Problem
For trust = "sigstore" (the default), the installer verifies the Sigstore attestation only when gh >= 2.49.0 is resolvable. If gh is missing or too old, the install proceeds on sha256 alone with a one-time warning — it does not fail closed.
internal/installer/installer.go:608 — needAttest := bin.EffectiveTrust()==TrustSigstore && v != nil && v.Available()internal/installer/attestation.go:62-68 — warn-and-continue when unavailableinternal/installer/attestation.go:127-136 — findGh already prefers ~/.gale/current/bin/gh
Why it matters (keystone)
While that fallback exists, the sha256 in .binaries.toml — fetched unauthenticated from raw.githubusercontent.com/.../main — is a trusted security input, not a convenience index. A compromise of the gale-recipes main branch could repoint installs via sha256 on any host without a current gh; attestation would not catch it there.
This is the keystone for simplifying gale-recipes' in-repo bookkeeping: once attestation is the gate (fail-closed), .binaries.toml demotes to a cache/discovery index and the ledger + daily coherence audit become defense-in-depth rather than the boundary.
Proposal
- For
trust = "sigstore", treat a missing/old verifier as a hard error, not a warning.
- Guarantee a verifying
gh is present (gale already prefers ~/.gale/current/bin/gh and can ship gh as a dependency); fail closed if absent.
- Keep
trust = "sha256-only" as the explicit opt-out for upstreams without attestations.
Acceptance
- Installing a
sigstore-trust binary on a host with no/old gh fails with a clear error instead of warning + proceeding.
sha256-only recipes unaffected.
Problem
For
trust = "sigstore"(the default), the installer verifies the Sigstore attestation only whengh >= 2.49.0is resolvable. Ifghis missing or too old, the install proceeds on sha256 alone with a one-time warning — it does not fail closed.internal/installer/installer.go:608—needAttest := bin.EffectiveTrust()==TrustSigstore && v != nil && v.Available()internal/installer/attestation.go:62-68— warn-and-continue when unavailableinternal/installer/attestation.go:127-136—findGhalready prefers~/.gale/current/bin/ghWhy it matters (keystone)
While that fallback exists, the sha256 in
.binaries.toml— fetched unauthenticated fromraw.githubusercontent.com/.../main— is a trusted security input, not a convenience index. A compromise of the gale-recipes main branch could repoint installs via sha256 on any host without a currentgh; attestation would not catch it there.This is the keystone for simplifying gale-recipes' in-repo bookkeeping: once attestation is the gate (fail-closed),
.binaries.tomldemotes to a cache/discovery index and the ledger + daily coherence audit become defense-in-depth rather than the boundary.Proposal
trust = "sigstore", treat a missing/old verifier as a hard error, not a warning.ghis present (gale already prefers~/.gale/current/bin/ghand can shipghas a dependency); fail closed if absent.trust = "sha256-only"as the explicit opt-out for upstreams without attestations.Acceptance
sigstore-trust binary on a host with no/oldghfails with a clear error instead of warning + proceeding.sha256-onlyrecipes unaffected.