Describe the bug
The output of gh attestation verify with the --format json flag produces a result structure with an incorrectly-formatted in-toto attestation.
For example, the field predicateType is called predicate_type in the output, which isn't correct according to the spec.
This can be observed using this command:
gh attestation verify oci://ghcr.io/github/artifact-attestations-helm-charts/trust-policies:v0.6.2 --owner github --format json --jq '.[0].verificationResult.statement'
gh version:
▶ gh --version
gh version 2.59.0 (2024-10-15)
https://github.com/cli/cli/releases/tag/v2.59.0
The root cause is a problem with JSON encoding described in this issue: in-toto/attestation#363
Related issue in sigstore-go: sigstore/sigstore-go#365
This should be fixed by sigstore/sigstore-go#366. After it is merged, a release will be cut, and gh may update to that version of sigstore-go.
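For tooling that gates on the statement's predicate type, a reader that accepts both spellings and reports which one it saw keeps a policy check from silently comparing against an empty value. This is an added example, not code from gh or sigstore-go; the helper name predicateType and the sample statements are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed samples: trimmed statements, one using the key reported in this
// issue and one using the key the in-toto spec defines.
const (
	affectedStmt = `{"predicate_type":"https://slsa.dev/provenance/v1","predicate":{}}`
	specStmt     = `{"predicateType":"https://slsa.dev/provenance/v1","predicate":{}}`
)

var errPredicateType = errors.New("predicate type missing or ambiguous")

// predicateType (hypothetical helper) returns the predicate type and whether it
// was stored under the spec key. Map lookups are exact, unlike encoding/json
// struct-field matching, which is case-insensitive.
func predicateType(raw []byte) (value string, specKey bool, err error) {
	var fields map[string]any
	if err = json.Unmarshal(raw, &fields); err != nil {
		return "", false, err
	}
	spec, _ := fields["predicateType"].(string) // non-string values read as ""
	snake, _ := fields["predicate_type"].(string)
	switch {
	case spec != "" && snake != "" && spec != snake:
		return "", false, errPredicateType // conflicting values: fail closed
	case spec != "":
		return spec, true, nil
	case snake != "":
		return snake, false, nil
	}
	return "", false, errPredicateType
}

func main() {
	for _, s := range []string{affectedStmt, specStmt} {
		v, specKey, err := predicateType([]byte(s))
		fmt.Printf("type=%q specKey=%v err=%v\n", v, specKey, err)
	}
}
```

A false specKey on a successful read is the signal that the output came from an affected version and can be logged until the consumer is able to require the spec key alone.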