosign will retrieve up-to-date metadata when you attempt to sign again. Additionally, ensure that your connection isn’t hindered by a corporate proxy that might block access to the googleapis.com TUF mirror, as that could also lead to the key validation errors you are seeing.
This TUF metadata error happens when your local and remote trust root info don’t match. That expired timestamp.json means your local metadata is stale. Try running cosign initialize to force a fresh download of all metadata files - this usually fixes it.
I’ve seen this a lot with ECR when the system clock is way off. TUF depends heavily on timestamp validation, so check that your system time is synced properly. If you’re in CI, make sure your runner has time sync configured.
Sometimes just updating cosign fixes it too - newer versions handle TUF metadata refresh much better.
This looks like a TUF metadata sync failure - your local cache has expired metadata files. Cosign can’t do keyless signing because it can’t validate the Fulcio certificate authority through the TUF trust root with that expired timestamp.json blocking validation. Beyond clearing the cache like others said, check your network connection to sigstore infrastructure. I’ve hit similar issues running behind restrictive firewalls that randomly block HTTPS requests to googleapis.com. Try switching to a different network temporarily to rule out connectivity problems. If you’re running this in CI/CD, add retry logic - sigstore services go down sometimes and cause these TUF sync failures.
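Putting the thread's advice together (check whether the cached timestamp.json or snapshot.json has lapsed, clear the cache, re-run cosign initialize with retries for CI), as an added example that is not from any of the posters: it assumes cosign keeps its TUF cache at ~/.sigstore/root with those two files at the top level, and the dates in the constructed sample are invented to match the ones mentioned above.

```shell
# Added example, not from the thread: detect stale cached Sigstore TUF metadata
# before a keyless "cosign sign" and refresh it with retries if it has lapsed.
# Assumption: cosign's cache is ~/.sigstore/root holding timestamp.json and
# snapshot.json at the top level; set TUF_CACHE if your layout differs.
TUF_CACHE="${TUF_CACHE:-$HOME/.sigstore/root}"

# Extract the "expires" field (ISO 8601 UTC) from a TUF metadata file.
tuf_expiry() {
  sed -n 's/.*"expires"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# 0 if the file is valid at time $2 (default: now, UTC), 1 if expired or missing.
# Both sides share one fixed-width format, so string comparison is chronological.
tuf_is_valid() {
  now="${2:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}"
  [ -f "$1" ] || return 1
  exp="$(tuf_expiry "$1")"
  [ -n "$exp" ] || return 1
  expr "$now" \< "$exp" >/dev/null
}

# Drop the cache and re-run "cosign initialize"; retry because sigstore endpoints
# are occasionally unreachable, the CI failure mode the last reply describes.
refresh_tuf() {
  rm -rf "$TUF_CACHE"
  for attempt in 1 2 3; do
    cosign initialize && return 0
    echo "cosign initialize failed (attempt $attempt), retrying" >&2
    sleep 5
  done
  return 1
}

# Run before "cosign sign": refresh only when a cached metadata file has lapsed.
check_and_refresh() {
  for f in timestamp.json snapshot.json; do
    tuf_is_valid "$TUF_CACHE/$f" && continue
    echo "stale or missing TUF metadata: $TUF_CACHE/$f" >&2
    refresh_tuf; return $?
  done
}

# Constructed sample mirroring the thread: timestamp expired 26 March, snapshot
# valid until 9 April (year assumed). Reports each file's state at a fixed "now".
demo_constructed() {
  d="$(mktemp -d)"
  printf '{"signed":{"_type":"timestamp","expires":"2024-03-26T00:00:00Z"}}' > "$d/timestamp.json"
  printf '{"signed":{"_type":"snapshot","expires":"2024-04-09T00:00:00Z"}}' > "$d/snapshot.json"
  for f in timestamp snapshot; do
    tuf_is_valid "$d/$f.json" "2024-04-01T00:00:00Z" && echo "$f: valid" || echo "$f: expired"
  done
  rm -rf "$d"
}
```

Call check_and_refresh as a step before cosign sign in the pipeline; because the expiry check only reads the cached files, it also works as a quick diagnostic when the system clock is suspect, since a wildly wrong clock shows up as every file reporting expired.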