Skip to content

v0.13.1 — issue #56 fixes for users

Latest

Choose a tag to compare

@Mickdownunder Mickdownunder released this 12 Jul 11:28
672d3f5

Fixed

  • Provenance no longer deadlocks the install that brings its own verifier. A fresh checkout with provenance active could not install its own sigstore (the tool provenance needs). tooling-unavailable now degrades the tool-absent case to a loud warning while a genuinely invalid bundle still blocks fail-closed. The residual (an attacker deleting sigstore) is a first-class Attack Lab known-gap, not silently swallowed.
  • Clearer guard block message for a package-manager word inside shell substitution — explains the non-install case instead of the misleading 'rewrite the install' text. Parser unchanged, still fail-closed.

First release guarded by the new SECURITY.md supported-versions test. Published with Sigstore provenance from CI; dist reproduces byte-identically from the v0.13.1 tag.