Skip to content
Discussion options

You must be logged in to vote

Thanks for the detailed report. I was able to reproduce this and track it down.

This is caused by the GitHub TSA cert rotation not being present in the embedded GitHub trusted root bundled with the sigstore crates used by mise 2026.6.14. The opencode attestation timestamp is signed by GitHub TSA cert serial 1733DBD6E9FE0EFA1FA853F3017881E6C9473352 (valid from 2026-06-12), but the embedded GitHub trusted root in sigstore-trust-root 0.8.0 does not include that cert.

sigstore-verify / sigstore-trust-root 0.10.0 does include the new TSA cert. I tested current main after #10677 with an isolated install of github:anomalyco/opencode@1.17.12, and the attestation step now succeeds:

INFO github:ano…

Replies: 2 comments

Comment options

You must be logged in to vote
0 replies
Answer selected by yg-codes
Comment options

You must be logged in to vote
0 replies
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
2 participants