gh attestation verify JSON output includes incorrectly-formatted in-toto attestation #10114

@codysoyland

Description

Describe the bug

The output of gh attestation verify with the --format json flag produces a result structure with an incorrectly-formatted in-toto attestation.

For example, the field predicateType is called predicate_type in the output, which isn't correct according to the spec.

This can be observed using this command:

gh attestation verify oci://ghcr.io/github/artifact-attestations-helm-charts/trust-policies:v0.6.2 --owner github --format json --jq .[0].verificationResult.statement

gh version:

 ▶ gh --version
gh version 2.59.0 (2024-10-15)
https://github.com/cli/cli/releases/tag/v2.59.0

The root cause is a problem with JSON encoding described in this issue: in-toto/attestation#363

Related issue in sigstore-go: sigstore/sigstore-go#365

This should be fixed by sigstore/sigstore-go#366. After it is merged, a release will be cut, and gh may update to that version of sigstore-go.

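The following Go program is an added example, not code from this issue, from gh, or from sigstore-go. It does two things: it imitates the encoding mistake (marshalling a protoc-style struct, whose json tags carry the proto field name, with encoding/json, which yields predicate_type rather than the spec's predicateType), and it shows a consumer-side check that reads the JSON array printed by gh attestation verify --format json, flags the non-spec key, renames it, and validates the in-toto Statement v1 required fields. The snakeStatement type, the SampleVerifyOutput constant and its digests and predicate type are constructed for the example and are not real captures.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// StatementTypeV1 is the _type value of an in-toto Statement v1.
const StatementTypeV1 = "https://in-toto.io/Statement/v1"

// snakeToSpec maps snake_case keys (what encoding/json emits from protoc-style
// struct tags) to the lowerCamelCase names the in-toto spec requires.
var snakeToSpec = map[string]string{"predicate_type": "predicateType"}

// snakeStatement imitates a protoc-generated Statement struct: its json tags use
// the proto field names, so encoding/json emits predicate_type. Constructed here;
// not the real generated type.
type snakeStatement struct {
	Type          string           `json:"_type,omitempty"`
	Subject       []map[string]any `json:"subject,omitempty"`
	PredicateType string           `json:"predicate_type,omitempty"`
	Predicate     map[string]any   `json:"predicate,omitempty"`
}

// EncodeWithStructTags reproduces the bug's shape: the result contains the
// non-spec key "predicate_type".
func EncodeWithStructTags() ([]byte, error) {
	return json.Marshal(snakeStatement{
		Type:          StatementTypeV1,
		Subject:       []map[string]any{{"name": "example", "digest": map[string]any{"sha256": "00"}}},
		PredicateType: "https://slsa.dev/provenance/v1",
		Predicate:     map[string]any{},
	})
}

// MisnamedKeys returns top-level keys that are snake_case spellings of spec fields.
func MisnamedKeys(stmt map[string]any) []string {
	var bad []string
	for k := range stmt {
		if _, ok := snakeToSpec[k]; ok {
			bad = append(bad, k)
		}
	}
	return bad
}

// NormalizeStatement returns a copy with snake_case keys renamed to spec names,
// so tooling can consume output from an affected gh version.
func NormalizeStatement(stmt map[string]any) map[string]any {
	out := make(map[string]any, len(stmt))
	for k, v := range stmt {
		if spec, ok := snakeToSpec[k]; ok {
			k = spec
		}
		out[k] = v
	}
	return out
}

// ValidateStatement checks the Statement v1 required fields: _type, a non-empty
// subject list whose entries carry a digest, and predicateType.
func ValidateStatement(stmt map[string]any) error {
	if t, _ := stmt["_type"].(string); t != StatementTypeV1 {
		return fmt.Errorf("_type %q is not %s", t, StatementTypeV1)
	}
	subjects, ok := stmt["subject"].([]any)
	if !ok || len(subjects) == 0 {
		return errors.New("subject must be a non-empty array")
	}
	for i, s := range subjects {
		m, ok := s.(map[string]any)
		if d, _ := m["digest"].(map[string]any); !ok || len(d) == 0 {
			return fmt.Errorf("subject[%d] is not an object with a digest", i)
		}
	}
	if pt, _ := stmt["predicateType"].(string); pt == "" {
		if bad := MisnamedKeys(stmt); len(bad) > 0 {
			return fmt.Errorf("predicateType missing; found non-spec key(s) %s", strings.Join(bad, ", "))
		}
		return errors.New("predicateType missing")
	}
	return nil
}

// StatementsFromVerifyOutput extracts verificationResult.statement from each
// element of the JSON array that gh attestation verify --format json prints.
func StatementsFromVerifyOutput(raw []byte) ([]map[string]any, error) {
	var results []struct {
		VerificationResult struct {
			Statement map[string]any `json:"statement"`
		} `json:"verificationResult"`
	}
	if err := json.Unmarshal(raw, &results); err != nil {
		return nil, err
	}
	stmts := make([]map[string]any, 0, len(results))
	for _, r := range results {
		stmts = append(stmts, r.VerificationResult.Statement)
	}
	return stmts, nil
}

// SampleVerifyOutput is constructed to resemble the affected output (note
// predicate_type); it is not a real capture.
const SampleVerifyOutput = `[{"verificationResult":{"statement":{
  "_type":"https://in-toto.io/Statement/v1",
  "subject":[{"name":"trust-policies","digest":{"sha256":"abc"}}],
  "predicate_type":"https://slsa.dev/provenance/v1",
  "predicate":{}}}}]`

func main() {
	stmts, err := StatementsFromVerifyOutput([]byte(SampleVerifyOutput))
	if err != nil {
		panic(err)
	}
	for _, s := range stmts {
		fmt.Println("as emitted:", ValidateStatement(s))
		fmt.Println("normalized:", ValidateStatement(NormalizeStatement(s)))
	}
}
```

Pipe the real command's output into StatementsFromVerifyOutput to run the same check against an installed gh; once gh picks up a fixed sigstore-go, MisnamedKeys should return nothing and the raw statement should validate without normalization.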

Labels: bug (Something isn't working), gh-attestation (related to the gh attestation command)