fix: SLSA for in-toto statement with no signatures #8094
This fixes the following issue with github:docker/buildx@0.31.1:

```text
DEBUG No GitHub attestations found for github:docker/buildx@0.31.1, trying SLSA
INFO github:docker/buildx@0.31.1 [2/3] verify SLSA provenance
INFO github:docker/buildx@0.31.1 [2/3] download buildx-v0.31.1.linux-amd64.provenance.json
DEBUG GET Downloading https://github.com/docker/buildx/releases/download/v0.31.1/buildx-v0.31.1.linux-amd64.provenance.json to /mise/downloads/github-docker-buildx/0.31.1/buildx-v0.31.1.linux-amd64.provenance.json
DEBUG GET https://github.com/docker/buildx/releases/download/v0.31.1/buildx-v0.31.1.linux-amd64.provenance.json
DEBUG reuse idle connection for ("https", github.com)
DEBUG pooling idle connection for ("https", github.com)
DEBUG reuse idle connection for ("https", release-assets.githubusercontent.com)
DEBUG GET https://github.com/docker/buildx/releases/download/v0.31.1/buildx-v0.31.1.linux-amd64.provenance.json 200 OK
DEBUG pooling idle connection for ("https", release-assets.githubusercontent.com)
INFO github:docker/buildx@0.31.1 [2/3] verify SLSA provenance
Error:
   0: Failed to install github:docker/buildx@0.31: SLSA verification error for github:docker/buildx@0.31.1: Verification failed: File does not contain valid attestations or SLSA provenance

Location:
   src/toolset/toolset_install.rs:230

Version:
   2026.2.9 linux-x64 (2026-02-10)
```

Before this fix:

1. verify_slsa_provenance() is called with the buildx raw provenance file
2. The sigstore crate can't parse it as a sigstore bundle/DSSE envelope — it's just a raw in-toto statement with no signatures
3. Returns AttestationError::Verification("File does not contain valid attestations or SLSA provenance")
4. The old code at line 1261 mapped this to Err(VerificationStatus::Error(e.to_string())) which becomes "Verification failed: File does not contain valid attestations or SLSA provenance"
5. That propagated to line 1112: "SLSA verification error for github:docker/buildx@0.31.1: Verification failed: File does not contain valid attestations or SLSA provenance" — the exact error in error.txt

After this fix:

1. Same as above — AttestationError::Verification("File does not contain valid attestations or SLSA provenance")
2. is_slsa_format_issue() checks msg.contains("does not contain valid attestations") → matches
3. Returns Err(VerificationStatus::NoAttestations) instead, which is the graceful fallback path (installation proceeds without provenance verification)

The buildx provenance file confirms why — it's a raw BuildKit in-toto Statement (v0.1) with SLSA v1 provenance predicate, but has no sigstore signatures, no DSSE envelope, no certificates. It's provenance metadata, not a cryptographically signed attestation bundle.

Some provenance files (e.g., BuildKit raw provenance) exist but aren't in a sigstore-verifiable format.

After this fix:

```text
COLORBT_SHOW_HIDDEN=1 RUST_BACKTRACE=1 mise use github:docker/buildx@0.31.1 --verbose
DEBUG ARGS: mise use github:docker/buildx@0.31.1 --verbose
DEBUG [vfox] Getting metadata for yarn
DEBUG config: /mise/config.toml
DEBUG [vfox] Getting metadata for yarn
DEBUG GET https://api.github.com/repos/docker/buildx/releases
DEBUG starting new connection: https://api.github.com/
DEBUG connecting to 20.26.156.210:443
DEBUG connected to 20.26.156.210:443
DEBUG GET https://api.github.com/repos/docker/buildx/releases 200 OK
DEBUG pooling idle connection for ("https", api.github.com)
INFO github:docker/buildx@0.31.1 [1/3] install
DEBUG GET https://api.github.com/repos/docker/buildx/releases/tags/v0.31.1
DEBUG reuse idle connection for ("https", api.github.com)
DEBUG GET https://api.github.com/repos/docker/buildx/releases/tags/v0.31.1 200 OK
DEBUG pooling idle connection for ("https", api.github.com)
DEBUG using GitHub API digest for checksum verification
DEBUG HEAD https://github.com/docker/buildx/releases/download/v0.31.1/buildx-v0.31.1.linux-amd64
DEBUG starting new connection: https://github.com/
DEBUG connecting to 20.26.156.215:443
DEBUG connected to 20.26.156.215:443
DEBUG pooling idle connection for ("https", github.com)
DEBUG starting new connection: https://release-assets.githubusercontent.com/
DEBUG connecting to 185.199.111.133:443
DEBUG connected to 185.199.111.133:443
DEBUG pooling idle connection for ("https", release-assets.githubusercontent.com)
DEBUG HEAD https://github.com/docker/buildx/releases/download/v0.31.1/buildx-v0.31.1.linux-amd64 200 OK
INFO github:docker/buildx@0.31.1 [1/3] download buildx-v0.31.1.linux-amd64
DEBUG GET Downloading https://github.com/docker/buildx/releases/download/v0.31.1/buildx-v0.31.1.linux-amd64 to /mise/downloads/github-docker-buildx/0.31.1/buildx-v0.31.1.linux-amd64
DEBUG GET https://github.com/docker/buildx/releases/download/v0.31.1/buildx-v0.31.1.linux-amd64
DEBUG reuse idle connection for ("https", github.com)
DEBUG pooling idle connection for ("https", github.com)
DEBUG reuse idle connection for ("https", release-assets.githubusercontent.com)
DEBUG GET https://github.com/docker/buildx/releases/download/v0.31.1/buildx-v0.31.1.linux-amd64 200 OK
DEBUG pooling idle connection for ("https", release-assets.githubusercontent.com)
INFO github:docker/buildx@0.31.1 [2/3] checksum buildx-v0.31.1.linux-amd64
INFO github:docker/buildx@0.31.1 [2/3] verify GitHub attestations
DEBUG starting new connection: https://api.github.com/
DEBUG connecting to 20.26.156.210:443
DEBUG connected to 20.26.156.210:443
DEBUG pooling idle connection for ("https", api.github.com)
DEBUG No GitHub attestations found for github:docker/buildx@0.31.1, trying SLSA
INFO github:docker/buildx@0.31.1 [2/3] verify SLSA provenance
INFO github:docker/buildx@0.31.1 [2/3] download buildx-v0.31.1.linux-amd64.provenance.json
DEBUG GET Downloading https://github.com/docker/buildx/releases/download/v0.31.1/buildx-v0.31.1.linux-amd64.provenance.json to /mise/downloads/github-docker-buildx/0.31.1/buildx-v0.31.1.linux-amd64.provenance.json
DEBUG GET https://github.com/docker/buildx/releases/download/v0.31.1/buildx-v0.31.1.linux-amd64.provenance.json
DEBUG reuse idle connection for ("https", github.com)
DEBUG pooling idle connection for ("https", github.com)
DEBUG reuse idle connection for ("https", release-assets.githubusercontent.com)
DEBUG GET https://github.com/docker/buildx/releases/download/v0.31.1/buildx-v0.31.1.linux-amd64.provenance.json 200 OK
DEBUG pooling idle connection for ("https", release-assets.githubusercontent.com)
INFO github:docker/buildx@0.31.1 [2/3] verify SLSA provenance
DEBUG SLSA provenance file not in verifiable format for github:docker/buildx@0.31.1: Verification failed: File does not contain valid attestations or SLSA provenance
DEBUG No SLSA provenance found for github:docker/buildx@0.31.1
INFO github:docker/buildx@0.31.1 ✓ installed
DEBUG [vfox] Getting metadata for yarn
DEBUG config: /mise/config.toml
DEBUG [github:docker/buildx@0.31.1] list_bin_paths: ["/mise/installs/github-docker-buildx/0.31.1"]
DEBUG [vfox] Getting metadata for yarn
DEBUG [vfox] Getting metadata for yarn
DEBUG config: /mise/mise.toml
DEBUG config: /mise/config.toml
DEBUG updating 1 lockfiles
```

---

Resolves:

- jdx#8093

Signed-off-by: Gerhard Lazu <gerhardlazu@loopholelabs.io>
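The PR description above and the review comment further down both turn on one distinction: a bare in-toto Statement is provenance metadata with no signature, so a verifier that only understands DSSE envelopes and sigstore bundles rejects it, and the fix maps that specific "does not contain valid attestations" message onto `NoAttestations` rather than a hard error. The Rust below is an added example, not mise's code and not the sigstore crate's API: it reproduces the message-substring fallback the PR describes and adds a structural pre-check that recognises the three shapes by their top-level JSON keys (`_type`/`predicateType` for a Statement, `payloadType`/`payload`/`signatures` for a DSSE envelope, `mediaType` plus `dsseEnvelope` or `verificationMaterial` for a sigstore bundle). The enum and function names, the closure standing in for the real verifier, and the two sample documents are all assumptions constructed for this example.

```rust
// Added example, not mise's own code. Mirrors the fallback described in the PR
// (a "does not contain valid attestations" message becomes NoAttestations) and
// adds a structural pre-check that tells an unsigned in-toto Statement apart
// from a DSSE envelope or sigstore bundle before any signature verifier runs.
// All type and function names here are assumptions modelled on the PR text.

#[derive(Debug, PartialEq)]
pub enum ProvenanceFormat {
    SigstoreBundle, // "mediaType" + "dsseEnvelope" or "verificationMaterial"
    DsseEnvelope,   // "payloadType" + "payload" + "signatures"
    RawStatement,   // "_type" + "predicateType": bare Statement, nothing signed
    Unknown,
}

#[derive(Debug, PartialEq)]
pub enum VerificationStatus {
    Verified,
    NoAttestations,
    Error(String),
}

/// Collect the top-level object keys of a JSON document without a JSON crate.
/// Tracks string/escape state and nesting depth; a string at depth 1 that is
/// followed by ':' is a key. Keys of nested objects and arrays are ignored.
pub fn top_level_keys(json: &str) -> Vec<String> {
    let (mut keys, mut depth, mut in_str, mut escape) = (Vec::new(), 0i32, false, false);
    let mut cur = String::new();
    let mut last_str: Option<String> = None;
    for c in json.chars() {
        if in_str {
            if escape { cur.push(c); escape = false; }
            else if c == '\\' { escape = true; }
            else if c == '"' { in_str = false; last_str = Some(std::mem::take(&mut cur)); }
            else { cur.push(c); }
            continue;
        }
        match c {
            '"' => in_str = true,
            '{' | '[' => { depth += 1; last_str = None; }
            '}' | ']' => { depth -= 1; last_str = None; }
            ':' if depth == 1 => { if let Some(k) = last_str.take() { keys.push(k); } }
            c if c.is_whitespace() => {}
            _ => last_str = None, // ',' or a scalar: the previous string was a value
        }
    }
    keys
}

/// Classify a provenance file by the top-level keys each format is defined with.
pub fn classify(json: &str) -> ProvenanceFormat {
    let keys = top_level_keys(json);
    let has = |k: &str| keys.iter().any(|x| x == k);
    if has("mediaType") && (has("dsseEnvelope") || has("verificationMaterial")) {
        ProvenanceFormat::SigstoreBundle
    } else if has("payloadType") && has("payload") && has("signatures") {
        ProvenanceFormat::DsseEnvelope
    } else if has("_type") && has("predicateType") {
        ProvenanceFormat::RawStatement
    } else {
        ProvenanceFormat::Unknown
    }
}

/// The substring check the PR describes: a format complaint from the verifier
/// means "nothing verifiable here", not "a signature failed to validate".
pub fn is_slsa_format_issue(msg: &str) -> bool {
    msg.contains("does not contain valid attestations")
}

pub fn map_verifier_error(msg: &str) -> VerificationStatus {
    if is_slsa_format_issue(msg) {
        VerificationStatus::NoAttestations
    } else {
        VerificationStatus::Error(format!("Verification failed: {msg}"))
    }
}

/// `verify` stands in for the sigstore-backed verifier (assumed to return
/// Err(message) on failure). An unsigned Statement never reaches it: it carries
/// no integrity guarantee, so it is reported as absent and the install falls back.
pub fn verify_provenance<F>(json: &str, verify: F) -> VerificationStatus
where
    F: Fn(&str) -> Result<(), String>,
{
    match classify(json) {
        ProvenanceFormat::RawStatement => VerificationStatus::NoAttestations,
        _ => match verify(json) {
            Ok(()) => VerificationStatus::Verified,
            Err(msg) => map_verifier_error(&msg),
        },
    }
}

// Constructed sample in the shape of a raw in-toto Statement (v0.1) carrying a
// SLSA v1 predicate; the nested objects show that depth > 1 keys are skipped.
pub const RAW_STATEMENT: &str = r#"{
  "_type": "https://in-toto.io/Statement/v0.1",
  "predicateType": "https://slsa.dev/provenance/v1",
  "subject": [{"name": "buildx", "digest": {"sha256": "0000"}}],
  "predicate": {"buildDefinition": {"buildType": "constructed-example"}, "runDetails": {}}
}"#;

// Constructed sample in the shape of a DSSE envelope; payload and sig are placeholders.
pub const DSSE_ENVELOPE: &str = r#"{
  "payloadType": "application/vnd.in-toto+json",
  "payload": "ZXhhbXBsZQ==",
  "signatures": [{"keyid": "placeholder", "sig": "placeholder"}]
}"#;

fn main() {
    let stub = |_: &str| Err("File does not contain valid attestations or SLSA provenance".to_string());
    println!("raw statement -> {:?}", verify_provenance(RAW_STATEMENT, stub));
    println!("dsse envelope -> {:?}", classify(DSSE_ENVELOPE));
}
```

The structural check is the part worth keeping in mind as a defender: matching on an error string, as the PR does, works for the one message the sigstore crate emits today, whereas keying on the document's own shape makes the "unsigned, so unverifiable" decision explicit and visible in logs regardless of how the verifier phrases its rejection.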
Summary of Changes

Hello @gerhard, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request resolves an issue where SLSA provenance verification would erroneously fail for valid provenance files that are not structured in a sigstore-verifiable format. By introducing a mechanism to differentiate between actual verification failures and issues related to the provenance file's format, the system can now gracefully handle these cases, allowing tools to install even when cryptographic attestations are not present or parsable in the expected format. This enhances the flexibility and robustness of provenance handling.
Code Review
This pull request introduces a fix for SLSA provenance verification when encountering in-toto statements that lack signatures, such as those produced by BuildKit. The core of the change is a new helper function, is_slsa_format_issue, which identifies specific error messages from the sigstore-verification crate that indicate a file format issue rather than a cryptographic verification failure. This allows the system to gracefully fall back and treat these cases as if no attestations were found, instead of failing the installation with a hard error. The changes are well-contained within the github backend, and the new logic is thoroughly covered by unit tests, ensuring both the new graceful fallback path and existing hard failure paths for genuine verification errors are correctly handled. The implementation is clean and the fix is directly aligned with the problem described.
### 🚀 Features

- **(activate)** add shims directory as fallback when auto-install is enabled by @ctaintor in [#8106](#8106)
- **(env)** add `tools` variable to tera template context by @jdx in [#8108](#8108)
- **(set)** add --stdin flag for multiline environment variables by @jdx in [#8110](#8110)

### 🐛 Bug Fixes

- **(backend)** improve conda patchelf and dependency resolution for complex packages by @jdx in [#8087](#8087)
- **(ci)** fix validate-new-tools grep pattern for test field by @jdx in [#8100](#8100)
- **(config)** make MISE_OFFLINE work correctly by gracefully skipping network calls by @jdx in [#8109](#8109)
- **(github)** skip v prefix for "latest" version by @jdx in [#8105](#8105)
- **(gitlab)** resolve tool options from config for aliased tools by @jdx in [#8084](#8084)
- **(install)** use version_expr for Flutter to fix version resolution by @jdx in [#8081](#8081)
- **(registry)** add Linux support for tuist by @fortmarek in [#8102](#8102)
- **(release)** write release notes to file instead of capturing stdout by @jdx in [#8086](#8086)
- **(upgrade)** tools are not uninstalled properly due to outdated symlink by @roele in [#8099](#8099)
- **(upgrade)** ensure uninstallation failure does not leave invalid symlinks by @roele in [#8101](#8101)
- SLSA for in-toto statement with no signatures by @gerhard in [#8094](#8094)
- Vfox Plugin Auto-Installation for Environment Directives by @pose in [#8035](#8035)

### 📚 Documentation

- use mise activate for PowerShell in getting-started by @rileychh in [#8112](#8112)

### 📦 Registry

- add conda backend for mysql by @jdx in [#8080](#8080)
- add conda backends for 10 asdf-only tools by @jdx in [#8083](#8083)
- added podman-tui by @tony-sol in [#8098](#8098)

### Chore

- sort settings.toml alphabetically and add test by @jdx in [#8111](#8111)

### New Contributors

- @ctaintor made their first contribution in [#8106](#8106)
- @rileychh made their first contribution in [#8112](#8112)
- @fortmarek made their first contribution in [#8102](#8102)
- @pose made their first contribution in [#8035](#8035)
- @gerhard made their first contribution in [#8094](#8094)

## 📦 Aqua Registry Updates

#### New Packages (2)

- [`entireio/cli`](https://github.com/entireio/cli)
- [`rmitchellscott/reManager`](https://github.com/rmitchellscott/reManager)

#### Updated Packages (1)

- [`atuinsh/atuin`](https://github.com/atuinsh/atuin)