This release partially mitigates GitHub attestation verification failures that were causing tool installations to fail (e.g., gh, and other aqua-backed tools with attestations enabled). See #8142 for details.
What happened
GitHub silently changed their attestations API to externalize bundle storage to Azure Blob Storage (tmaproduction.blob.core.windows.net) using Snappy compression, rather than returning bundles inline as JSON. The gh CLI had already been updated to handle this (cli/cli#10185), but third-party tools like mise were not yet aware of the new format, causing "error decoding response body" failures.
What this release does
Bumps sigstore-verification to 0.2, which splits the reqwest dependency version from mise's (0.13 vs 0.12). This avoids Cargo feature unification that was causing mise's gzip feature to be applied to attestation requests, interfering with the Snappy-compressed responses.
Note: A full fix with proper Snappy decompression support and auth token scoping landed in sigstore-verification v0.2.1 (#22, #23) — expect a follow-up mise release with that bump.
If you are still hitting issues, set settings.aqua.github_attestations = false as a workaround.
Dependency Updates
- Bumped sigstore-verification to 0.2 (e8897c9)