sigstore-js
Sigstore v1.9 not compatible with previous v1.8 integration
Description
Hi! In slsa-github-generator, we use Sigstore to generate and verify our signing tokens. Our workflows were working with Sigstore v1.8, however, when we upgraded to v1.9, we experienced issues with the generation and verification of the signing tokens. We were curious if this backwards incompatibility was intentional or not.
The first issue for us lies within the sign function. In this workflow, we see that in v1.9, our sigstore.sign function fails, not identifying that it is in a GHA workflow.
However, the attest function also has the same issue. In this workflow run, we use the v1.8 version of sign but use the v1.9 version of sigstore.attest, and have the same issue of not identifying that it is in a GHA workflow on a later job.
Is this functionality the intended behavior? Thank you!
Version
Issues with Sigstore v1.9
Expected behavior with Sigstore v1.8