Failed to verify the artifact: failed to fetch attestations for subject

[DL6ER]

Describe the bug

We just added attestation building to our workflow to join the beta.

Steps to reproduce the behavior

1. Added steps to build job as described in the docs (pi-hole/FTL@633b825)
2. Job built fine and resulted in an attestation as expected: https://github.com/pi-hole/FTL/attestations/793098
3. Downloading the binary and running gh attestation verify pihole-FTL-amd64 is expected to work, but we get

   Failed to verify the artifact: failed to fetch attestations for subject: sha256:...
   

4. Also tried downloading the JSON from the attestations page above and validating using this file but the same error occurs.

Expected vs actual behavior

Expect attestation to be validated. The sha256sum of the built and downloaded binaries match:

67e7d2451a29ff3cd21c4a7c489ac4b1d43993f4a69bf9fbe989dda47f24685e  pihole-FTL-amd64

Logs

# gh attestation verify pihole-FTL-amd64 --owner pi-hole
Verifying attestations for the artifact found at file://pihole-FTL-amd64
Failed to verify the artifact: failed to fetch attestations for subject: sha256:67e7d2451a29ff3cd21c4a7c489ac4b1d43993f4a69bf9fbe989dda47f24685e

# gh attestation verify pihole-FTL-amd64 --repo pi-hole/FTL
Verifying attestations for the artifact found at file://pihole-FTL-amd64
Failed to verify the artifact: failed to fetch attestations for subject: sha256:67e7d2451a29ff3cd21c4a7c489ac4b1d43993f4a69bf9fbe989dda47f24685e

gh attestation verify pihole-FTL-amd64 --owner pi-hole --bundle ./pi-hole-FTL-attestation-793098.sigstore.json
Verifying attestations for the artifact found at file://pihole-FTL-amd64
Failed to verify the artifact: failed to fetch attestations for subject: sha256:67e7d2451a29ff3cd21c4a7c489ac4b1d43993f4a69bf9fbe989dda47f24685e

Files for reproduction

• pihole-FTL-amd64
• pi-hole-FTL-attestation-793098.sigstore.json

[kommendorkapten]

I believe this is due to an older version of gh being used. See below for my local attempt:

$ gh attestation verify pihole-FTL-amd64 --owner pi-hole --bundle ./pi-hole-FTL-attestation-793098.sigstore.json
Loaded digest sha256:67e7d2451a29ff3cd21c4a7c489ac4b1d43993f4a69bf9fbe989dda47f24685e for file://pihole-FTL-amd64
Loaded 1 attestation from pi-hole-FTL-attestation-793098.sigstore.json
✓ Verification succeeded!

sha256:67e7d2451a29ff3cd21c4a7c489ac4b1d43993f4a69bf9fbe989dda47f24685e was attested by:
REPO         PREDICATE_TYPE                  WORKFLOW
pi-hole/FTL  https://slsa.dev/provenance/v1  .github/workflows/build.yml@refs/heads/new/artifact_attestations
$ gh version
gh version 2.49.0 (2024-04-30)
https://github.com/cli/cli/releases/tag/v2.49.0

[DL6ER]

Good to know. I've been trying with github-cli@community on alpine which promised to be (more) recent. I'll soon retest with a more recent version...

[DL6ER]

Confirmed working locally with v2.49.2