GitLab Container Registry error verifying signing key

I have the following setup:

  • AWS NLB (git.example.com): Handling TLS/SSH for git
  • AWS ALB (registry.example.com): Handling HTTPS for container registry.

Git/SSH work fine. For the registry, the target group shows the hosts as Healthy on port 5056.

It looks like everything is working except for actual logging in.

external_url 'https://git.example.com'
registry_external_url 'https://registry.example.com'

nginx['listen_port'] = 80
nginx['listen_https'] = false
nginx['proxy_connect_timeout'] = 600 # 60 default
nginx['proxy_read_timeout'] = 3600 # 3600 default
nginx['proxy_send_timeout'] = 300 # 300 default

registry['enable'] = true
registry_nginx['listen_port'] = '5056'
registry_nginx['listen_https'] = false
registry_nginx['proxy_set_headers'] = {
 "Host" => "$http_host",
 "X-Real-IP" => "$remote_addr",
 "X-Forwarded-For" => "$proxy_add_x_forwarded_for",
 "X-Forwarded-Proto" => "https",
 "X-Forwarded-Ssl" => "on"
}

When trying to authenticate to the registry with a PAT (scope is read_registry, write_registry):

echo $GITLAB_REGISTRY_TOKEN | docker login registry.example.com -u cdenneen --password-stdin
Error: logging into "registry.example.com": invalid username/password

registry/current:

2025-09-30_19:27:41.80264 time="2025-09-30T19:27:41.802Z" level=info msg="router info" config_http_addr="127.0.0.1:5000" config_http_host= config_http_net= config_http_prefix= config_http_relative_urls=false correlation_id=01K6E1GJQA9XXQT6TMR5GS6S2S environment=production go_version=go1.23.6 instance_id=18aeab73-432e-472e-9836-fc1bcce28fa7 method=GET path=/v2/ root_repo= router=gorilla/mux service=registry version=v4.19.0-gitlab
2025-09-30_19:27:41.80289 time="2025-09-30T19:27:41.802Z" level=error msg="error verifying that signing key is trusted" error="token signed by untrusted key with ID: \"X6GC:TTMO:JCHG:AXA2:73AT:YF2B:TTXT:DPBN:XEQQ:AHQK:5PRP:XMW5\"" go_version=go1.23.6 version=v4.19.0-gitlab
2025-09-30_19:27:41.80290 {"content_type":"application/json","correlation_id":"01K6E1GJQA9XXQT6TMR5GS6S2S","duration_ms":0,"host":"registry.example.com","level":"info","method":"GET","msg":"access","proto":"HTTP/1.1","referrer":"","remote_addr":"127.0.0.1:47044","remote_ip":"127.0.0.1","status":401,"system":"http","time":"2025-09-30T19:27:41.802Z","ttfb_ms":0,"uri":"/v2/","user_agent":"containers/5.35.0 (github.com/containers/image)","written_bytes":87}

Any ideas what's not configured properly?

Edited by Chris Denneen
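
The key ID in the error line above has the libtrust fingerprint shape: SHA-256 over the DER-encoded public key, truncated to 30 bytes, base32-encoded in colon-separated groups of four. As an added example (not part of the original post and not GitLab's code), this Go program computes that fingerprint for every certificate in a PEM bundle, so the result can be compared with the ID the registry logged. The function names are hypothetical, the certificate is a throwaway generated in code, and hashing the certificate's raw SubjectPublicKeyInfo is assumed to match the re-encoded key for ordinary RSA and ECDSA keys.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base32"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
)

// KeyID: SHA-256 of a DER SubjectPublicKeyInfo, first 30 bytes, base32 in groups of four.
func KeyID(spkiDER []byte) string {
	sum := sha256.Sum256(spkiDER)
	s := base32.StdEncoding.EncodeToString(sum[:30]) // 30 bytes -> 48 chars, no padding
	groups := make([]string, 0, 12)
	for i := 0; i < len(s); i += 4 {
		groups = append(groups, s[i:i+4])
	}
	return strings.Join(groups, ":")
}

// BundleKeyIDs returns the key ID of every certificate in a PEM bundle.
func BundleKeyIDs(bundle []byte) ([]string, error) {
	var ids []string
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		ids = append(ids, KeyID(cert.RawSubjectPublicKeyInfo))
	}
	return ids, nil
}

// ConstructedCertPEM builds a throwaway self-signed certificate (constructed sample input).
func ConstructedCertPEM() []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	fmt.Println(BundleKeyIDs(ConstructedCertPEM()))
}
```

If none of the IDs computed from the certificate bundle the registry trusts equals the ID in the log line, the token was signed with a key that bundle does not contain.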