
gh attestation verify JSON output includes incorrectly-formatted in-toto attestation #10114

Open
codysoyland opened this issue Dec 20, 2024 · 1 comment · May be fixed by #10309
Labels: bug (Something isn't working), gh-attestation (related to the gh attestation command)

Comments

@codysoyland (Contributor)

Describe the bug

The output of gh attestation verify with the --format json flag produces a result structure with an incorrectly-formatted in-toto attestation.

For example, the field predicateType is called predicate_type in the output, which isn't correct according to the spec.

This can be observed using this command:

```shell
gh attestation verify oci://ghcr.io/github/artifact-attestations-helm-charts/trust-policies:v0.6.2 --owner github --format json --jq .[0].verificationResult.statement
```

gh version:

```
▶ gh --version
gh version 2.59.0 (2024-10-15)
https://github.com/cli/cli/releases/tag/v2.59.0
```

The root cause is a problem with JSON encoding described in this issue: in-toto/attestation#363

Related issue in sigstore-go: sigstore/sigstore-go#365

This should be fixed by sigstore/sigstore-go#366. After it is merged, a release will be cut, and gh may update to that version of sigstore-go.

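A shape check a consumer of this JSON might run before trusting the statement, as an added example that is not part of the issue, gh or sigstore-go: it flags the snake_case `predicate_type` key reported above (and the spec key it displaces), then renames it. The sample statement, the subject name and the digest value are constructed; only `predicate_type` is the mis-encoding the issue describes.

```python
# in-toto Statement v1 field names (camelCase, per the spec).
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
REQUIRED_FIELDS = ("_type", "subject", "predicateType", "predicate")
# The mis-encoded key reported in this issue: gh 2.59.0 emitted predicate_type.
SNAKE_CASE_ALIASES = {"predicate_type": "predicateType"}


def check_statement(statement: dict) -> list[str]:
    """Return findings for a decoded statement; an empty list means spec-shaped."""
    findings = []
    for bad, good in SNAKE_CASE_ALIASES.items():
        if bad in statement and good not in statement:
            findings.append(f"key {bad!r} is not in the spec; expected {good!r}")
    for field in REQUIRED_FIELDS:
        if field not in statement:
            findings.append(f"missing required field {field!r}")
    if "_type" in statement and statement["_type"] != STATEMENT_TYPE:
        findings.append(f"unexpected _type {statement['_type']!r}")
    # Every subject must carry a non-empty digest map (e.g. {"sha256": ...}).
    for i, subj in enumerate(statement.get("subject") or []):
        digest = subj.get("digest") if isinstance(subj, dict) else None
        if not isinstance(digest, dict) or not digest:
            findings.append(f"subject[{i}] has no digest map")
    return findings


def normalize_statement(statement: dict) -> dict:
    """Copy the statement, renaming known snake_case keys to their spec names."""
    fixed = dict(statement)
    for bad, good in SNAKE_CASE_ALIASES.items():
        if bad in fixed and good not in fixed:
            fixed[good] = fixed.pop(bad)
    return fixed


# Constructed sample shaped like the --jq .[0].verificationResult.statement
# output described in the issue; subject name and digest are placeholders.
BUGGY_STATEMENT = {
    "_type": STATEMENT_TYPE,
    "subject": [{"name": "trust-policies", "digest": {"sha256": "<constructed-placeholder>"}}],
    "predicate_type": "https://slsa.dev/provenance/v1",
    "predicate": {"buildDefinition": {}, "runDetails": {}},
}

if __name__ == "__main__":
    print(check_statement(BUGGY_STATEMENT))
    print(check_statement(normalize_statement(BUGGY_STATEMENT)))
```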

@codysoyland codysoyland added the bug Something isn't working label Dec 20, 2024
@cliAutomation cliAutomation added the needs-triage needs to be reviewed label Dec 20, 2024
@phillmv phillmv added gh-attestation related to the gh attestation command and removed needs-triage needs to be reviewed labels Dec 20, 2024
@codysoyland (Contributor, Author)

Quick update: sigstore-go was updated to fix the root cause here: sigstore/sigstore-go#366

We just need to make a new release of sigstore-go and update the CLI to reference the latest release.
