gh attestation verify JSON output includes incorrectly-formatted in-toto attestation
Describe the bug
The output of gh attestation verify with the --format json flag produces a result structure with an incorrectly-formatted in-toto attestation.
For example, the field predicateType is called predicate_type in the output, which isn't correct according to the spec.
This can be observed using this command:
gh attestation verify oci://ghcr.io/github/artifact-attestations-helm-charts/trust-policies:v0.6.2 --owner github --format json --jq .[0].verificationResult.statement
gh version:
▶ gh --version
gh version 2.59.0 (2024-10-15)
https://github.com/cli/cli/releases/tag/v2.59.0
The root cause is a problem with JSON encoding described in this issue: in-toto/attestation#363
Related issue in sigstore-go: sigstore/sigstore-go#365
This should be fixed by sigstore/sigstore-go#366. After it is merged, a release will be cut, and gh may update to that version of sigstore-go.
Steps to reproduce the behavior
- Type this '...'
- View the output '....'
- See error
Expected vs actual behavior
A clear and concise description of what you expected to happen and what actually happened.
Logs
Paste the activity from your command line. Redact if needed.