fix(install): detect github attestations provenance at lock-time#8781
fix(install): detect github attestations provenance at lock-time#8781hoechenberger wants to merge 3 commits intojdx:mainfrom
Conversation
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request enhances the Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. Footnotes
|
There was a problem hiding this comment.
Code Review
This pull request enhances the mise tool's provenance handling by enabling the detection and recording of github-attestations provenance in the lockfile during the mise lock command. This updates the detect_provenance_type logic in src/backend/aqua.rs to prioritize GithubAttestations over other provenance types like SLSA, Cosign, and Minisign. A new end-to-end test has been added to e2e/lockfile/test_lockfile_github_attestations_provenance to verify that mise lock correctly records github-attestations and that subsequent mise install --locked operations skip redundant attestation verification, improving performance. There is no feedback to provide.
Greptile SummaryThis PR extends Key changes:
Confidence Score: 5/5Safe to merge — the logic change is small, correct, and consistent with existing provenance-detection patterns. No P0 or P1 issues found. The core change correctly mirrors the SLSA/Cosign/Minisign detection approach, the enabled-field guard is consistent with install-time verification, and the priority ordering matches the existing ProvenanceType ordinal values. The only remaining concern (fragile shell quoting in the e2e test) was already flagged in a prior review thread and does not affect production correctness. e2e/lockfile/test_lockfile_github_attestations_provenance — the assert_not_contains shell-quoting issue noted in a prior review comment is still present. Important Files Changed
Sequence DiagramsequenceDiagram
participant User
participant mise
participant AquaRegistry
participant GitHubAPI
Note over User,GitHubAPI: mise lock (before this PR)
User->>mise: mise lock
mise->>AquaRegistry: fetch package metadata
AquaRegistry-->>mise: github_artifact_attestations config
mise->>mise: detect_provenance_type() → None (skipped)
mise-->>User: lockfile with checksum only
Note over User,GitHubAPI: mise install --locked (before this PR)
User->>mise: mise install --locked
mise->>mise: has_lockfile_integrity = false (no provenance)
mise->>GitHubAPI: verify_github_artifact_attestations()
GitHubAPI-->>mise: rate limit error ❌
Note over User,GitHubAPI: mise lock (after this PR)
User->>mise: mise lock
mise->>AquaRegistry: fetch package metadata
AquaRegistry-->>mise: github_artifact_attestations config
mise->>mise: detect_provenance_type() → GithubAttestations ✓
mise-->>User: lockfile with checksum + provenance="github-attestations"
Note over User,GitHubAPI: mise install --locked (after this PR)
User->>mise: mise install --locked
mise->>mise: has_lockfile_integrity = true (checksum + provenance)
mise->>mise: ensure_provenance_setting_enabled()
mise-->>User: install complete (no GitHub API call) ✓
Reviews (4): Last reviewed commit: "Merge branch 'main' into gh-provenance" | Re-trigger Greptile |
Add GithubAttestations to detect_provenance_type() using aqua registry metadata (github_artifact_attestations config). This allows `mise lock` to record provenance for tools like gh, jq, uv that use GitHub artifact attestations, so `mise install --locked` skips redundant API calls (which previously caused rate limit failures). Previously, detect_provenance_type() explicitly skipped GithubAttestations because it "requires downloading the artifact to query the attestation API". However, the aqua registry already has the necessary metadata (enabled flag, signer_workflow) available at lock time — detection does not require verification. This is consistent with how SLSA, cosign, and minisign provenance types are already detected from registry config.
5a563b2 to
b771ef5
Compare
|
@jdx I know you're very busy these days. Please let me know if there's any way in which I can make the PR review easier or help to hopefully get this fix evaluated & merged soon. This one is a really important one that seems to affect a bunch of users using |
|
I'm holding off on merging this until the underlying security issue is resolved. The PR itself doesn't introduce the problem — it follows the same pattern already used by SLSA, cosign, and minisign. But it extends the gap to GitHub attestations, which were previously verified at install-time. The core issue: Provenance is supposed to verify that an artifact was built by a trusted CI pipeline, not just that it hasn't been tampered with since lock-time. If the registry or download source is compromised at lock-time, both the checksum and the unverified provenance field get written to the lockfile without any validation. This needs to be fixed before we add more provenance types to the lock-time detection path. Possible approaches:
Under paranoid mode, we could modify this behavior to:
This comment was generated by Claude Code. |
I’m in favor of that approach. If we adopt it, then during The main motivation for skipping provenance checks at install time is to avoid repeatedly hitting GitHub API endpoints. However, for consumers of the lockfile – in my case, this would be our developers and end users – verifying the checksum should be sufficient, without requiring additional provenance checks. Is there any way in which I can help you resolve this issue, or at least test if and how certain approaches would work in our concrete dev & CI setup? Thank you, |
…attestations at lock time Previously, detect_provenance_type() recorded provenance from registry metadata without cryptographic verification, and mise install --locked skipped verify_provenance() entirely when the lockfile had both checksum and provenance. This meant provenance was never actually verified in the lock→install flow. This adds a locked_verify_provenance setting (default: false, auto-enabled under MISE_PARANOID) that forces re-verification at install time even when the lockfile has provenance. Also enables GitHub artifact attestations as the highest-priority provenance detection at lock time, and applies the same fix to the github backend. Closes the security gap discussed in #8781. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…attestations at lock time (#8901) ## Summary **Lock-time verification (current platform):** - During `mise lock`, for the current platform, downloads the artifact to a temp directory and runs full cryptographic verification (GitHub attestations, SLSA, cosign, minisign) before recording provenance in the lockfile - Cross-platform entries still use detection-only (registry metadata) since we can't easily verify artifacts for other platforms - If verification fails, provenance is not recorded (warning logged) **Install-time re-verification setting:** - Adds `locked_verify_provenance` setting (`MISE_LOCKED_VERIFY_PROVENANCE`, default: false, auto-enabled under `MISE_PARANOID`) that forces provenance re-verification at install time even when the lockfile already has both checksum and provenance **GitHub attestations at lock time:** - Enables GitHub artifact attestations as highest-priority provenance detection in `detect_provenance_type()` (what #8781 intended) - Applies the same `force_verify` logic to both `aqua` and `github` backends **Security context:** Previously, `detect_provenance_type()` recorded provenance from aqua registry metadata without cryptographic verification, and `mise install --locked` skipped `verify_provenance()` entirely when the lockfile had both checksum and provenance. This meant provenance was never actually verified in the `mise lock` → `mise install` flow. Lock-time verification for the current platform closes this gap, and the `locked_verify_provenance` setting provides additional protection for paranoid users. Supersedes #8781 — incorporates the GitHub attestations detection change while addressing the underlying security gap discussed there. ## Test plan - [ ] Verify `cargo check` passes (confirmed locally) - [ ] Verify `mise lock` records `github-attestations` provenance for tools with `github_artifact_attestations` in aqua registry (e.g., `jq >= 1.8.0`) after downloading and verifying the artifact - [ ] Verify `mise lock` logs verification activity for current platform tools with provenance - [ ] Verify `mise install --locked` skips provenance verification by default (existing behavior preserved) - [ ] Verify `MISE_LOCKED_VERIFY_PROVENANCE=1 mise install --locked` re-verifies provenance at install time - [ ] Verify `MISE_PARANOID=1 mise install --locked` also re-verifies provenance - [ ] Verify cross-platform lock entries still get provenance from metadata detection (no download) - [ ] Verify the new setting appears in `mise settings ls` and schema 🤖 Generated with [Claude Code](https://claude.com/claude-code) <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Medium Risk** > Changes tool provenance verification behavior in the `aqua` and `github` backends, including new lock-time artifact downloads and optional install-time re-verification, which could affect install/lock reliability and CI rate limits. > > **Overview** > **Strengthens lockfile provenance semantics.** `mise lock` now *cryptographically verifies* detected provenance for the **current platform** (downloading the artifact to a temp dir) before writing provenance into `mise.lock` for both `aqua` and `github`; if verification fails, provenance is omitted so it will be verified later. > > **Adds an opt-in install-time safety check.** Introduces `locked_verify_provenance` (also enabled by `paranoid`) to force provenance re-verification during `mise install` even when the lockfile already contains checksum+provenance, and updates schema/docs accordingly. > > **Test/docs updates.** E2E tests are adjusted for the new npm package-manager env var and for updated provenance expectations, and the cosign verification test now uses an aqua package with bundle-based cosign verification. > > <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit 810ef29. Bugbot is set up for automated code reviews on this repo. Configure [here](https://www.cursor.com/dashboard/bugbot).</sup> <!-- /CURSOR_SUMMARY --> --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Add GithubAttestations to detect_provenance_type() using aqua registry metadata (github_artifact_attestations config). This allows
mise lockto record provenance for tools like gh, jq, uv that use GitHub artifact attestations, somise install --lockedskips redundant API calls (which previously caused rate limit failures).Previously, detect_provenance_type() explicitly skipped GithubAttestations because it "requires downloading the artifact to query the attestation API". However, the aqua registry already has the necessary metadata (enabled flag, signer_workflow) available at lock time — detection does not require verification. This is consistent with how SLSA, cosign, and minisign provenance types are already detected from registry config.
Fixes the issue reported in #8677 (reply in thread)
Commit content and message were created with Claude Opus 4.6.