docs: minisign doesn't require cli #6369

Merged
jdx merged 4 commits into jdx:main from risu729:no-minisign-cli
Sep 22, 2025

@risu729
Contributor

@risu729 risu729 commented Sep 22, 2025

It's already native using https://crates.io/crates/minisign-verify.

Copilot AI review requested due to automatic review settings September 22, 2025 13:00
@risu729 risu729 marked this pull request as draft September 22, 2025 13:02
Contributor

Copilot AI left a comment

Pull Request Overview

Clarify that minisign verification is native (no CLI required), and refine GitHub attestation handling and registry merging.

  • Add an enabled flag for GitHub attestations and adjust verification flow to honor it.
  • Improve override merging for GitHub attestation config; update docs to remove CLI requirements for minisign and add related env var.
  • Minor cleanup/removals (optional dependencies function, checksum algorithm list).

Reviewed Changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| src/backend/aqua.rs | Honor github_attestations.enabled and skip verification when disabled; stop opportunistic verification when not configured. |
| docs/tips-and-tricks.md | Document minisign as native and add MISE_AQUA_MINISIGN toggle. |
| docs/dev-tools/comparison-to-asdf.md | Update verification capabilities list to include Minisign without CLI. |
| docs/dev-tools/backends/aqua.md | Remove mention of minisign CLI; add checksums list; add a TODO comment in user docs. |
| crates/aqua-registry/src/types.rs | Add enabled to AquaGithubArtifactAttestations; change override merging to merge instead of replace; remove Blake3 variant; add merge impl. |
| SECURITY.md | Reflect native minisign verification and remove CLI tool requirements in docs. |


@risu729 risu729 requested a review from Copilot September 22, 2025 13:05
@risu729 risu729 marked this pull request as ready for review September 22, 2025 13:05
Contributor

Copilot AI left a comment

Pull Request Overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated no new comments.



@jdx jdx merged commit 4c5610b into jdx:main Sep 22, 2025
18 checks passed
@jdx jdx mentioned this pull request Sep 22, 2025
@risu729 risu729 deleted the no-minisign-cli branch September 22, 2025 15:36
jdx added a commit that referenced this pull request Sep 22, 2025
### 📦 Registry

- use npm backend for zbctl by @risu729 in
[#6379](#6379)

### 🐛 Bug Fixes

- **(aqua)** remove blake3 support from aqua checksum algorithms by
@risu729 in [#6370](#6370)
- **(aqua)** remove cosign and slsa-verifier dependencies by @risu729 in
[#6371](#6371)
- **(aqua)** remove cosign.experimental by @risu729 in
[#6376](#6376)

### 📚 Documentation

- minisign doesn't require cli by @risu729 in
[#6369](#6369)

### Chore

- ignore renovate new bot name by @risu729 in
[#6364](#6364)

Co-authored-by: mise-en-dev <release@mise.jdx.dev>
@jdx jdx mentioned this pull request Sep 22, 2025
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this pull request Sep 24, 2025
## [2025.9.16](https://github.com/jdx/mise/compare/v2025.9.15..v2025.9.16) - 2025-09-22

### 📦 Registry

- use npm backend for zbctl by @risu729 in [#6379](jdx/mise#6379)

### 🐛 Bug Fixes

- **(aqua)** remove blake3 support from aqua checksum algorithms by @risu729 in [#6370](jdx/mise#6370)
- **(aqua)** remove cosign and slsa-verifier dependencies by @risu729 in [#6371](jdx/mise#6371)
- **(aqua)** remove cosign.experimental by @risu729 in [#6376](jdx/mise#6376)

### 📚 Documentation

- minisign doesn't require cli by @risu729 in [#6369](jdx/mise#6369)

### Chore

- ignore renovate new bot name by @risu729 in [#6364](jdx/mise#6364)

## [2025.9.15](https://github.com/jdx/mise/compare/v2025.9.14..v2025.9.15) - 2025-09-21

### 📦 Registry

- add missing cargo backends by @jayvdb in [#6307](jdx/mise#6307)

### 🚀 Features

- add env propagation by @Its-Just-Nans in [#6342](jdx/mise#6342)

### 🐛 Bug Fixes

- **(aqua)** improve GitHub token handling for sigstore verification by @jdx in [#6351](jdx/mise#6351)
- **(backend)** change dependency checks to warnings instead of errors by @jdx in [#6363](jdx/mise#6363)
- **(npm)** improve error message when npm/bun is not installed by @jdx in [#6359](jdx/mise#6359)
- **(vfox)** enable TLS support for reqwest to fix CI tests by @jdx in [#6356](jdx/mise#6356)

### 🚜 Refactor

- **(registry)** convert to nested TOML sections format by @jdx in [#6361](jdx/mise#6361)

### 🧪 Testing

- **(e2e)** resolve mise via PATH in backend missing deps test by @jdx in [#6362](jdx/mise#6362)
- **(vfox)** replace flaky external HTTP tests with local mock server by @jdx in [#6354](jdx/mise#6354)

### 📦️ Dependency Updates

- pin dependencies by @renovate[bot] in [#6243](jdx/mise#6243)

### Chore

- **(install.sh)** add `MISE_INSTALL_MUSL` to force installing musl variants on Linux by @malept in [#6355](jdx/mise#6355)

## [2025.9.14](https://github.com/jdx/mise/compare/v2025.9.13..v2025.9.14) - 2025-09-20

### 🐛 Bug Fixes

- fix an issue where Swift could not be installed on arm64 Ubuntu by @lish82 in [#6348](jdx/mise#6348)

### Chore

- use cross to build on linux by @jdx in [#6346](jdx/mise#6346)

### New Contributors

- @lish82 made their first contribution in [#6348](jdx/mise#6348)

## [2025.9.13](https://github.com/jdx/mise/compare/v2025.9.12..v2025.9.13) - 2025-09-19

### 📦 Registry

- remove deprecated virtualos by @jdx in [166379f](jdx/mise@166379f)
- add trufflehog ([aqua:trufflesecurity/trufflehog](https://github.com/trufflesecurity/trufflehog)) by @risu729 in [#6316](jdx/mise#6316)

### 🚀 Features

- **(aqua)** integrate native sigstore-verification for security verification by @jdx in [#6332](jdx/mise#6332)
- **(docs)** improve search result readability with lighter teal background by @jdx in [#6328](jdx/mise#6328)
- **(ui)** update logo as favicon and fix hover transitions by @jdx in [#6325](jdx/mise#6325)
- **(vfox)** add file.read lua function by @malept in [#6333](jdx/mise#6333)
- add documentation for "Environment in tasks" #5134 #5638 by @Its-Just-Nans in [#6329](jdx/mise#6329)

### 🐛 Bug Fixes

- **(github)** correctly paginate releases/tags for private repos by @malept in [#6318](jdx/mise#6318)
- **(hk)** exclude aqua-registry from prettier linting by @jdx in [#6327](jdx/mise#6327)
- **(ui)** improve GitHub star badge layout and alignment by @jdx in [#6326](jdx/mise#6326)

### 📚 Documentation

- change 'hello.py' to 'main.py' in python.md by @my1e5 in [#6319](jdx/mise#6319)
- customize VitePress theme with unique branding by @jdx in [#6324](jdx/mise#6324)

### 📦️ Dependency Updates

- update taiki-e/install-action digest to 0aa4f22 by @renovate[bot] in [#6334](jdx/mise#6334)
- update rust crate comfy-table to v7.2.1 by @renovate[bot] in [#6335](jdx/mise#6335)
- update rust crate console to v0.16.1 by @renovate[bot] in [#6336](jdx/mise#6336)
- update rust crate indexmap to v2.11.4 by @renovate[bot] in [#6337](jdx/mise#6337)

### Chore

- fixing typos by @Its-Just-Nans in [#6331](jdx/mise#6331)

### New Contributors

- @Its-Just-Nans made their first contribution in [#6331](jdx/mise#6331)
- @my1e5 made their first contribution in [#6319](jdx/mise#6319)
riastradh pushed a commit to riastradh/pkgsrc-test20250901 that referenced this pull request Feb 8, 2026