deps: replace sigstore-verification with sigstore-verify to kill vulns#8064
codefromthecrypt merged 1 commit into main from
Conversation
Signed-off-by: Adrian Cole <adrian@tetrate.io>
bcbf574 to 5acfef4
FYI, I raised this on a shared branch as this is a dev zero thing, but I am way over time budget. I hope it helps get the build green soon. Whoever can take over and do what they want with this, including closing.

AWS dependencies - the gift that keeps on giving. Really wish we could drop Bedrock for good - can't they just use standard APIs? Why 100s of transitive deps?
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 5acfef40d8
| } | ||
| }; | ||
|
|
||
| let trusted_root = TrustedRoot::production().context("Failed to load Sigstore trusted root")?; |
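Review bot: `TrustedRoot::production()` on this line compiles the Sigstore public-good trust anchors into the binary, so the TUF-backed refresh that the Codex comment says the previous verifier path performed is dropped here. If `sigstore-verify` can construct a trusted root from bytes, fetch a current root first and fall back to `TrustedRoot::production()` only when that fetch fails; otherwise routine Fulcio/Rekor key rotation leaves older builds unable to verify new releases, and `goose update` cannot repair itself.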
Refresh the Sigstore trust root instead of embedding it
Using TrustedRoot::production() hardcodes the current Sigstore public-good trust anchors into the binary. GitHub’s attestation flow rotates Fulcio/Rekor/CT/TSA keys over time, so after the next routine root update any older goose build will start rejecting legitimately signed releases and goose update becomes a dead end until the user reinstalls manually. The previous verifier path refreshed trust material via TUF; this replacement needs the same online refresh behavior to keep self-updates working long-term.
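To make the staleness risk above concrete, here is an added example (not goose, sigstore-verify or Codex code) that reads a trusted root in the Sigstore trustedroot+json layout and reports which services have no key or CA valid at a given time; the sample root, its URLs, key bytes and dates are constructed placeholders.

```python
"""Flag a Sigstore trusted root whose keys have rotated out of validity.
Added example (not goose, sigstore-verify or Codex code): an embedded root is a
snapshot; once no key of a service is inside its validFor window, verification
of newly signed releases fails until the binary ships a newer root."""
from datetime import datetime

SERVICES = ("tlogs", "ctlogs", "certificateAuthorities", "timestampAuthorities")

def _parse(ts: str) -> datetime:
    # Trusted roots use RFC 3339 timestamps with a trailing Z.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def _valid_for(entry: dict) -> dict:
    # tlogs/ctlogs keep validFor under publicKey; CAs and TSAs keep it top level.
    return entry.get("validFor") or entry.get("publicKey", {}).get("validFor", {})

def is_valid_at(entry: dict, now: datetime) -> bool:
    """True if `entry` may be used at `now`; a missing 'end' means still current."""
    window = _valid_for(entry)
    if "start" in window and now < _parse(window["start"]):
        return False
    if "end" in window and now >= _parse(window["end"]):
        return False
    return True

def valid_counts(root: dict, now: datetime) -> dict:
    """Number of entries per service that are valid at `now`."""
    return {s: sum(is_valid_at(e, now) for e in root.get(s, [])) for s in SERVICES}

def stale_services(root: dict, now: datetime) -> list:
    """Services for which the root holds no currently valid key or CA."""
    return [s for s, n in valid_counts(root, now).items() if n == 0]

# Constructed miniature root in the trustedroot+json layout; key material,
# URLs and dates are placeholders, not the real Sigstore public-good instance.
SAMPLE_ROOT = {
    "mediaType": "application/vnd.dev.sigstore.trustedroot+json;version=0.1",
    "tlogs": [{"baseUrl": "https://rekor.example", "publicKey": {"rawBytes": "PLACEHOLDER",
              "validFor": {"start": "2021-01-12T00:00:00Z", "end": "2025-06-30T00:00:00Z"}}}],
    "ctlogs": [{"baseUrl": "https://ctfe.example", "publicKey": {"rawBytes": "PLACEHOLDER",
               "validFor": {"start": "2022-10-20T00:00:00Z"}}}],
    "certificateAuthorities": [
        {"uri": "https://fulcio.example", "validFor": {"start": "2021-03-07T00:00:00Z",
                                                      "end": "2022-12-31T00:00:00Z"}},
        {"uri": "https://fulcio.example", "validFor": {"start": "2022-12-31T00:00:00Z"}}],
    "timestampAuthorities": [{"uri": "https://tsa.example",
                              "validFor": {"start": "2024-01-01T00:00:00Z",
                                           "end": "2025-01-01T00:00:00Z"}}],
}
```

Running `stale_services(SAMPLE_ROOT, now)` against a root fetched at startup, and only then falling back to the embedded copy, is the kind of check that keeps a self-updater working across key rotation.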
@michaelneale seems Bedrock wants to be OpenAI'ish, so if we have critical mass, probably dump it for their OpenAI endpoints? https://aws.amazon.com/about-aws/whats-new/2025/12/amazon-bedrock-responses-api-from-openai/
* main: deps: replace sigstore-verification with sigstore-verify to kill vulns (#8064)
Summary

Cargo Deny is red on main due to four RustSec advisories. Three are `cargo update` bumps; the fourth (rsa, Marvin Attack) has no patched release and is caused by `sigstore-verification`. This replaces `sigstore-verification` with `sigstore-verify`, which uses `aws-lc-rs` instead of `rsa`. We get a clean run due to 1k fewer lines of `Cargo.lock`. The payment is ~30 lines of reqwest to call the GitHub API directly.

Type of Change

AI Assistance

Testing

```
$ GH_TOKEN=$(gh auth token) cargo run -p goose-cli --bin goose -- update
Downloading goose-aarch64-apple-darwin.tar.bz2 from stable release...
Downloaded 61602128 bytes.
Archive SHA-256: bfa03a01b5e9bd97fbdf9f7d635850f46f73f62f74aedbf423fe5aa57bcf17f5
Verifying SLSA provenance via Sigstore...
Sigstore provenance verification passed.
goose updated successfully (verified with Sigstore SLSA provenance).
```

Related Issues

Fixes the red Cargo Deny CI build
Builds on #7818