
Policy-controller with cosign generate-key-pair is not working with DockerHub #1942

@betorvs

Description


Tested policy-controller with k3d and cosign and it fails.

I did the following:

k3d cluster create cosign --image rancher/k3s:v1.35.2-k3s1
kubectl create ns cosign-system
helm install policy-controller -n cosign-system sigstore/policy-controller --devel
kubectl create -f cluster-image-policy.yaml
kubectl create -f ns.yaml
kubectl apply -f deployment.yaml
Error from server (BadRequest): error when creating "demo-app/deployment.yaml": admission webhook "policy.sigstore.dev" denied the request: validation failed: failed policy: verify-image-signature: spec.template.spec.containers[0].image
index.docker.io/betorvs/nginx:1.29.5@sha256:f676e65a102e4eb6b30ca6ece7300e1ad72bdd60758b8e4e5072c45b86979916 signature key validation failed for authority authority-0 for index.docker.io/betorvs/nginx@sha256:f676e65a102e4eb6b30ca6ece7300e1ad72bdd60758b8e4e5072c45b86979916: no signatures found

logs from policy-controller:

policy-controller-webhook-74d569988f-9pdnc policy-controller-webhook {"level":"error","ts":"2026-03-06T17:28:51.999Z","logger":"policy-controller","caller":"validation/validation_admit.go:183","msg":"Failed the resource specific validation","commit":"ccbb37f-dirty","knative.dev/kind":"apps/v1, Kind=Deployment","knative.dev/namespace":"app","knative.dev/name":"demo-nginx","knative.dev/operation":"CREATE","knative.dev/resource":"apps/v1, Resource=deployments","knative.dev/subresource":"","knative.dev/userinfo":"system:admin","stacktrace":"knative.dev/pkg/webhook/resourcesemantics/validation.validate\n\tknative.dev/pkg@v0.0.0-20230612155445-74c4be5e935e/webhook/resourcesemantics/validation/validation_admit.go:183\nknative.dev/pkg/webhook/resourcesemantics/validation.(*reconciler).Admit\n\tknative.dev/pkg@v0.0.0-20230612155445-74c4be5e935e/webhook/resourcesemantics/validation/validation_admit.go:79\nknative.dev/pkg/webhook.New.admissionHandler.func4\n\tknative.dev/pkg@v0.0.0-20230612155445-74c4be5e935e/webhook/admission.go:123\nnet/http.HandlerFunc.ServeHTTP\n\tnet/http/server.go:2294\nnet/http.(*ServeMux).ServeHTTP\n\tnet/http/server.go:2822\nknative.dev/pkg/webhook.(*Webhook).ServeHTTP\n\tknative.dev/pkg@v0.0.0-20230612155445-74c4be5e935e/webhook/webhook.go:302\nknative.dev/pkg/network/handlers.(*Drainer).ServeHTTP\n\tknative.dev/pkg@v0.0.0-20230612155445-74c4be5e935e/network/handlers/drain.go:113\nnet/http.serverHandler.ServeHTTP\n\tnet/http/server.go:3301\nnet/http.(*conn).serve\n\tnet/http/server.go:2102"}
policy-controller-webhook-74d569988f-9pdnc policy-controller-webhook {"level":"info","ts":"2026-03-06T17:28:51.999Z","logger":"policy-controller","caller":"webhook/admission.go:151","msg":"remote admission controller audit annotations=map[string]string(nil)","commit":"ccbb37f-dirty","knative.dev/kind":"apps/v1, Kind=Deployment","knative.dev/namespace":"app","knative.dev/name":"demo-nginx","knative.dev/operation":"CREATE","knative.dev/resource":"apps/v1, Resource=deployments","knative.dev/subresource":"","knative.dev/userinfo":"system:admin","admissionreview/uid":"eef08de1-42c6-4f3f-a8eb-4bdcad95bf27","admissionreview/allowed":false,"admissionreview/result":"&Status{ListMeta:ListMeta{SelfLink:,ResourceVersion:,Continue:,RemainingItemCount:nil,},Status:Failure,Message:validation failed: failed policy: verify-image-signature: spec.template.spec.containers[0].image\nindex.docker.io/betorvs/nginx:1.29.5@sha256:f676e65a102e4eb6b30ca6ece7300e1ad72bdd60758b8e4e5072c45b86979916 signature key validation failed for authority authority-0 for index.docker.io/betorvs/nginx@sha256:f676e65a102e4eb6b30ca6ece7300e1ad72bdd60758b8e4e5072c45b86979916: no signatures found,Reason:BadRequest,Details:nil,Code:400,}"}

cosign verify:

cosign verify --key cosign.pub betorvs/nginx:1.29.5

Verification for index.docker.io/betorvs/nginx:1.29.5 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The signatures were verified against the specified public key

[{"critical":{"identity":{"docker-reference":"index.docker.io/betorvs/nginx:1.29.5"},"image":{"docker-manifest-digest":"sha256:f676e65a102e4eb6b30ca6ece7300e1ad72bdd60758b8e4e5072c45b86979916"},"type":"https://sigstore.dev/cosign/sign/v1"},"optional":{}}]

cluster-image-policy.yaml:

---
apiVersion: v1
kind: Secret
metadata:
  name: signing-key
  namespace: cosign-system
type: Opaque
stringData:
  publicKey: |
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEXBC/tG86ZkNXCMSODNnqWSv94czb
    QwYxG2qpcX90HRs3amRFfKMFcKWDNf3AmFmGRVySxvZYZ6ZR7WqYRTMm5Q==
    -----END PUBLIC KEY-----
---
apiVersion: policy.sigstore.dev/v1alpha1
kind: ClusterImagePolicy
metadata:
  name: verify-image-signature
spec:
  images:
  - glob: "index.docker.io/betorvs/*"
  authorities:
  - key:
      secretRef:
        name: signing-key

ns.yaml:

apiVersion: v1
kind: Namespace
metadata:
  labels:
    policy.sigstore.dev/include: "true"
    kubernetes.io/metadata.name: app
  name: app
spec:
  finalizers:
  - kubernetes

deployment.yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-nginx
  namespace: app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo-nginx
  template:
    metadata:
      labels:
        app: demo-nginx
    spec:
      containers:
      - name: nginx
        image: betorvs/nginx:1.29.5

Is there anything I'm missing here?

Version

helm version: 0.10.6
app version: 0.13.1
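To make the failure above easier to reason about, here is an added Python helper; it is not part of this issue or of the policy-controller project, and the function and class names are the example's own. It normalizes an image reference the way the admission error shows it (Docker Hub short names expand to index.docker.io, official images get a library/ prefix), extracts the authority name and the digest-pinned reference from the admission error text, and derives the tag under which cosign stores a key-based signature for that digest, which is the location `cosign triangulate` prints. The sample error line is the one from the report above.

```python
"""Image-reference helpers for reading policy-controller admission errors.

Added example, not project code.  Normalization follows the Docker rules:
no registry -> index.docker.io, single-segment Hub repo -> library/<name>,
no tag and no digest -> latest.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

DOCKER_HUB = "index.docker.io"

# Matches the tail of the webhook message seen in the report above.
_ADMISSION_RE = re.compile(
    r"signature key validation failed for authority (\S+) for (\S+?): (.+)$"
)


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]

    @property
    def name(self) -> str:
        return f"{self.registry}/{self.repository}"

    def __str__(self) -> str:
        out = self.name
        if self.tag:
            out += ":" + self.tag
        if self.digest:
            out += "@" + self.digest
        return out


def parse_reference(ref: str) -> ImageRef:
    """Parse 'repo[:tag][@sha256:hex]' into a fully qualified ImageRef."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not re.fullmatch(r"sha256:[0-9a-f]{64}", digest):
            raise ValueError(f"malformed digest: {digest}")
    parts = ref.split("/")
    # The first path component is a registry only if it looks like a host.
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, path = parts[0], "/".join(parts[1:])
    else:
        registry, path = DOCKER_HUB, ref
    if registry == "docker.io":
        registry = DOCKER_HUB
    head, _, last = path.rpartition("/")
    tag = None
    if ":" in last:  # the tag can only live in the last component
        last, tag = last.split(":", 1)
    repository = f"{head}/{last}" if head else last
    if registry == DOCKER_HUB and "/" not in repository:
        repository = "library/" + repository
    if tag is None and digest is None:
        tag = "latest"
    return ImageRef(registry, repository, tag, digest)


def legacy_signature_tag(ref: ImageRef) -> str:
    """Tag where cosign stores a signature for a digest: <repo>:sha256-<hex>.sig."""
    if not ref.digest:
        raise ValueError("a digest-pinned reference is required")
    algo, hexdigest = ref.digest.split(":", 1)
    return f"{ref.name}:{algo}-{hexdigest}.sig"


def parse_admission_error(msg: str) -> Tuple[str, ImageRef, str]:
    """Return (authority, digest-pinned ref, reason) from a webhook denial message."""
    m = _ADMISSION_RE.search(msg.strip())
    if not m:
        raise ValueError("not a policy-controller signature validation error")
    authority, ref, reason = m.groups()
    return authority, parse_reference(ref), reason


# Constructed from the denial message quoted in the report above.
SAMPLE_ERROR = (
    "index.docker.io/betorvs/nginx:1.29.5@sha256:f676e65a102e4eb6b30ca6ece7300e1ad72bdd60758b8e4e5072c45b86979916 "
    "signature key validation failed for authority authority-0 for "
    "index.docker.io/betorvs/nginx@sha256:f676e65a102e4eb6b30ca6ece7300e1ad72bdd60758b8e4e5072c45b86979916: "
    "no signatures found"
)

if __name__ == "__main__":
    authority, ref, reason = parse_admission_error(SAMPLE_ERROR)
    print(f"authority {authority} rejected {ref}: {reason}")
    print("signature tag to inspect:", legacy_signature_tag(ref))
    print("short name as the policy sees it:", parse_reference("betorvs/nginx:1.29.5"))
```

Running the script on the quoted error yields the tag `index.docker.io/betorvs/nginx:sha256-f676e65a...979916.sig`; listing or fetching that tag with `crane` or comparing it with the output of `cosign triangulate betorvs/nginx:1.29.5` shows whether the registry holds a signature at the location the webhook resolved, which separates a registry-side problem (signature pushed elsewhere, or in a different layout) from a policy-side one (secret contents, authority configuration).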

Labels: bug (Something isn't working)
