fix(github): select platform-matching provenance file for SLSA verification#7853
When verifying SLSA provenance, the github backend was using `.find()` to select the first provenance file in the release assets, regardless of platform. This caused verification failures when multiple provenance files exist (e.g., darwin, linux, windows) and the wrong one was selected.

Now uses `AssetPicker::pick_best_provenance()` to score provenance files by OS and architecture match, selecting the one that matches the current platform.

Fixes: #7462

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Pull request overview
This PR fixes a bug in SLSA provenance verification where the GitHub backend was selecting the first available provenance file instead of the one matching the target platform. The fix reuses the existing AssetPicker infrastructure to score and select the correct provenance file based on OS and architecture matching.
Changes:
- Modified `UnifiedGitBackend::verify_slsa_attestation` to use `AssetPicker::pick_best_provenance()` for platform-aware provenance file selection
- Added `pick_best_provenance()` method to `AssetPicker` that scores provenance files by OS/arch match
- Added comprehensive unit tests covering Linux, macOS, Windows, and edge cases
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/backend/github.rs | Updated SLSA verification to use platform-aware provenance selection instead of .find() |
| src/backend/asset_matcher.rs | Added pick_best_provenance() method and comprehensive test coverage |
| .assets | ||
| .iter() | ||
| .find(|a| a.name == provenance_name) | ||
| .expect("provenance asset should exist since we found its name"); |
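Review bot: the `.find(|a| a.name == provenance_name)` plus `.expect(...)` pair re-derives an asset the picker has already looked at, so the only way the `expect` can fire is a mismatch between the name the picker returned and the list it was given. If `pick_best_provenance()` returned the selected asset (or its index) instead of its name, this second lookup and the panic path would disappear entirely; if it must return a name, prefer propagating an error from this function over panicking during verification.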
The error message should be more descriptive to aid debugging. Consider explaining what state led to this unexpected condition, e.g., 'provenance asset not found in release assets after being selected by picker'.
| .expect("provenance asset should exist since we found its name"); | |
| .unwrap_or_else(|| { | |
| panic!( | |
| "provenance asset '{}' not found in release assets after being selected by picker; available assets: {:?}", | |
| provenance_name, | |
| asset_names | |
| ) | |
| }); |
+1 for a more descriptive error.
Hyperfine Performance

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.1.8 x -- echo | 20.1 ± 0.3 | 19.4 | 22.5 | 1.00 |
| mise x -- echo | 20.5 ± 0.6 | 19.5 | 24.8 | 1.02 ± 0.03 |

mise env

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.1.8 env | 19.7 ± 0.6 | 18.8 | 25.7 | 1.00 |
| mise env | 20.4 ± 0.8 | 19.1 | 22.6 | 1.04 ± 0.05 |

mise hook-env

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.1.8 hook-env | 19.8 ± 0.5 | 18.8 | 21.2 | 1.00 |
| mise hook-env | 20.7 ± 0.6 | 19.8 | 25.5 | 1.04 ± 0.04 |

mise ls

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.1.8 ls | 17.7 ± 0.3 | 17.2 | 19.9 | 1.00 |
| mise ls | 19.1 ± 0.7 | 17.7 | 24.0 | 1.08 ± 0.04 |

xtasks/test/perf

| Command | mise-2026.1.8 | mise | Variance |
|---|---|---|---|
| install (cached) | 109ms | 110ms | +0% |
| ls (cached) | 67ms | 66ms | +1% |
| bin-paths (cached) | 71ms | 72ms | -1% |
| task-ls (cached) | 2268ms | 2265ms | +0% |
### 🚀 Features

- **(doctor)** add backend mismatch warnings by @jdx in [#7847](#7847)
- **(http)** add rename_exe support for archive extraction by @jdx in [#7874](#7874)
- **(http)** send x-mise-ci header for CI environment tracking by @jdx in [#7875](#7875)
- **(install)** auto-install plugins from [plugins] config section by @jdx in [#7856](#7856)
- **(registry)** add vercel by @mikecurtis in [#7844](#7844)
- **(task)** support glob patterns in task_config.includes by @jdx in [#7870](#7870)
- **(task)** add task templates for reusable task definitions by @jdx in [#7873](#7873)

### 🐛 Bug Fixes

- **(backend)** change registry mismatch log from info to debug by @jdx in [#7858](#7858)
- **(ci)** use squash merge for auto-merge-release workflow by @jdx in [7e5e71e](7e5e71e)
- **(ci)** remove --auto flag to merge immediately when CI passes by @jdx in [23ed2ed](23ed2ed)
- **(github)** select platform-matching provenance file for SLSA verification by @jdx in [#7853](#7853)
- **(go)** filter out version "1" from available versions by @jdx in [#7871](#7871)
- **(install)** skip CurDir components when detecting archive structure by @jdx in [#7868](#7868)
- **(pipx)** ensure Python minor version symlink exists for postinstall hooks by @jdx in [#7869](#7869)
- **(registry)** prevent duplicate -stable suffix in Flutter download URLs by @jdx in [#7872](#7872)
- **(task)** pass env to usage parser for env-backed arguments by @jdx in [#7848](#7848)
- **(task)** propagate MISE_ENV to child tasks when using -E flag by @jdx in [06ee776](06ee776)
- **(vfox-dotnet)** use os.execute() to fix Windows installation by @prodrigues1912 in [#7843](#7843)

### 📚 Documentation

- update cache-behavior with env_cache information by @jdx in [#7849](#7849)

### ◀️ Revert

- remove task inheritance from parent configs in monorepos by @jdx in [#7851](#7851)
- Revert "fix(ci): remove --auto flag to merge immediately when CI passes" by @jdx in [0606187](0606187)

### 📦 Registry

- add mago ([aqua:carthage-software/mago](https://github.com/carthage-software/mago)) by @scop in [#7845](#7845)

### Chore

- **(ci)** auto-merge release branch into main daily at 4am CST by @jdx in [#7852](#7852)

### New Contributors

- @mikecurtis made their first contribution in [#7844](#7844)
- @prodrigues1912 made their first contribution in [#7843](#7843)
Summary

- `AssetPicker::pick_best_provenance()` to score provenance files by OS and architecture match

Problem

When verifying SLSA provenance, the github backend was using `.find()` to select the first provenance file in the release assets, regardless of platform. This caused verification failures when multiple provenance files exist for different platforms.

For example, when installing `buildx-v0.30.1.linux-amd64`, the code would download `buildx-v0.30.1.darwin-amd64.provenance.json` if it appeared first in the assets list, causing SLSA verification to fail.

Solution

Reuses the existing `AssetPicker` infrastructure from `asset_matcher.rs` to score provenance files by platform match:

The highest-scoring provenance file is selected, ensuring the correct platform match.

Test plan

- `pick_best_provenance()` covering Linux, macOS, Windows targets

Fixes: #7462
🤖 Generated with Claude Code
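The PR description above explains the bug (first provenance file wins, whatever platform it belongs to) and the fix (score each provenance file by OS and architecture match). The following is an added, self-contained Rust example written for this page; it is not mise's `AssetPicker` code. The `Target` type, the `first_provenance` / `pick_best_provenance` / `score_provenance` names, the alias tables and the scoring weights are assumptions chosen to illustrate the approach, and `SAMPLE_ASSETS` is a constructed asset list modelled on the buildx release named in the description. It goes slightly beyond the PR text by also penalising a name that carries a different platform's tokens, so that a file with no platform tokens at all (the single-provenance-file release) still outranks a file for the wrong platform.

```rust
// Added example (not mise's own code): a platform-aware provenance picker in the
// spirit of AssetPicker::pick_best_provenance(). Type and function names, the
// marker list and the scoring weights are assumptions, not the project's API.
use std::env;

/// Substrings that mark a release asset as a provenance/attestation file.
/// These three markers are the ones named on this PR page; matching them
/// case-insensitively as substrings is an assumption of this example.
const PROVENANCE_MARKERS: &[&str] = &[".intoto.jsonl", "provenance", ".attestation"];

/// Platforms the picker knows, spelled as std::env::consts::OS / ARCH spell them.
const KNOWN_OS: &[&str] = &["linux", "macos", "windows"];
const KNOWN_ARCH: &[&str] = &["x86_64", "aarch64"];

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Target {
    pub os: &'static str,
    pub arch: &'static str,
}

impl Target {
    /// The platform this binary was compiled for.
    pub fn current() -> Self {
        Target { os: env::consts::OS, arch: env::consts::ARCH }
    }
}

/// Tokens release filenames commonly use for each OS. "windows" is deliberately
/// the only Windows token: a shorter "win" would also match "darwin".
fn os_aliases(os: &str) -> &'static [&'static str] {
    match os {
        "linux" => &["linux"],
        "macos" => &["darwin", "macos"],
        "windows" => &["windows"],
        _ => &[],
    }
}

fn arch_aliases(arch: &str) -> &'static [&'static str] {
    match arch {
        "x86_64" => &["x86_64", "amd64", "x64"],
        "aarch64" => &["aarch64", "arm64"],
        _ => &[],
    }
}

fn contains_any(haystack: &str, needles: &[&str]) -> bool {
    needles.iter().any(|n| haystack.contains(n))
}

/// Is this asset a provenance/attestation file at all?
pub fn is_provenance(name: &str) -> bool {
    contains_any(&name.to_ascii_lowercase(), PROVENANCE_MARKERS)
}

/// Score a provenance filename against the target: +2 for an OS match, +1 for an
/// arch match, and the same amounts subtracted when the name names a *different*
/// OS or arch. A name with no platform tokens (single-provenance-file release)
/// scores 0 and is still a valid candidate.
pub fn score_provenance(name: &str, target: &Target) -> i32 {
    let lower = name.to_ascii_lowercase();
    let mut score = 0;
    if contains_any(&lower, os_aliases(target.os)) {
        score += 2;
    } else if KNOWN_OS.iter().filter(|o| **o != target.os)
        .any(|o| contains_any(&lower, os_aliases(o)))
    {
        score -= 2;
    }
    if contains_any(&lower, arch_aliases(target.arch)) {
        score += 1;
    } else if KNOWN_ARCH.iter().filter(|a| **a != target.arch)
        .any(|a| contains_any(&lower, arch_aliases(a)))
    {
        score -= 1;
    }
    score
}

/// The behaviour the PR removes: the first provenance file in asset order,
/// whatever platform it belongs to.
pub fn first_provenance<'a>(assets: &[&'a str]) -> Option<&'a str> {
    assets.iter().copied().find(|n| is_provenance(n))
}

/// The behaviour the PR introduces: the best-scoring provenance file for the
/// target (earliest asset wins a tie), or None when there is no provenance file.
pub fn pick_best_provenance<'a>(assets: &[&'a str], target: &Target) -> Option<&'a str> {
    let mut best: Option<(&'a str, i32)> = None;
    for name in assets.iter().copied().filter(|n| is_provenance(n)) {
        let score = score_provenance(name, target);
        if best.map_or(true, |(_, b)| score > b) {
            best = Some((name, score));
        }
    }
    best.map(|(name, _)| name)
}

/// Constructed asset list modelled on the buildx release from the PR text;
/// the darwin provenance file deliberately comes first.
pub const SAMPLE_ASSETS: &[&str] = &[
    "buildx-v0.30.1.darwin-amd64.provenance.json",
    "buildx-v0.30.1.darwin-arm64.provenance.json",
    "buildx-v0.30.1.linux-amd64.provenance.json",
    "buildx-v0.30.1.windows-amd64.provenance.json",
    "buildx-v0.30.1.linux-amd64",
    "checksums.txt",
];

fn main() {
    let linux_amd64 = Target { os: "linux", arch: "x86_64" };
    println!("first match  : {:?}", first_provenance(SAMPLE_ASSETS));
    println!("linux/x86_64 : {:?}", pick_best_provenance(SAMPLE_ASSETS, &linux_amd64));
    println!("this host    : {:?}", pick_best_provenance(SAMPLE_ASSETS, &Target::current()));
}
```

Running it shows the failure mode from the description: `first_provenance` returns the darwin file because it is listed first, while `pick_best_provenance` returns the linux-amd64 file for a Linux/x86_64 target. The penalty for foreign platform tokens matters for the edge cases the PR tests mention: a release that ships one platform-neutral `.intoto.jsonl` still gets picked (score 0), whereas a file for another OS scores negative and is only chosen when nothing better exists.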
Note

Ensures SLSA verification uses the correct provenance file for the current platform.

- `AssetPicker::pick_best_provenance()` to filter provenance assets (`.intoto.jsonl`, `provenance`, `.attestation`) and score by OS/arch match only
- `AssetPicker` to select the best provenance asset name before downloading
- `.intoto.jsonl`, single-file/no-provenance cases

Written by Cursor Bugbot for commit da18c4e.