GitHub artifact attestations verification fails: TSA timestamp verification failed — no certificate matches issuer and serial number (github:anomalyco/opencode) #10680
-
SummaryInstalling ErrorEnvironment
Reproducemise uninstall github:anomalyco/opencode@1.17.12 2>/dev/null
mise install github:anomalyco/opencode@1.17.12
# → fails at [2/3] verify GitHub artifact attestationsWhat worksMISE_GITHUB_ATTESTATIONS=false mise install github:anomalyco/opencode@1.17.12 # ✓ installsNote: a per-tool AnalysisThe error string ("no certificate matches issuer and serial number") indicates the TSA (Time-Stamp Authority) certificate referenced by issuer+serial in opencode's Sigstore bundle does not match anything in mise's bundled TUF trust root. This points to a TUF-root coverage gap rather than a malformed attestation:
A web search for the literal strings "TSA timestamp verification failed" and "no certificate matches issuer and serial number" returns zero hits, suggesting this TUF-root mismatch is not yet tracked. Questions / possible directions
Happy to provide |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments
-
|
Thanks for the detailed report. I was able to reproduce this and track it down. This is caused by the GitHub TSA cert rotation not being present in the embedded GitHub trusted root bundled with the sigstore crates used by mise
So this should be fixed in the next mise release that includes #10677. Until then, the workaround is to disable GitHub artifact attestations, either globally with Longer term, we may want to load GitHub's trusted root via GitHub TUF rather than only from the embedded snapshot, so future TSA rotations do not require a dependency bump before verification works again. This comment was generated by an AI coding assistant. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for the fast and thorough diagnosis — and for confirming the root cause with the exact missing cert ( Two quick follow-ups, no action expected — just to close the loop:
Appreciate the tool. Nothing else needed from me here — marking this resolved on my side. |
Beta Was this translation helpful? Give feedback.
Thanks for the detailed report. I was able to reproduce this and track it down.
This is caused by the GitHub TSA cert rotation not being present in the embedded GitHub trusted root bundled with the sigstore crates used by mise
2026.6.14. The opencode attestation timestamp is signed by GitHub TSA cert serial1733DBD6E9FE0EFA1FA853F3017881E6C9473352(valid from2026-06-12), but the embedded GitHub trusted root insigstore-trust-root 0.8.0does not include that cert.sigstore-verify/sigstore-trust-root 0.10.0does include the new TSA cert. I tested currentmainafter #10677 with an isolated install ofgithub:anomalyco/opencode@1.17.12, and the attestation step now succeeds: