[TRIAGE] The bottle for $foo has an invalid build provenance attestation #177384

Open
4 tasks done
noelleleigh opened this issue Jul 15, 2024 · 101 comments
Labels: bug (Reproducible Homebrew/homebrew-core bug), in progress (Stale bot should stay away)

Comments

@noelleleigh

noelleleigh commented Jul 15, 2024

brew gist-logs <formula> link OR brew config AND brew doctor output

brew config

HOMEBREW_VERSION: 4.3.9-227-gd4f808f
ORIGIN: https://github.com/Homebrew/brew
HEAD: d4f808ffb56cf47d8ee96b973bb15afd48cf8ba2
Last commit: 14 minutes ago
Core tap JSON: 15 Jul 13:58 UTC
Core cask tap JSON: 15 Jul 13:58 UTC
HOMEBREW_PREFIX: /usr/local
HOMEBREW_CASK_OPTS: []
HOMEBREW_EDITOR: code
HOMEBREW_MAKE_JOBS: 16
HOMEBREW_SORBET_RUNTIME: set
Homebrew Ruby: 3.3.4 => /usr/local/Homebrew/Library/Homebrew/vendor/portable-ruby/3.3.4/bin/ruby
CPU: 16-core 64-bit kabylake
Clang: 15.0.0 build 1500
Git: 2.45.2 => /usr/local/bin/git
Curl: 8.6.0 => /usr/bin/curl
macOS: 14.5-x86_64
CLT: 15.3.0.0.1.1708646388
Xcode: N/A

brew doctor

Your system is ready to brew.

Verification

  • My brew doctor output says Your system is ready to brew. and am still able to reproduce my issue.
  • I ran brew update and am still able to reproduce my issue.
  • I have resolved all warnings from brew doctor and that did not fix my problem.
  • I searched for recent similar issues at https://github.com/Homebrew/homebrew-core/issues?q=is%3Aissue and found no duplicates.

What were you trying to do (and why)?

Upgrade nano from 8.0 to 8.1

What happened (include all command output)?

> % brew upgrade nano  
==> Downloading https://formulae.brew.sh/api/formula.jws.json

==> Downloading https://formulae.brew.sh/api/cask.jws.json

Warning: Treating nano as a formula. For the cask, use homebrew/cask/nano or specify the `--cask` flag.
==> Upgrading 1 outdated package:
nano 8.0 -> 8.1
==> Downloading https://ghcr.io/v2/homebrew/core/nano/manifests/8.1
Already downloaded: /Users/noelle/Library/Caches/Homebrew/downloads/c235906dbe78ab367ac80fa098363c4312bc50c3945eb8154535b340d8394f94--nano-8.1.bottle_manifest.json
==> Fetching nano
==> Downloading https://ghcr.io/v2/homebrew/core/nano/blobs/sha256:78947cd54c0938695fd01dd784f3f0033c0af0532627
Already downloaded: /Users/noelle/Library/Caches/Homebrew/downloads/ac5e4929fdb43b3e506e55e05d011b7f77c9148f1abc5f20f9927bd46f1ce721--nano--8.1.sonoma.bottle.tar.gz
==> Upgrading nano
  8.0 -> 8.1 
==> Verifying attestation for nano
Error: The bottle for nano has an invalid build provenance attestation.

This may indicate that the bottle was not produced by the expected
tap, or was maliciously inserted into the expected tap's bottle
storage.

Additional context:

attestation verification failed: Failure while executing; `/usr/bin/env GH_TOKEN=****** /usr/local/bin/gh attestation verify /Users/noelle/Library/Caches/Homebrew/downloads/ac5e4929fdb43b3e506e55e05d011b7f77c9148f1abc5f20f9927bd46f1ce721--nano--8.1.sonoma.bottle.tar.gz --repo trailofbits/homebrew-brew-verify --format json` exited with 1. Here's the output:

Error: failed to fetch attestations from trailofbits/homebrew-brew-verify: HTTP 401: Bad credentials (https://api.github.com/repos/trailofbits/homebrew-brew-verify/attestations/sha256:78947cd54c0938695fd01dd784f3f0033c0af053262712e2d34bef6cd7653513?per_page=30)

What did you expect to happen?

Install without error

Step-by-step reproduction instructions (by running brew commands)

brew upgrade nano
@noelleleigh noelleleigh added the bug Reproducible Homebrew/homebrew-core bug label Jul 15, 2024
@Bo98 Bo98 assigned Bo98 and woodruffw and unassigned Bo98 Jul 15, 2024
@woodruffw
Member

Thanks for the report @noelleleigh! Could you attempt to run the following for me locally?

gh auth status

...that should help me determine why the GitHub API call failed to authenticate here.

@woodruffw
Member

In the meantime as well: you can disable this feature (it's in beta, but you're receiving it because you have developer mode enabled) by setting HOMEBREW_NO_VERIFY_ATTESTATIONS=1.

@mitchblank
Contributor

I had the same issue, and a gh auth login fixed it.

It seems that the attestation-checking code is sensitive to a stale gh token in a way that other parts of brew upgrade are not.

Also the way the error surfaces isn't very helpful

@woodruffw
Member

Also the way the error surfaces isn't very helpful

Agreed; we rolled this out to people with developer mode enabled to discover exactly these kinds of rough edges. I'll look into improving this error message.

@lblackstone
Contributor

lblackstone commented Jul 15, 2024

I encountered a similar error for the goreleaser package:

Error: failed to fetch attestations from trailofbits/homebrew-brew-verify: HTTP 401: Bad credentials (https://api.github.com/repos/trailofbits/homebrew-brew-verify/attestations/sha256:2a5e4f6a0352af1989c5516ad2b742e132bf5112e2574190b6b706f7b1697f35?per_page=30)

Running gh auth login did not fix it, but HOMEBREW_NO_VERIFY_ATTESTATIONS=1 worked as suggested.

I'm using the SSH git protocol if that makes a difference.

@woodruffw
Member

Using SSH for git shouldn't make a difference 🙂

@lblackstone could you run gh auth status and post the output here?

@lblackstone
Contributor

$ gh auth status

github.com
  ✓ Logged in to github.com account lblackstone (/Users/levi/.config/gh/hosts.yml)
  - Active account: true
  - Git operations protocol: ssh
  - Token: gho_************************************
  - Token scopes: 'admin:public_key', 'gist', 'read:org', 'repo'

@woodruffw
Member

woodruffw commented Jul 15, 2024

Thanks. That looks pretty close to what I have, so I don't think that's the source of problems here. It's possible that there's another (stale) credential elsewhere that Homebrew is giving priority to; I'll look into that.

Edit: @lblackstone do you happen to have a different API credential configured via HOMEBREW_GITHUB_API_TOKEN? That's the one credential source that has priority over the gh-held token.

@lblackstone
Contributor

lblackstone commented Jul 15, 2024

do you happen to have a different API credential configured via HOMEBREW_GITHUB_API_TOKEN? That's the one credential source that has priority over the gh-held token.

Ah, sure enough. It looks like my ~/.zshrc file was setting that, but I don't see the token on my GH settings. I assume it expired since I used it awhile back.

@woodruffw
Member

woodruffw commented Jul 15, 2024

Yep, that'll do it. I'll look into improving the error message on that case as well. In the meantime, you should be able to re-enable attestations and delete that old env var (Homebrew will use your gh token).

@noelleleigh
Author

Thanks for the report @noelleleigh! Could you attempt to run the following for me locally?

gh auth status

...that should help me determine why the GitHub API call failed to authenticate here.

Sorry for the delay:

$ gh auth status
github.com
  X Failed to log in to github.com account noelleleigh (keyring)
  - Active account: true
  - The token in keyring is invalid.
  - To re-authenticate, run: gh auth login -h github.com
  - To forget about this account, run: gh auth logout -h github.com -u noelleleigh

@woodruffw
Member

No problem, thanks for checking. Could you try running gh auth login and seeing if the command works after that?

(This feature won't require this kind of auth flow once it's out of beta; you can leave the beta either by disabling Homebrew's developer mode or by explicitly setting HOMEBREW_NO_VERIFY_ATTESTATIONS=1.)

@woodruffw
Member

woodruffw commented Jul 15, 2024

Hi, I'm trying to install otf2bdf and I'm getting a similar error, but a 404 instead of a 401. Is this related?

That's unrelated, but thank you for raising it. You can use the same HOMEBREW_NO_VERIFY_ATTESTATIONS=1 env var mentioned above to disable that failing check.

Edit: I've kicked off a rebottle for otf2bdf that should resolve the above.

Edit 2: The rebottle has completed and otf2bdf's bottles should now be attested. Thank you @jackson-57!

@noelleleigh
Author

No problem, thanks for checking. Could you try running gh auth login and seeing if the command works after that?

After completing the gh auth login flow, I can now upgrade nano successfully. Thanks!

@angelus2014

angelus2014 commented Jul 16, 2024

I use set HOMEBREW_NO_VERIFY_ATTESTATIONS 1 in fish and a check with env shows me that it's set.

@woodruffw
Member

woodruffw commented Aug 1, 2024

Thanks @mistydemeo! Yeah, this is the best place to keep track of these for now -- there are more of them than I was expecting, so my plan in the coming days is to collect all remaining non-attested :all bottles and rebottle them in bulk, and then close this out. But until then I'll keep triaging here 🙂

(I've dispatched a rebottle for rapidjson.)

Edit: FYI @RupeshJey you don't need to "+1" comments by saying me too -- if you're experiencing an issue with the same bottle, please just react to it with a 👍 and I'll know it affects more than one person. Responding with "me too"s makes it harder for me to track what I have remaining to triage 🙂

@woodruffw
Member

@mmrwoods Thanks for reporting -- yeah, this is a known issue. We actually did have a version check before, but performing it reliably in the context of bootstrapping gh is actually somewhat difficult given Homebrew's architecture. You can see some context for that here: Homebrew/brew#17899, Homebrew/brew#17727

With that being said, I can definitely improve the error messaging there to indicate that the user needs to manually run brew upgrade gh. I'll look at making a PR for that today.

woodruffw added a commit to Homebrew/brew that referenced this issue Aug 1, 2024
See Homebrew/homebrew-core#177384 (comment).

Signed-off-by: William Woodruff <william@yossarian.net>
@denniscote
Contributor

denniscote commented Aug 1, 2024 via email

@woodruffw
Member

I hope that helps.

Thank you, this is the context I generally need for these kinds of triage. FWIW, I've rebottled neofetch here: #179305 and the fixed attestation should be available once that PR is merged.

@ChristopherHammond13

This is probably a known issue, but FWIW after a recent brew update I ran into a gh cli error re missing attestation command...

==> Verifying attestation for gettext
attestation verification failed: Failure while executing; `/usr/bin/env GH_TOKEN=****** GH_HOST=github.com /opt/homebrew/bin/gh attestation verify /Users/mwoods/Library/Caches/Homebrew/downloads/7fa27fef64d0e791859cc145b153c3f95043f3803ff4c60e6835bdaaae740589--gettext--0.22.5.arm64_ventura.bottle.tar.gz --repo Homebrew/homebrew-core --format json` exited with 1. Here's the output:
unknown command "attestation" for "gh"

brew upgrade gh fixed this, moving me from version 2.42.1 to 2.53.0. Seems the attestation command was only added in version 2.49.0, which was only released on April 30th, but the code to check whether to enable attestations now checks for any gh version (Homebrew/brew@b8ff4b3).

I'm not sure how much trouble it would be to change that code to check for version 2.49.0 or later, but it seems like it would avoid the missing attestation gh cli command error.

Performing a brew upgrade gh fixed the issue for me, too (a re-login did not help, however). The package I had an issue with which was blocking my upgrade due to an attestation error was pcre2. Now that the gh package is up to date, everything seems to be ticking along nicely.

Thank you for the tip, @mmrwoods!

@heuermh

heuermh commented Aug 11, 2024

==> Upgrading brewsci/bio/edirect
  16.2 -> 22.1
==> Installing dependencies for brewsci/bio/edirect: cpanminus
==> Installing brewsci/bio/edirect dependency: cpanminus
==> Downloading https://ghcr.io/v2/homebrew/core/cpanminus/manifests/1.7047
Already downloaded: /Users/foo/Library/Caches/Homebrew/downloads/9e80d7eedcbf4589a593353f480729057df8c1f14c30b111fb294cd2e68d1163--cpanminus-1.7047.bottle_manifest.json
==> Verifying attestation for cpanminus
Error: The bottle for cpanminus has an invalid build provenance attestation.

This may indicate that the bottle was not produced by the expected
tap, or was maliciously inserted into the expected tap's bottle
storage.

Additional context:

no attestation matches subject: 715cc29abc1757470860a4ad0acb9d07701ef8c46399c905353954df33d5b769--cpanminus--1.7047.monterey.bottle.tar.gz

@woodruffw
Member

Thanks @heuermh, I can confirm that the monterey bottle is missing an attestation:

$ brew verify cpanminus --bottle-tag monterey
==> Downloading https://ghcr.io/v2/homebrew/core/cpanminus/blobs/sha256:f20737479b4b5d7d2945aa09b8b25e91d09205725b2a0a3858a37c1eeb282f92
###################################################################################################################################################### 100.0%
Error: Failed to verify cpanminus--1.7047.monterey.bottle.tar.gz with tag monterey due to error:

no attestation matches subject: 715cc29abc1757470860a4ad0acb9d07701ef8c46399c905353954df33d5b769--cpanminus--1.7047.monterey.bottle.tar.gz

I'm triggering a rebottle to fix it now.

ZhongRuoyu pushed a commit to chenrui333/brew that referenced this issue Aug 13, 2024
See Homebrew/homebrew-core#177384 (comment).

Signed-off-by: William Woodruff <william@yossarian.net>
@andrioli

I'm facing this issue with pass.

Here the output when trying to install on macOS Monterey:

 brew install pass
==> Downloading https://formulae.brew.sh/api/formula.jws.json
####################################################################################################################################################### 100.0%
==> Downloading https://formulae.brew.sh/api/cask.jws.json
####################################################################################################################################################### 100.0%
==> Downloading https://ghcr.io/v2/homebrew/core/pass/manifests/1.7.4
Already downloaded: /Users/raraujo/Library/Caches/Homebrew/downloads/260588ef35ce97fb9455eadd2fa605c0af26dd2d53a534d18bb5334e887bfdc6--pass-1.7.4.bottle_manifest.json
==> Fetching pass
==> Downloading https://ghcr.io/v2/homebrew/core/pass/blobs/sha256:d667e58dae216055777c9780d522b68c6868d7b23f9f712c09c29b1daf215b35
Already downloaded: /Users/raraujo/Library/Caches/Homebrew/downloads/f6f65aad4c36d5c1eb50c70b3db88bc9f25e2c1a3f00f7fe278d108ea3f5ad4e--pass--1.7.4.monterey.bottle.tar.gz
==> Verifying attestation for pass
Error: The bottle for pass has an invalid build provenance attestation.

This may indicate that the bottle was not produced by the expected
tap, or was maliciously inserted into the expected tap's bottle
storage.

Additional context:

no attestation matches subject: f6f65aad4c36d5c1eb50c70b3db88bc9f25e2c1a3f00f7fe278d108ea3f5ad4e--pass--1.7.4.monterey.bottle.tar.gz

@woodruffw
Member

woodruffw commented Aug 20, 2024

Thanks @andrioli. I can confirm this bug -- it looks like we accidentally skipped pass's old bottles during the attestation backfill. I'm triggering a rebottle to fix it now.

Edit: Dispatched: https://github.com/Homebrew/homebrew-core/actions/runs/10474173618

Edit 2: Rebottle failed due to an upstream checksum change. Triaging this with the upstream now.

Edit 3: The bottle build has been corrected and the rebottle has completed.

@woodruffw
Member

@maxbritto Please provide the full error you're seeing, like with other responses in this thread! It's much harder to triage the exact underlying cause if I don't know why the attestation failed.

@andrioli

andrioli commented Aug 20, 2024

Rebottle failed due to an upstream checksum change. Triaging this with the upstream now.

@woodruffw this is weird. Is there any open issue to tackle this with upstream?

No new releases in 3 years:
[image]

And the checksums for the last two versions didn't match:

~/Downloads ➜ sha256sum password-store-1.7.*
007816862dd8a2668842bf43b4e98c4c9b5aeaf7a868e101075dfd91eb657bb4  password-store-1.7.3.tar.xz
4c2d0a8b99df8915a87099607a8d912fd05d30651b6f014745c14e4ca8dbbfb7  password-store-1.7.4.tar.xz

Compare with the values of this commit.

Edit: Just wondering, maybe cgit is generating those source bundles (.tar.xz) at runtime and something changed there!

@woodruffw
Member

@andrioli Yep -- see #181795 for the results of our triage on this.

TL;DR the digest change was caused by a git archive change most likely, which has been a source of digest stability problems in the past. We confirmed that no files within the archive actually changed, nor did the underlying .tar container, only the compression layer.

@maxbritto

@maxbritto Please provide the full error you're seeing, like with other responses in this thread! It's much harder to triage the exact underlying cause if I don't know why the attestation failed.

Sorry, I removed my post a few seconds after posting it; you've been too fast :) I needed to upgrade gh (brew upgrade gh) and then it worked.

@tdsmith
Contributor

tdsmith commented Aug 27, 2024

A colleague ran into an issue running brew upgrade when an older, non-Homebrew gh (from our conda monorepo package set) without an attestation subcommand was first on PATH.

He received the message:

==> Verifying attestation for ca-certificates
Error: The bottle for ca-certificates has an invalid build provenance attestation.

This may indicate that the bottle was not produced by the expected
tap, or was maliciously inserted into the expected tap's bottle
storage.

Additional context:

attestation verification failed: Failure while executing; `/usr/bin/env GH_TOKEN=****** GH_HOST=github.com /Users/.../current/abcd/.conda/bin/gh attestation verify /Users/.../Library/Caches/Homebrew/downloads/9af01538d558e40dd9cf236c9e9d04f265bd12b0e10d9ee3881ca667e043acd9--ca-certificates--2024-07-02.all.bottle.tar.gz --repo Homebrew/homebrew-core --format json` exited with 1. Here's the output:
unknown command "attestation" for "gh"

Deactivating our monorepo (i.e. removing the foreign gh from PATH) allowed the upgrade to succeed.

Please let me know if more context would be helpful!
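The causes that keep recurring in this thread (a stale HOMEBREW_GITHUB_API_TOKEN or expired gh login producing HTTP 401, a gh older than 2.49.0 or a foreign gh first on PATH that lacks the attestation subcommand, bottles that genuinely have no attestation, and a blocked Sigstore TUF fetch) can all be checked locally before anyone reaches for HOMEBREW_NO_VERIFY_ATTESTATIONS=1. The following POSIX sh helper is an added example, not Homebrew's or gh's own code; it assumes the brewed gh lives at $HOMEBREW_PREFIX/bin/gh and that gh attestation first shipped in 2.49.0, both as stated in the comments above.

```shell
#!/bin/sh
# Added preflight/triage helper for Homebrew's bottle attestation check.
# Not Homebrew's or gh's own code; it encodes the causes found in this thread.
# Assumptions: brewed gh is at $HOMEBREW_PREFIX/bin/gh; `gh attestation`
# first shipped in gh 2.49.0.

MIN_GH_VERSION="2.49.0"

# version_ge A B: succeed when dotted version A >= B (missing parts count as 0).
version_ge() {
    v1="$1"; v2="$2"
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        p="${v1%%.*}"; q="${v2%%.*}"
        [ -z "$p" ] && p=0
        [ -z "$q" ] && q=0
        [ "$p" -gt "$q" ] && return 0
        [ "$p" -lt "$q" ] && return 1
        case "$v1" in *.*) v1="${v1#*.}" ;; *) v1="" ;; esac
        case "$v2" in *.*) v2="${v2#*.}" ;; *) v2="" ;; esac
    done
    return 0
}

# gh_version_from_banner "gh version 2.53.0 (2024-07-17)" prints 2.53.0.
gh_version_from_banner() {
    set -- $1            # split the banner into words; the version is word 3
    printf '%s\n' "$3"
}

# classify_attestation_error LINE: map the "Additional context" line of the
# "invalid build provenance attestation" error to the causes seen in this thread.
classify_attestation_error() {
    case "$1" in
        # expired gh login, or a stale HOMEBREW_GITHUB_API_TOKEN taking priority
        *"HTTP 401: Bad credentials"*) echo "stale-token" ;;
        # gh < 2.49.0, or a foreign gh earlier on PATH than the brewed one
        *'unknown command "attestation"'*) echo "gh-too-old" ;;
        # bottle may really be unattested: confirm with `brew verify`, then rebottle
        *"no attestation matches subject"*|*"HTTP 404"*|*"failed to fetch attestations for subject"*)
            echo "attestation-not-found" ;;
        # local network/proxy blocks the Sigstore TUF root fetch
        *"tuf refresh failed"*|*"connection refused"*) echo "sigstore-unreachable" ;;
        *) echo "unknown" ;;
    esac
}

# preflight: run the local checks; returns 1 when something fatal was found.
preflight() {
    prefix="${HOMEBREW_PREFIX:-$(brew --prefix 2>/dev/null || true)}"
    brewed_gh="$prefix/bin/gh"
    first_gh="$(command -v gh 2>/dev/null || true)"
    status=0
    if [ -z "$first_gh" ]; then
        echo "FAIL: no gh on PATH (brew install gh)"; return 1
    fi
    if [ "$first_gh" != "$brewed_gh" ]; then
        echo "WARN: first gh on PATH is $first_gh, not $brewed_gh; a foreign gh may lack 'attestation'"
    fi
    ver="$(gh_version_from_banner "$("$first_gh" --version | head -n 1)")"
    if version_ge "$ver" "$MIN_GH_VERSION"; then
        echo "OK: gh $ver has the attestation subcommand"
    else
        echo "FAIL: gh $ver < $MIN_GH_VERSION; run: brew upgrade gh"; status=1
    fi
    if [ -n "${HOMEBREW_GITHUB_API_TOKEN:-}" ]; then
        echo "WARN: HOMEBREW_GITHUB_API_TOKEN is set; it outranks the gh login and a stale value gives HTTP 401"
    fi
    if ! "$first_gh" auth status >/dev/null 2>&1; then
        echo "FAIL: gh is not logged in or its token is invalid; run: gh auth login"; status=1
    fi
    return "$status"
}

# Usage: sh preflight.sh --run            (run the checks)
#        sh preflight.sh --classify LINE  (classify one "Additional context" line)
case "${1:-}" in
    --run) preflight ;;
    --classify) classify_attestation_error "${2:-}" ;;
esac
```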

@jalavosus

@woodruffw Since this issue is still open, hoping you could take a look into lz4:

==> Upgrading lz4
  1.9.4 -> 1.10.0 
==> Verifying attestation for lz4
Error: The bottle for lz4 has an invalid build provenance attestation.

This may indicate that the bottle was not produced by the expected
tap, or was maliciously inserted into the expected tap's bottle
storage.

Additional context:

attestation verification failed: Failure while executing; `/usr/bin/env GH_TOKEN=****** GH_HOST=github.com /usr/local/bin/gh attestation verify /Users/james/Library/Caches/Homebrew/downloads/2dd0dd84b1009e5f0bd351bad100f4cb013c8d9887234b63777c2430fe6d9007--lz4--1.10.0.monterey.bottle.1.tar.gz --repo Homebrew/homebrew-core --format json` exited with 1. Here's the output:
Failed to verify the artifact: failed to fetch attestations for subject: sha256:f78cc448808d04a0c31b108d7da962020e062179e29c7d0a2303db7866d8e449

I've run gh auth login (which ended up being a good thing, the CLI was disconnected from GH for a while) and re-run brew update + brew upgrade.

OS version: macOS 12.6 (21G115)
brew --version output:

Homebrew 4.3.18-79-g76543a9
Homebrew/homebrew-core (git revision 9d56b5acf0c; last commit 2024-08-30)
Homebrew/homebrew-cask (git revision 8aec80d8bf0; last commit 2024-08-30)

@laytan
Contributor

laytan commented Sep 4, 2024

I am seeing a 404 error installing lm-sensors:

$ brew --version
Homebrew 4.3.19-40-g9659b57
Homebrew/homebrew-cask (git revision 348fb7496b2; last commit 2024-09-04)

$ brew install lm-sensors
==> Downloading https://ghcr.io/v2/homebrew/core/lm-sensors/manifests/3.6.0
Already downloaded: /home/laytan/.cache/Homebrew/downloads/8cdb949c52dc07e99e98df315647bbf6d80b93993283087caf5c49f93f98c811--lm-sensors-3.6.0.bottle_manifest.json
==> Fetching lm-sensors
==> Downloading https://ghcr.io/v2/homebrew/core/lm-sensors/blobs/sha256:9cab2dd7da319a2eda20dffe27d52292f3e66926
Already downloaded: /home/laytan/.cache/Homebrew/downloads/254371a742c8eff51baccc13ed195f25e5ba0c1c1a3963ebca9d7328ef0ca4bf--lm-sensors--3.6.0.x86_64_linux.bottle.tar.gz
==> Verifying attestation for lm-sensors
Error: The bottle for lm-sensors has an invalid build provenance attestation.

This may indicate that the bottle was not produced by the expected
tap, or was maliciously inserted into the expected tap's bottle
storage.

Additional context:

attestation not found: Failure while executing; `/usr/bin/env GH_TOKEN=****** GH_HOST=github.com /usr/bin/gh attestation verify /home/laytan/.cache/Homebrew/downloads/254371a742c8eff51baccc13ed195f25e5ba0c1c1a3963ebca9d7328ef0ca4bf--lm-sensors--3.6.0.x86_64_linux.bottle.tar.gz --repo trailofbits/homebrew-brew-verify --format json` exited with 1. Here's the output:

Error: failed to fetch attestations from trailofbits/homebrew-brew-verify: HTTP 404: Not Found (https://api.github.com/repos/trailofbits/homebrew-brew-verify/attestations/sha256:9cab2dd7da319a2eda20dffe27d52292f3e66926fabba8ac1f2204fa0885af3d?per_page=30)

@woodruffw
Member

woodruffw commented Sep 4, 2024

Sorry for the delay here.


Deactivating our monorepo (i.e. removing the foreign gh from PATH) allowed the upgrade to succeed.

Thanks @tdsmith, this is useful! I'll look at making more fixes to the precedence of the discovered gh (I could have sworn we only use the brewed gh, but there may be edge cases).


@jalavosus could you attempt to reproduce this again? I'm unable to reproduce this locally:

$ brew verify lz4 --bottle-tag=monterey
==> Downloading https://ghcr.io/v2/homebrew/core/lz4/blobs/sha256:f78cc448808d04a0c31b108d7da962020e062179e29c7d0a2303db7866d8e449
###################################################################################################################################################### 100.0%
==> lz4--1.10.0.monterey.bottle.1.tar.gz has a valid attestation

@laytan thanks, I can confirm that this one is missing an attestation. I'll dispatch a rebottle now.

Edit: dispatched: https://github.com/Homebrew/homebrew-core/actions/runs/10704760272

Edit 2: Done.

ctaintor pushed a commit to ctaintor/brew that referenced this issue Sep 4, 2024
See Homebrew/homebrew-core#177384 (comment).

Signed-off-by: William Woodruff <william@yossarian.net>
@GV14982

GV14982 commented Sep 12, 2024

Hi, I'm getting this error when installing docker-completion:

❯ brew install docker-completion
==> Downloading https://formulae.brew.sh/api/formula.jws.json
############################################################################################################################################# 100.0%
==> Downloading https://formulae.brew.sh/api/cask.jws.json

==> Downloading https://ghcr.io/v2/homebrew/core/docker-completion/manifests/27.2.1
Already downloaded: /Users/gvqz/Library/Caches/Homebrew/downloads/9367c959881a99177bc7ba3102e4296be97dffb50244787892a84f8da6d62095--docker-completion-27.2.1.bottle_manifest.json
==> Fetching docker-completion
==> Downloading https://ghcr.io/v2/homebrew/core/docker-completion/blobs/sha256:4d749c41af20db8f943d3415cf57d55cc932f3301af10aca65cf8cda90e67b23
Already downloaded: /Users/gvqz/Library/Caches/Homebrew/downloads/fd870c24d58b2f79315a896753b873cb0fbc6d57ff79f4d5185df8d348766c18--docker-completion--27.2.1.all.bottle.tar.gz
==> Verifying attestation for docker-completion
Error: The bottle for docker-completion has an invalid build provenance attestation.

This may indicate that the bottle was not produced by the expected
tap, or was maliciously inserted into the expected tap's bottle
storage.

Additional context:

attestation verification failed: Failure while executing; `/usr/bin/env GH_TOKEN=****** GH_HOST=github.com /opt/homebrew/bin/gh attestation verify /Users/gvqz/Library/Caches/Homebrew/downloads/fd870c24d58b2f79315a896753b873cb0fbc6d57ff79f4d5185df8d348766c18--docker-completion--27.2.1.all.bottle.tar.gz --repo Homebrew/homebrew-core --format json` exited with 1. Here's the output:
Failed to verify the artifact: failed to fetch attestations for subject: sha256:4d749c41af20db8f943d3415cf57d55cc932f3301af10aca65cf8cda90e67b23

I have refreshed my gh cli token, but still get the same issue.

@woodruffw
Member

woodruffw commented Sep 12, 2024

Thanks for the report @GV14982. I'm currently unable to reproduce this:

$ brew verify docker-completion
==> Downloading https://ghcr.io/v2/homebrew/core/docker-completion/blobs/sha256:4d749c41af20db8f943d3415cf57d55cc932f3301af10aca65cf8cda90e67b23
############################################################################################################################################################# 100.0%
==> docker-completion--27.2.1.all.bottle.tar.gz has a valid attestation

Could you confirm that your local brew installation is up-to-date?

@GV14982

GV14982 commented Sep 12, 2024

Here is the output from running brew update:

❯ brew update
==> Updating Homebrew...
==> Updated Homebrew from 9042eb9347 to fd7f2bb3b1.
No changes to formulae or casks.

And brew -v

❯ brew -v
Homebrew 4.3.21-4-gfd7f2bb

@thomaswitt

thomaswitt commented Sep 13, 2024

Same problems here with libxml2, ripgrep, python@3.11, ollama, etc… (brew update & brew upgrade run)

==> Upgrading ollama
  0.3.9 -> 0.3.10
==> Verifying attestation for ollama
Error: The bottle for ollama has an invalid build provenance attestation.

This may indicate that the bottle was not produced by the expected
tap, or was maliciously inserted into the expected tap's bottle
storage.

Additional context:

attestation verification failed: Failure while executing; `/usr/bin/env GH_TOKEN=****** GH_HOST=github.com /opt/homebrew/bin/gh attestation verify /Users/thomas/Library/Caches/Homebrew/downloads/4f1ea492d5a0182cac71715ef4278cce9759dc013bad9e742a07ff8ed5f3a829--ollama--0.3.10.arm64_sonoma.bottle.tar.gz --repo Homebrew/homebrew-core --format json` exited with 1. Here's the output:

Error: failed to find recognized issuer from bundle content: failed to create Public Good Sigstore verifier: failed to create TUF client: tuf refresh failed: Get "https://tuf-repo-cdn.sigstore.dev/10.root.json": dial tcp 127.0.0.1:443: connect: connection refused

@Homebrew Homebrew deleted a comment from GIgako19929 Sep 15, 2024
@Homebrew Homebrew deleted a comment from GIgako19929 Sep 15, 2024