A CI pipeline fails with the error 'cosign: error: unable to verify image: no matching signatures' when running 'cosign verify --key pubkey.pem myregistry/myapp:latest'. The image was previously signed with a private key. What is the MOST likely cause?
Overwriting a tag with a new, unsigned image removes the previous signature.
Why this answer
If the image tag was overwritten (e.g., the image was pushed again to the same tag without signing), the old signatures are lost and the new image is unsigned, so 'cosign verify' finds no matching signatures for it.