fix(lockfile): don't pre-set provenance before verification succeeds

jdx · claude · jdx · commit 196d5029ea4e · 2026-03-07T21:42:13.000Z
- zig.rs: remove premature minisign provenance from resolve_lock_info;
  provenance is recorded in install_version_ after download() confirms
  minisign verification succeeded
- github.rs: add defense-in-depth checks that verify the provenance type
  returned by successful verification matches the lockfile expectation,
  preventing silent type switches between mechanisms

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/src/backend/github.rs b/src/backend/github.rs
@@ -1178,10 +1178,10 @@ impl UnifiedGitBackend {
     ) -> Result<Option<ProvenanceType>> {
         let settings = Settings::get();
 
-        // Read the expected provenance from the lockfile. Unlike aqua's .take() approach,
-        // we use .clone() here because tv is &ToolVersion. The caller unconditionally
-        // overwrites platform_info.provenance with the returned value, so stale data
-        // cannot persist after a successful call.
+        // Read the expected provenance from the lockfile. We use .clone() because tv is
+        // &ToolVersion. The result is validated against this expectation at every return
+        // point: successful verification checks type match, and no-verification triggers
+        // a downgrade error.
         let platform_key = self.get_platform_key();
         let locked_provenance = tv
             .lock_platforms
@@ -1213,6 +1213,15 @@ impl UnifiedGitBackend {
                 .await
             {
                 Ok(true) => {
+                    // Defense-in-depth: verify the result matches the lockfile expectation
+                    if let Some(ref expected) = locked_provenance
+                        && !expected.is_github_attestations()
+                    {
+                        return Err(eyre::eyre!(
+                            "Lockfile requires {expected} provenance for {tv} but github-attestations was verified. \
+                             This may indicate a provenance type mismatch."
+                        ));
+                    }
                     return Ok(Some(ProvenanceType::GithubAttestations));
                 }
                 Ok(false) => {
@@ -1238,6 +1247,15 @@ impl UnifiedGitBackend {
         if !skip_slsa && settings.slsa && settings.github.slsa {
             match self.try_verify_slsa(ctx, tv, file_path).await {
                 Ok((true, provenance_url)) => {
+                    // Defense-in-depth: verify the result matches the lockfile expectation
+                    if let Some(ref expected) = locked_provenance
+                        && !expected.is_slsa()
+                    {
+                        return Err(eyre::eyre!(
+                            "Lockfile requires {expected} provenance for {tv} but slsa was verified. \
+                             This may indicate a provenance type mismatch."
+                        ));
+                    }
                     return Ok(Some(ProvenanceType::Slsa {
                         url: provenance_url,
                     }));
@@ -1258,7 +1276,7 @@ impl UnifiedGitBackend {
         }
 
         // If lockfile recorded provenance but no verification succeeded, it's a downgrade attack
-        if let Some(expected) = locked_provenance {
+        if let Some(ref expected) = locked_provenance {
             return Err(eyre::eyre!(
                 "Lockfile requires {expected} provenance for {tv} but verification was not performed. \
                  This may indicate a downgrade attack. Enable the corresponding verification setting \
diff --git a/src/plugins/core/zig.rs b/src/plugins/core/zig.rs
@@ -422,6 +422,9 @@ impl Backend for ZigPlugin {
         };
 
         // Try to get full info from JSON (includes checksum and size)
+        // Don't pre-set provenance at lock time — minisign verification hasn't run yet.
+        // Provenance is recorded in install_version_ after download() confirms minisign
+        // verification succeeded.
         match self
             .get_download_info_from_json(json_url, version, arch, os)
             .await
@@ -430,7 +433,6 @@ impl Backend for ZigPlugin {
                 url: Some(url),
                 checksum,
                 size,
-                provenance: Some(ProvenanceType::Minisign),
                 ..Default::default()
             }),
             Err(_) if regex!(r"^\d+\.\d+\.\d+$").is_match(&tv.version) => {
