diff --git a/pkg/provenance/sign.go b/pkg/provenance/sign.go
index 5e23c2dda685908bd51b05114cf1f17a1856efa2..5a7626424b9a921f4735671b6010672ce4d289c7 100644
--- a/pkg/provenance/sign.go
+++ b/pkg/provenance/sign.go
@@ -404,6 +404,8 @@ func DigestFile(filename string) (string, error) {
 // Helm uses SHA256 as its default hash for all non-cryptographic applications.
 func Digest(in io.Reader) (string, error) {
 	hash := crypto.SHA256.New()
-	io.Copy(hash, in)
+	if _, err := io.Copy(hash, in); err != nil {
+		return "", nil
+	}
 	return hex.EncodeToString(hash.Sum(nil)), nil
 }