diff --git a/pkg/cosign/verify.go b/pkg/cosign/verify.go
index b00ed733c75..75dba01b011 100644
--- a/pkg/cosign/verify.go
+++ b/pkg/cosign/verify.go
@@ -753,7 +753,7 @@ func VerifyBundle(ctx context.Context, sig oci.Signature) (bool, error) {
 if err != nil {
 return false, err
 } else if cert == nil {
- return true, nil
+ return false, errors.New("signature does not include a certificate")
 }
 // verify the cert against the integrated time
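Review bot: The `cert == nil` branch now fails closed, but it builds its error inline with `errors.New`, so callers can only tell "no certificate" apart from other verification failures by matching the message text. A package-level sentinel, e.g. `var ErrNoCertificate = errors.New("signature does not include a certificate")`, returned here would let callers check it with `errors.Is`. Signatures made with a plain key and carrying a bundle but no certificate will presumably now be rejected on this path; confirm that against the callers and pin it with a regression test for the nil-certificate case. The doc comment on `VerifyBundle` should also state that a missing certificate is an error rather than a successful verification. The function body starts and ends outside this hunk.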