gh attestation verify downloads Sigstore's trusted root, which since
Rekor v2 GA contains an Ed25519 (PKIX_ED25519) tlog key. gh builds
older than 2.56.0 bundle a sigstore-go that cannot parse it and error
out. The installer was fail-closed, so this aborted the whole install
even though the sha256 checksum had already matched (END-609).
Make the attestation a best-effort layer on top of the mandatory
sha256: an unusable verifier (old gh, absent, rate-limited, offline, or
no attestation published) now warns and continues with an
"upgrade gh >= 2.56.0" hint, while a genuine provenance mismatch still
fails closed. Also drop the `gh auth status` gate, since verifying a
public repo's attestation needs no login. Set
GGSHIELD_REQUIRE_ATTESTATION=1 to restore strict, fail-closed behavior.
Refs: END-609
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- The `curl | bash` installer no longer aborts when an outdated `gh` cannot verify the build provenance attestation (for example a `gh` older than 2.56.0, which fails to parse Sigstore's Ed25519 trusted-root key). Provenance is now best-effort on top of the mandatory sha256 checksum: an unusable verifier warns and continues, while a genuine provenance mismatch still fails the install. Set `GGSHIELD_REQUIRE_ATTESTATION=1` to treat any attestation problem as fatal.
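The two-layer policy described above (mandatory sha256, best-effort provenance with a fail-closed override) can be modelled in a few shell functions. The following is an added example, not ggshield's installer; the outcome categories `verified`, `mismatch` and `unusable`, the `gh_usable` version cutoff helper and the `install_artifact` driver are constructed here for illustration, and the expected digest in the demo is the sha256 of the constructed file it creates.

```shell
#!/bin/sh
# Added example: model the installer policy from the commit message.
# Layer 1 (mandatory): the artifact's sha256 must match the published digest.
# Layer 2 (best-effort): gh attestation verify, unless GGSHIELD_REQUIRE_ATTESTATION=1.

# version_ge A B: succeed when dotted version A >= B (a leading "v" is ignored).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    sub(/^v/, "", a); sub(/^v/, "", b)
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      xi = (i <= n ? x[i] + 0 : 0); yi = (i <= m ? y[i] + 0 : 0)
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# sha256_matches FILE DIGEST: the fail-closed layer; never downgraded to a warning.
sha256_matches() {
  if command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum "$1" | cut -d' ' -f1)
  else
    actual=$(shasum -a 256 "$1" | cut -d' ' -f1)
  fi
  [ "$actual" = "$2" ]
}

# gh_usable VERSION: an absent gh, or one older than 2.56.0 (cannot parse the
# Ed25519 trusted-root key), counts as an unusable verifier rather than a failure.
gh_usable() {
  [ -n "$1" ] && version_ge "$1" 2.56.0
}

# attestation_decision OUTCOME [REQUIRE]: prints ok|warn|fail and returns non-zero
# only when the install must abort. OUTCOME is a constructed category:
#   verified  - gh attestation verify succeeded
#   mismatch  - verifier ran and the provenance did not match (always fatal)
#   unusable  - gh missing/too old, offline, rate-limited, or no attestation published
attestation_decision() {
  outcome=$1
  require=${2:-${GGSHIELD_REQUIRE_ATTESTATION:-0}}
  case "$outcome" in
    verified) echo ok; return 0 ;;
    mismatch) echo fail; return 1 ;;
    unusable)
      if [ "$require" = 1 ]; then echo fail; return 1; fi
      echo "warning: could not verify build provenance; upgrade gh >= 2.56.0" >&2
      echo warn; return 0 ;;
    *) echo fail; return 1 ;;
  esac
}

# install_artifact FILE DIGEST GH_VERSION OUTCOME: sha256 first, then provenance.
# OUTCOME is what gh would have reported if it were usable (constructed input).
install_artifact() {
  sha256_matches "$1" "$2" || { echo "sha256 mismatch, aborting" >&2; return 1; }
  if gh_usable "$3"; then outcome=$4; else outcome=unusable; fi
  attestation_decision "$outcome"
}

# Demo on a constructed artifact: "hello\n" has a well-known sha256.
demo=$(mktemp)
printf 'hello\n' > "$demo"
digest=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
if install_artifact "$demo" "$digest" 2.55.0 verified; then
  echo "old gh: installed (provenance skipped with a warning)"
fi
if GGSHIELD_REQUIRE_ATTESTATION=1 install_artifact "$demo" "$digest" 2.55.0 verified; then
  echo "unexpected"
else
  echo "old gh + GGSHIELD_REQUIRE_ATTESTATION=1: aborted"
fi
rm -f "$demo"
```

The point of the split is that only the checksum and a genuine `mismatch` abort the install by default; every way the verifier can be unusable is reported, not fatal, unless the operator opts into strict mode.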