deps: replace sigstore-verification with sigstore-verify to kill vulns#8064
deps: replace sigstore-verification with sigstore-verify to kill vulns#8064codefromthecrypt merged 1 commit intomainfrom
Conversation
Signed-off-by: Adrian Cole <[email protected]>
codefromthecrypt
force-pushed
the
fix/cargo-deny-advisories
branch
from
bcbf574 to
5acfef4
Compare
|
FYI, I raised this on a shared branch as this is a dev zero thing, but I am way over time budget. I hope it helps get the build green soon. whoever can take over and do what they want with this including closing. |
|
AWS dependencies - the gift that keeps on giving. really wish we could drop bedrock for good - can't they just use standard apis? why 100s of transitive deps? |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 5acfef40d8
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| } | ||
| }; | ||
|
|
||
| let trusted_root = TrustedRoot::production().context("Failed to load Sigstore trusted root")?; |
There was a problem hiding this comment.
Using TrustedRoot::production() hardcodes the current Sigstore public-good trust anchors into the binary. GitHub’s attestation flow rotates Fulcio/Rekor/CT/TSA keys over time, so after the next routine root update any older goose build will start rejecting legitimately signed releases and goose update becomes a dead end until the user reinstalls manually. The previous verifier path refreshed trust material via TUF; this replacement needs the same online refresh behavior to keep self-updates working long-term.
Useful? React with 👍 / 👎.
|
@michaelneale seems bedrock wants to be openai'ish, so if we have critical mass probably dump it for their openai endpoints? https://aws.amazon.com/about-aws/whats-new/2025/12/amazon-bedrock-responses-api-from-openai/ |
* main: deps: replace sigstore-verification with sigstore-verify to kill vulns (#8064)
* origin/main: (62 commits) Tweak the release process: no more merge to main (#7994) fix: gemini models via databricks (#8042) feat(apps): Pass toolInfo to MCP Apps via hostContext (#7506) fix: remove configured marker when deleting oauth provider configuration (#7887) docs: add vmware-aiops MCP extension documentation (#8055) Show setup instructions for ACP providers in settings modal (#8065) deps: replace sigstore-verification with sigstore-verify to kill vulns (#8064) feat(acp): add session/set_config and stabilize list, delete and close (#7984) docs: Correct `gosoe` typo to `goose` (#8062) fix: use default provider and model when provider in session no longer exists (#8035) feat: add GOOSE_SHELL env var to configure preferred shell (#7909) fix(desktop): fullscreen header bar + always-visible close controls (#8033) docs: add Claude Code approve mode permission routing documentation (#7949) chatgpt_codex: Support reasoning and gpt-5.4 (#7941) refactor(anthropic): fix N+1 thinking message storage issue (#7958) fix: handle mid-stream error events in OpenAI SSE streaming (#8031) Fix apps extension: coerce string arguments from inner LLM responses (#8030) feat: ability to expand sidebar to see chats names (#7816) Fix config for GOOSE_MAX_BACKGROUND_TASKS (#7940) set MACOSX_DEPLOYMENT_TARGET=12.0 (#7947) ...
…pstream * wpfleger/socket-support: (62 commits) Tweak the release process: no more merge to main (#7994) fix: gemini models via databricks (#8042) feat(apps): Pass toolInfo to MCP Apps via hostContext (#7506) fix: remove configured marker when deleting oauth provider configuration (#7887) docs: add vmware-aiops MCP extension documentation (#8055) Show setup instructions for ACP providers in settings modal (#8065) deps: replace sigstore-verification with sigstore-verify to kill vulns (#8064) feat(acp): add session/set_config and stabilize list, delete and close (#7984) docs: Correct `gosoe` typo to `goose` (#8062) fix: use default provider and model when provider in session no longer exists (#8035) feat: add GOOSE_SHELL env var to configure preferred shell (#7909) fix(desktop): fullscreen header bar + always-visible close controls (#8033) docs: add Claude Code approve mode permission routing documentation (#7949) chatgpt_codex: Support reasoning and gpt-5.4 (#7941) refactor(anthropic): fix N+1 thinking message storage issue (#7958) fix: handle mid-stream error events in OpenAI SSE streaming (#8031) Fix apps extension: coerce string arguments from inner LLM responses (#8030) feat: ability to expand sidebar to see chats names (#7816) Fix config for GOOSE_MAX_BACKGROUND_TASKS (#7940) set MACOSX_DEPLOYMENT_TARGET=12.0 (#7947) ...
* main: (37 commits) fix: handle reasoning content blocks in OpenAI-compat streaming parser (#8078) chore(acp): build native packages on latest mac (#8075) Display delegate sub agents logs in UI (#7519) Update tar version to avoid CVE-2026-33056 (#8073) refactor: consolidate duplicated dependencies into workspace (#8041) tui: set up for publishing via github actions (#8020) feat: feature-gate local inference dependencies (#7976) feat: ability to manage sub recipes in desktop ui (#6360) Tweak the release process: no more merge to main (#7994) fix: gemini models via databricks (#8042) feat(apps): Pass toolInfo to MCP Apps via hostContext (#7506) fix: remove configured marker when deleting oauth provider configuration (#7887) docs: add vmware-aiops MCP extension documentation (#8055) Show setup instructions for ACP providers in settings modal (#8065) deps: replace sigstore-verification with sigstore-verify to kill vulns (#8064) feat(acp): add session/set_config and stabilize list, delete and close (#7984) docs: Correct `gosoe` typo to `goose` (#8062) fix: use default provider and model when provider in session no longer exists (#8035) feat: add GOOSE_SHELL env var to configure preferred shell (#7909) fix(desktop): fullscreen header bar + always-visible close controls (#8033) ...
3 participants
Summary
Cargo Deny is red on main due to four RustSec advisories.
Three are
cargo updatebumps, the fourth (rsa, Marvin Attack) has no patched release caused bysigstore-verification.This replaces
sigstore-verificationwithsigstore-verifywhich usesaws-lc-rsinstead ofrsa.We get a clean run due to 1k fewer lines of
Cargo.lock. They payment is ~30 lines of reqwest to call GitHub API directly.Type of Change
AI Assistance
Testing
$ GH_TOKEN=$(gh auth token) cargo run -p goose-cli --bin goose -- update Downloading goose-aarch64-apple-darwin.tar.bz2 from stable release... Downloaded 61602128 bytes. Archive SHA-256: bfa03a01b5e9bd97fbdf9f7d635850f46f73f62f74aedbf423fe5aa57bcf17f5 Verifying SLSA provenance via Sigstore... Sigstore provenance verification passed. goose updated successfully (verified with Sigstore SLSA provenance).Related Issues
Fixes the red Cargo Deny CI build
Builds on #7818