feat(aqua): integrate native sigstore-verification for security verification#6332
…ication

Replace external CLI dependencies (cosign, slsa-verifier, gh attestation verify) with a native Rust implementation using the sigstore-verification crate. This provides better performance, reliability, and integration.

Key changes:
- Add native Cosign signature verification with keyless and key-based verification
- Add native SLSA provenance verification supporting levels 1 and 2
- Add native GitHub artifact attestations verification
- Replace CLI tool dependencies with async Rust implementations
- Add comprehensive e2e tests for each verification method
- Use ProgressReport for user-facing verification status messages
- Support DSSE envelope format and in-toto v0.1/v1 statements

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Pull Request Overview
This PR integrates native Rust-based sigstore verification into the aqua backend, replacing external CLI dependencies (cosign, slsa-verifier, gh attestation verify) with the sigstore-verification crate. This improves performance, reliability, and reduces external dependencies while maintaining the same security verification capabilities.
- Native implementation of Cosign, SLSA, and GitHub attestations verification using Rust
- Async/await pattern replacing blocking CLI calls for better performance
- New configuration option for GitHub attestations verification with comprehensive test coverage
Reviewed Changes
Copilot reviewed 12 out of 13 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/backend/aqua.rs | Core implementation of native verification methods with async patterns |
| crates/aqua-registry/src/types.rs | Added GitHub attestations configuration structure |
| settings.toml | New GitHub attestations verification setting |
| schema/mise.json | JSON schema update for new setting |
| e2e/backend/test_aqua_* | End-to-end tests for each verification method |
| docs/dev-tools/backends/aqua.md | Documentation for security verification features |
| src/path.rs | Minor refactoring for string reference handling |
| src/cli/tool_stub.rs | Minor refactoring for string reference handling |
| Cargo.toml | Added sigstore-verification dependency |
src/backend/aqua.rs (Outdated)
| if e.to_string().contains("No attestations") { | ||
| warn!("No SLSA attestations found for {tv}: {e}"); | ||
| // For backward compatibility, we might want to allow this to pass | ||
| // depending on the package configuration | ||
| } else { | ||
| return Err(eyre!("SLSA verification error for {tv}: {e}")); | ||
| } |
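Review bot: the `No attestations` branch only warns and falls through, so a package whose registry entry configures slsa_provenance still installs when no attestation is found; that is a fail-open verification path and should return an error exactly like the `else` branch does. The `e.to_string().contains("No attestations")` check should also become a match on the crate's typed error (the GitHub attestations path already matches `AttestationError::NoAttestations`), so that an upstream wording change cannot silently turn a missing attestation into a hard failure, or the reverse.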
String matching on error messages is fragile and could break if the error message format changes. Consider using proper error types or error codes from the sigstore-verification crate instead of string matching.
| "GitHub attestations verification returned false for {tv}" | ||
| )); | ||
| } | ||
| Err(sigstore_verification::AttestationError::NoAttestations) => { |
This shows proper error type matching for GitHub attestations. The SLSA verification error handling should follow the same pattern instead of string matching on error messages.
- Enhanced aqua.md with comprehensive native verification documentation
- Updated SECURITY.md to reflect native implementation vs external CLI tools
- Updated tips-and-tricks.md to reflect no external tool dependencies needed
- Updated roadmap.md to show native verification is implemented
- Updated comparison-to-asdf.md to mention native verification
- Added troubleshooting section for verification failures
- Clarified that cosign, slsa-verifier, gh CLI tools are no longer needed for aqua

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add OpenSSL license to allowed licenses list for aws-lc-sys crate
- Ignore RUSTSEC-2024-0370 (proc-macro-error unmaintained) from sigstore dependencies
- Ignore RUSTSEC-2023-0071 (rsa Marvin attack) from sigstore dependencies

These security advisories are from transitive dependencies in the sigstore crate ecosystem. No safe upgrades are currently available upstream.

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Temporarily use the local sigstore-verification crate to test fixes for Sigstore Bundle v0.3 format support. This enables testing of the enhanced SLSA verification that can handle both the older direct DSSE envelope format and the newer Sigstore Bundle v0.3 format used by tools like osv-scanner.

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Remove the temporary local path override for sigstore-verification. The Bundle v0.3 format fix should be applied separately and the dependency updated through proper channels. This keeps the PR focused on the core native verification integration without temporary development artifacts.

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Hyperfine Performance
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2025.9.12 x -- echo | 19.2 ± 0.3 | 18.7 | 21.8 | 1.00 |
| mise x -- echo | 19.5 ± 0.3 | 18.9 | 22.6 | 1.02 ± 0.02 |

mise env

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2025.9.12 env | 18.6 ± 0.5 | 18.0 | 22.8 | 1.00 |
| mise env | 18.9 ± 0.4 | 18.3 | 21.2 | 1.01 ± 0.03 |

mise hook-env

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2025.9.12 hook-env | 18.3 ± 0.3 | 17.7 | 20.3 | 1.00 |
| mise hook-env | 18.6 ± 0.5 | 17.9 | 22.5 | 1.02 ± 0.03 |

mise ls

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2025.9.12 ls | 16.1 ± 0.3 | 15.6 | 17.5 | 1.00 |
| mise ls | 16.3 ± 0.3 | 15.7 | 18.5 | 1.02 ± 0.03 |
xtasks/test/perf
| Command | mise-2025.9.12 | mise | Variance |
|---|---|---|---|
| install (cached) | 164ms | ✅ 102ms | +60% |
| ls (cached) | 62ms | 62ms | +0% |
| bin-paths (cached) | 67ms | 68ms | -1% |
| task-ls (cached) | 465ms | 475ms | -2% |
✅ Performance improvement: install cached is 60%
…at support

Updates sigstore-verification dependency to version 0.1.1, which includes enhanced parsing support for Sigstore Bundle v0.3 format used by modern tools like osv-scanner, flux2, and sops.

The Bundle v0.3 format enhancement enables verification of tools that use the newer nested dsseEnvelope structure while maintaining backward compatibility with existing DSSE envelope formats.

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Security improvements to SLSA verification:

1. **Fix SLSA security bypass**: When a package explicitly configures slsa_provenance but no attestations are found, verification now fails instead of logging a warning and continuing. This prevents packages from installing without proper SLSA validation when it's expected.
2. **Replace fragile string matching**: Use proper AttestationError::NoAttestations error type matching instead of string contains checks, making the code more robust and less likely to break with upstream changes.
3. **Align with GitHub attestations behavior**: SLSA verification now follows the same strict security model as GitHub attestations verification.

This ensures that when aqua registry configuration indicates security verification should be performed, it's actually enforced rather than bypassed.

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
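The commit messages above describe three things the native path has to get right: accept both a bare DSSE envelope and the Sigstore Bundle v0.3 wrapper that nests the envelope under `dsseEnvelope`, decode the in-toto statement (v0.1 or v1) inside it and check its subject digest against the downloaded artifact, and fail closed (a typed `NoAttestations` error, not a warning) when provenance is required but missing. The following is an added example written for this page in Python's standard library; it is not code from mise or from the sigstore-verification crate. The in-toto statement URIs, the in-toto payload type and the bundle media type prefix are the published sigstore/in-toto values; the artifact bytes, the statement and the placeholder signature are constructed sample data. It also shows the DSSE pre-authentication encoding (PAE), the exact bytes a DSSE signature covers; checking the signature itself and the Fulcio certificate chain is the crate's job and is out of scope here.

```python
"""Parse a Sigstore Bundle v0.3 or a bare DSSE envelope, extract the in-toto
statement, match the subject digest to an artifact, and fail closed when a
required attestation is absent. Added example; not mise's or the crate's code."""
import base64
import hashlib
import json

IN_TOTO_V01 = "https://in-toto.io/Statement/v0.1"
IN_TOTO_V1 = "https://in-toto.io/Statement/v1"
IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
BUNDLE_MEDIA_PREFIX = "application/vnd.dev.sigstore.bundle"   # v0.2 and v0.3 share it
BUNDLE_V03 = "application/vnd.dev.sigstore.bundle.v0.3+json"


class AttestationError(Exception):
    """Typed failure: callers match on this, never on message text."""


def extract_envelope(doc: dict) -> dict:
    """Return the DSSE envelope from either wrapper format."""
    if "dsseEnvelope" in doc:                       # Sigstore Bundle (v0.3 nests the envelope)
        media = doc.get("mediaType", "")
        if not media.startswith(BUNDLE_MEDIA_PREFIX):
            raise AttestationError(f"unexpected bundle mediaType {media!r}")
        return doc["dsseEnvelope"]
    if "payloadType" in doc and "payload" in doc:   # older direct DSSE envelope
        return doc
    raise AttestationError("no DSSE envelope found")


def dsse_pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE PAE: 'DSSEv1' SP LEN(type) SP type SP LEN(body) SP body."""
    pt = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(pt), pt, len(payload), payload)


def parse_statement(envelope: dict) -> dict:
    """Decode the base64 payload and accept only in-toto v0.1 / v1 statements."""
    if envelope.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
        raise AttestationError(f"unsupported payloadType {envelope.get('payloadType')!r}")
    stmt = json.loads(base64.b64decode(envelope["payload"]))
    if stmt.get("_type") not in (IN_TOTO_V01, IN_TOTO_V1):
        raise AttestationError(f"unsupported statement type {stmt.get('_type')!r}")
    return stmt


def subject_matches(stmt: dict, artifact: bytes) -> bool:
    """True if any statement subject carries the artifact's sha256."""
    digest = hashlib.sha256(artifact).hexdigest()
    return any(s.get("digest", {}).get("sha256") == digest for s in stmt.get("subject", []))


def verify_provenance(doc, artifact: bytes, required: bool = True) -> str:
    """Return 'verified' or 'skipped'; raise AttestationError otherwise.
    A missing attestation is an error whenever provenance is required."""
    if doc is None:
        if required:
            raise AttestationError("NoAttestations")
        return "skipped"
    stmt = parse_statement(extract_envelope(doc))
    if not subject_matches(stmt, artifact):
        raise AttestationError("subject digest does not match artifact")
    return "verified"


def outcome(doc, artifact: bytes, required: bool = True) -> str:
    """Convenience wrapper that folds the typed error into a result string."""
    try:
        return verify_provenance(doc, artifact, required)
    except AttestationError as e:
        return f"error: {e}"


def build_samples():
    """Constructed sample data (not a real attestation): one artifact and one
    SLSA v1 statement, wrapped both as a Bundle v0.3 and as a bare envelope."""
    artifact = b"constructed release tarball bytes"
    stmt = {
        "_type": IN_TOTO_V1,
        "subject": [{"name": "tool_1.0.0_linux_amd64.tar.gz",
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {"buildDefinition": {}, "runDetails": {}},
    }
    payload = json.dumps(stmt, separators=(",", ":")).encode()
    envelope = {
        "payloadType": IN_TOTO_PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"sig": base64.b64encode(b"placeholder-signature").decode()}],
    }
    bundle = {"mediaType": BUNDLE_V03, "verificationMaterial": {}, "dsseEnvelope": envelope}
    return artifact, envelope, bundle


if __name__ == "__main__":
    artifact, envelope, bundle = build_samples()
    print("bundle v0.3:", outcome(bundle, artifact))
    print("bare envelope:", outcome(envelope, artifact))
    print("missing, required:", outcome(None, artifact))
    print("tampered artifact:", outcome(bundle, b"tampered"))
    print("signed bytes:", dsse_pae(envelope["payloadType"], base64.b64decode(envelope["payload"]))[:40])
```

The two wrapper formats differ only in where the envelope sits, so the dispatch in `extract_envelope` is all that distinguishes them; everything after that (payload type check, statement type check, subject digest) is shared, which is what lets a single verifier serve both older and v0.3 producers. `verify_provenance` takes `required` explicitly so that the fail-closed decision is made by the caller that knows the registry configuration, rather than buried in an error-message comparison.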
Pull Request Overview
Copilot reviewed 16 out of 17 changed files in this pull request and generated 4 comments.
| let provenance_filename = | ||
| url.split('/').next_back().unwrap_or("provenance.json"); | ||
| let path = tv.download_path().join(provenance_filename); |
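Review bot: `url.split('/').next_back()` yields an empty string for a URL that ends in `/`, and `tv.download_path().join("")` is then the download directory itself rather than a file; the last segment is also joined unvalidated, so a `.` or `..` segment would resolve to a path outside the intended file. Filter out empty and dot-only segments before the `join`, for example `.filter(|s| !s.is_empty() && s != "." && s != "..")`, and only then fall back to a tool-specific default name.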
Using unwrap_or with a default filename 'provenance.json' could lead to confusing behavior if multiple tools use HTTP-based SLSA provenance. Consider using a more specific default like 'provenance-{tool}-{version}.json' or handling the case where the URL doesn't contain a valid filename more explicitly.
| let provenance_filename = | |
| url.split('/').next_back().unwrap_or("provenance.json"); | |
| let path = tv.download_path().join(provenance_filename); | |
| let provenance_filename = url | |
| .split('/') | |
| .next_back() | |
| .filter(|s| !s.is_empty()) | |
| .map(|s| s.to_string()) | |
| .unwrap_or_else(|| format!("provenance-{}-{}.json", pkg.name, v)); | |
| let path = tv.download_path().join(&provenance_filename); |
| if !key_arg.is_empty() { | ||
| // Download or locate the public key | ||
| let key_path = if key_arg.starts_with("http") { | ||
| let key_filename = key_arg.split('/').next_back().unwrap_or("cosign.pub"); |
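Review bot: `key_arg.starts_with("http")` matches `http://` as well as `https://`, so a public key fetched over plain HTTP is accepted without transport authentication even though this key is the trust root for the key-based path; restrict the download branch to `https://` or state explicitly that the aqua registry entry, not the transport, is what is trusted. The filename derived from `key_arg` has the same empty-segment and dot-segment problem as the provenance filename.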
Similar to the provenance filename issue, using a generic default 'cosign.pub' could cause filename conflicts when multiple tools use key-based verification. Consider using a more specific default that includes the tool name or version.
| let key_filename = key_arg.split('/').next_back().unwrap_or("cosign.pub"); | |
| let key_filename = key_arg | |
| .split('/') | |
| .next_back() | |
| .filter(|s| !s.is_empty()) | |
| .map(|s| s.to_string()) | |
| .unwrap_or_else(|| format!("{}-{}-cosign.pub", pkg.name, v.version)); |
| if !sig_arg.is_empty() { | ||
| if sig_arg.starts_with("http") { | ||
| let sig_filename = | ||
| sig_arg.split('/').next_back().unwrap_or("checksum.sig"); |
The default signature filename 'checksum.sig' is too generic and could cause conflicts. Consider using a more specific naming pattern that includes the tool name or a unique identifier.
| sig_arg.split('/').next_back().unwrap_or("checksum.sig"); | |
| sig_arg.split('/').next_back().unwrap_or(&format!("{}_{}_checksum.sig", pkg.name, v)); |
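Review bot: the suggested `unwrap_or(&format!(...))` does not compile: the `String` produced by `format!` is a temporary that is dropped at the end of the `let` statement while `sig_filename` still borrows it (E0716). Use the same shape as the other suggestions, `.filter(|s| !s.is_empty()).map(|s| s.to_string()).unwrap_or_else(|| format!("{}_{}_checksum.sig", pkg.name, v))`, which also covers the empty-segment case.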
| let bundle_arg = bundle.arg(pkg, v, os(), arch())?; | ||
| if !bundle_arg.is_empty() { | ||
| let bundle_path = if bundle_arg.starts_with("http") { | ||
| let filename = bundle_arg.split('/').next_back().unwrap_or("bundle.json"); |
The default bundle filename 'bundle.json' is too generic and could cause conflicts between different tools. Consider using a more specific naming pattern.
| let filename = bundle_arg.split('/').next_back().unwrap_or("bundle.json"); | |
| let filename = bundle_arg | |
| .split('/') | |
| .next_back() | |
| .filter(|f| !f.is_empty()) | |
| .map(|f| f.to_string()) | |
| .unwrap_or_else(|| format!("{}-{}-bundle.json", pkg, v)); |
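Review bot: `format!("{}-{}-bundle.json", pkg, v)` formats the whole `pkg` and `v` values, whereas the key suggestion uses `pkg.name` and `v.version`; the default names should be built from the same fields at all four call sites so the fallback is predictable and filesystem-safe (a `Display` output containing `/` or spaces would produce a bad path). A single helper that derives the default name from tool, version and artifact kind would replace the four hand-written `format!` strings.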
- Sync version with latest sigstore-verification release
- Includes TLS backend configurability and traditional Cosign bundle support
### 📦 Registry
- remove deprecated virtualos by @jdx in [166379f](166379f)
- add trufflehog ([aqua:trufflesecurity/trufflehog](https://github.com/trufflesecurity/trufflehog)) by @risu729 in [#6316](#6316)

### 🚀 Features
- **(aqua)** integrate native sigstore-verification for security verification by @jdx in [#6332](#6332)
- **(docs)** improve search result readability with lighter teal background by @jdx in [#6328](#6328)
- **(ui)** update logo as favicon and fix hover transitions by @jdx in [#6325](#6325)
- **(vfox)** add file.read lua function by @malept in [#6333](#6333)
- add documentation for "Environment in tasks" #5134 #5638 by @Its-Just-Nans in [#6329](#6329)

### 🐛 Bug Fixes
- **(github)** correctly paginate releases/tags for private repos by @malept in [#6318](#6318)
- **(hk)** exclude aqua-registry from prettier linting by @jdx in [#6327](#6327)
- **(ui)** improve GitHub star badge layout and alignment by @jdx in [#6326](#6326)

### 📚 Documentation
- change 'hello.py' to 'main.py' in python.md by @my1e5 in [#6319](#6319)
- customize VitePress theme with unique branding by @jdx in [#6324](#6324)

### 📦️ Dependency Updates
- update taiki-e/install-action digest to 0aa4f22 by @renovate[bot] in [#6334](#6334)
- update rust crate comfy-table to v7.2.1 by @renovate[bot] in [#6335](#6335)
- update rust crate console to v0.16.1 by @renovate[bot] in [#6336](#6336)
- update rust crate indexmap to v2.11.4 by @renovate[bot] in [#6337](#6337)

### Chore
- fixing typos by @Its-Just-Nans in [#6331](#6331)

### New Contributors
- @Its-Just-Nans made their first contribution in [#6331](#6331)
- @my1e5 made their first contribution in [#6319](#6319)

---------

Co-authored-by: mise-en-dev <release@mise.jdx.dev>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
`cosign.experimental` was removed in aquaproj/aqua#2757. No registries are using it. The implementation for experimental in #6332 is never used, so I believe it's fine to remove it.
## [2025.9.16](https://github.com/jdx/mise/compare/v2025.9.15..v2025.9.16) - 2025-09-22

### 📦 Registry
- use npm backend for zbctl by @risu729 in [#6379](jdx/mise#6379)

### 🐛 Bug Fixes
- **(aqua)** remove blake3 support from aqua checksum algorithms by @risu729 in [#6370](jdx/mise#6370)
- **(aqua)** remove cosign and slsa-verifier dependencies by @risu729 in [#6371](jdx/mise#6371)
- **(aqua)** remove cosign.experimental by @risu729 in [#6376](jdx/mise#6376)

### 📚 Documentation
- minisign doesn't require cli by @risu729 in [#6369](jdx/mise#6369)

### Chore
- ignore renovate new bot name by @risu729 in [#6364](jdx/mise#6364)

## [2025.9.15](https://github.com/jdx/mise/compare/v2025.9.14..v2025.9.15) - 2025-09-21

### 📦 Registry
- add missing cargo backends by @jayvdb in [#6307](jdx/mise#6307)

### 🚀 Features
- add env propagation by @Its-Just-Nans in [#6342](jdx/mise#6342)

### 🐛 Bug Fixes
- **(aqua)** improve GitHub token handling for sigstore verification by @jdx in [#6351](jdx/mise#6351)
- **(backend)** change dependency checks to warnings instead of errors by @jdx in [#6363](jdx/mise#6363)
- **(npm)** improve error message when npm/bun is not installed by @jdx in [#6359](jdx/mise#6359)
- **(vfox)** enable TLS support for reqwest to fix CI tests by @jdx in [#6356](jdx/mise#6356)

### 🚜 Refactor
- **(registry)** convert to nested TOML sections format by @jdx in [#6361](jdx/mise#6361)

### 🧪 Testing
- **(e2e)** resolve mise via PATH in backend missing deps test by @jdx in [#6362](jdx/mise#6362)
- **(vfox)** replace flaky external HTTP tests with local mock server by @jdx in [#6354](jdx/mise#6354)

### 📦️ Dependency Updates
- pin dependencies by @renovate[bot] in [#6243](jdx/mise#6243)

### Chore
- **(install.sh)** add `MISE_INSTALL_MUSL` to force installing musl variants on Linux by @malept in [#6355](jdx/mise#6355)

## [2025.9.14](https://github.com/jdx/mise/compare/v2025.9.13..v2025.9.14) - 2025-09-20

### 🐛 Bug Fixes
- fix an issue where Swift could not be installed on arm64 Ubuntu by @lish82 in [#6348](jdx/mise#6348)

### Chore
- use cross to build on linux by @jdx in [#6346](jdx/mise#6346)

### New Contributors
- @lish82 made their first contribution in [#6348](jdx/mise#6348)

## [2025.9.13](https://github.com/jdx/mise/compare/v2025.9.12..v2025.9.13) - 2025-09-19

### 📦 Registry
- remove deprecated virtualos by @jdx in [166379f](jdx/mise@166379f)
- add trufflehog ([aqua:trufflesecurity/trufflehog](https://github.com/trufflesecurity/trufflehog)) by @risu729 in [#6316](jdx/mise#6316)

### 🚀 Features
- **(aqua)** integrate native sigstore-verification for security verification by @jdx in [#6332](jdx/mise#6332)
- **(docs)** improve search result readability with lighter teal background by @jdx in [#6328](jdx/mise#6328)
- **(ui)** update logo as favicon and fix hover transitions by @jdx in [#6325](jdx/mise#6325)
- **(vfox)** add file.read lua function by @malept in [#6333](jdx/mise#6333)
- add documentation for "Environment in tasks" #5134 #5638 by @Its-Just-Nans in [#6329](jdx/mise#6329)

### 🐛 Bug Fixes
- **(github)** correctly paginate releases/tags for private repos by @malept in [#6318](jdx/mise#6318)
- **(hk)** exclude aqua-registry from prettier linting by @jdx in [#6327](jdx/mise#6327)
- **(ui)** improve GitHub star badge layout and alignment by @jdx in [#6326](jdx/mise#6326)

### 📚 Documentation
- change 'hello.py' to 'main.py' in python.md by @my1e5 in [#6319](jdx/mise#6319)
- customize VitePress theme with unique branding by @jdx in [#6324](jdx/mise#6324)

### 📦️ Dependency Updates
- update taiki-e/install-action digest to 0aa4f22 by @renovate[bot] in [#6334](jdx/mise#6334)
- update rust crate comfy-table to v7.2.1 by @renovate[bot] in [#6335](jdx/mise#6335)
- update rust crate console to v0.16.1 by @renovate[bot] in [#6336](jdx/mise#6336)
- update rust crate indexmap to v2.11.4 by @renovate[bot] in [#6337](jdx/mise#6337)

### Chore
- fixing typos by @Its-Just-Nans in [#6331](jdx/mise#6331)

### New Contributors
- @Its-Just-Nans made their first contribution in [#6331](jdx/mise#6331)
- @my1e5 made their first contribution in [#6319](jdx/mise#6319)
Summary
Replace external CLI dependencies (cosign, slsa-verifier, gh attestation verify) with native Rust implementation using the sigstore-verification crate. This provides better performance, reliability, and integration while reducing external tool dependencies.
Key Changes
Technical Details
- ~/src/sigstore-verification
- `Runtime::new().block_on()` calls

Test Coverage
- test_aqua_cosign: Tests native Cosign signature verification
- test_aqua_slsa: Tests native SLSA provenance verification
- test_aqua_github_attestations: Tests native GitHub attestations verification

All tests verify that the native implementation is being used by checking for specific log messages during package installation.
🤖 Generated with Claude Code