Description
Steps to Reproduce
- Download gem with attestation:

  ```shell
  $ wget https://rubygems.org/downloads/faraday-2.14.0.gem
  $ curl https://rubygems.org/api/v1/attestations/faraday-2.14.0 | jq ".[0]" > faraday-2.14.0.sigstore.json
  ```

- Use cosign v3.0.2 to attempt to verify:

  ```shell
  $ cosign verify-blob --bundle faraday-2.14.0.sigstore.json --certificate-identity-regexp "https://github.com/lostisland/faraday/.github/workflows/publish.yml@refs/tags/v2.14.0" --certificate-oidc-issuer "https://token.actions.githubusercontent.com" faraday-2.14.0.gem
  Error: bundle does not contain cert for verification, please provide public key
  error during command execution: bundle does not contain cert for verification, please provide public key
  ```
Expected Behavior
It should verify!
Current Behavior
It does not verify.
Possible Solution
There are two problems with the content:
- `verificationMaterial.tlogEntries` is missing `kindVersion`:

  ```json
  "kindVersion": {
    "kind": "dsse",
    "version": "0.0.1"
  },
  ```

- The `verificationMaterial.certificate.rawBytes` is base64-encoded twice instead of once.
When those two things are fixed, the bundle verified:
```shell
$ cosign verify-blob --bundle faraday-2.14.0-fixed.sigstore.json --certificate-identity-regexp "https://github.com/lostisland/faraday/.github/workflows/publish.yml@refs/tags/v2.14.0" --certificate-oidc-issuer "https://token.actions.githubusercontent.com" faraday-2.14.0.gem
Verified OK
```
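A checker for the two bundle defects described above, added here as an example and not part of this issue or of rubygems.org's or cosign's code. It assumes the tlog entry kind is DSSE (as for this attestation) and uses a constructed placeholder certificate and bundle rather than real ones; double encoding is detected by the fact that a DER certificate starts with `0x30 0x82`, a byte pair that cannot occur in base64 text.

```python
import base64, binascii, copy

# kindVersion this issue says is missing from the DSSE tlog entry
DSSE_KIND_VERSION = {"kind": "dsse", "version": "0.0.1"}

def _b64decode_strict(data):
    """Standard base64 decode; b"" if the input is not valid base64."""
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return b""

def certificate_encoding_depth(raw_bytes):
    """1 if rawBytes is a DER cert base64-encoded once, 2 if twice, else 0.
    A DER X.509 cert starts with SEQUENCE 0x30 0x82; 0x82 never occurs in base64 text."""
    first = _b64decode_strict(raw_bytes)
    if first[:2] == b"\x30\x82":
        return 1
    return 2 if _b64decode_strict(first)[:2] == b"\x30\x82" else 0

def find_bundle_problems(bundle):
    """Report the two defects described in this issue for a bundle dict."""
    problems = []
    material = bundle.get("verificationMaterial", {})
    for i, entry in enumerate(material.get("tlogEntries", [])):
        if "kindVersion" not in entry:
            problems.append(f"tlogEntries[{i}] is missing kindVersion")
    raw = material.get("certificate", {}).get("rawBytes")
    if raw and certificate_encoding_depth(raw) == 2:
        problems.append("certificate.rawBytes is base64-encoded twice")
    return problems

def repair_bundle(bundle):
    """Copy with kindVersion added (assumes DSSE entries) and rawBytes decoded once."""
    fixed = copy.deepcopy(bundle)
    material = fixed.get("verificationMaterial", {})
    for entry in material.get("tlogEntries", []):
        entry.setdefault("kindVersion", dict(DSSE_KIND_VERSION))
    cert = material.get("certificate", {})
    if cert.get("rawBytes") and certificate_encoding_depth(cert["rawBytes"]) == 2:
        cert["rawBytes"] = base64.b64decode(cert["rawBytes"]).decode("ascii")
    return fixed

# Constructed sample (not a real certificate or bundle) showing both defects.
FAKE_DER = b"\x30\x82\x01\x2c" + bytes(12)
ONCE = base64.b64encode(FAKE_DER).decode()
TWICE = base64.b64encode(ONCE.encode()).decode()
SAMPLE_BUNDLE = {"verificationMaterial": {"certificate": {"rawBytes": TWICE},
                                          "tlogEntries": [{"logIndex": "1"}]}}
```

Run `find_bundle_problems` on a downloaded bundle loaded with `json.load` to see which of the two defects it carries; `repair_bundle` produces the corrected bundle that can be written out and passed to `cosign verify-blob --bundle`.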
Environment
Browser and its version: any
RubyGems version: I accessed https://rubygems.org/ to test this issue on 2025/11/13
Additional Context
Happy to answer any questions or provide additional debugging context!