
Version 0.4.47 changed checksum #858

Open
SMillerDev opened this issue Feb 9, 2025 · 17 comments

@SMillerDev

Was the repo compromised recently? The git manual says re-tagging is "the insane thing" to do, but somehow the artifact that Homebrew downloaded when it added 0.4.47 is no longer the same as the artifact that is served for that version now.

@michaelquigley
Collaborator

michaelquigley commented Feb 9, 2025

I'd have to try and dig into the details, but I feel like we ran into a similar issue with an earlier v0.4.x version. I don't think it had/has anything to do with the git repo itself (as far as I know, it definitely has not been compromised, and the tag has not moved). It was something involving the homebrew build process itself (I believe). Not sure that what zrok is doing to vend to homebrew is optimal.

Will try and dig into this a little this week. If you have any additional insight, let me know. It'll take a little time for me to context-switch onto the homebrew build process (I didn't set it up).

@michaelquigley michaelquigley self-assigned this Feb 9, 2025
@michaelquigley michaelquigley added spike Requires R&D; figure it out evidence Supporting evidence for a change labels Feb 9, 2025
@michaelquigley michaelquigley added this to the v0.4 milestone Feb 9, 2025
@SMillerDev
Author

It was something involving the homebrew build process itself

The issue I see now happens before the build. The download from GitHub is different than what it was before when we compare the checksum.

Will try and dig into this a little this week.

Thanks, let me know if you need any homebrew info.

@stefanb

stefanb commented Feb 9, 2025

In case of moving the tags the release.yml workflow would be triggered multiple times by the tag push on the same tag ref, but logs https://github.com/openziti/zrok/actions/workflows/release.yml don't support this:

@michaelquigley
Collaborator

Again, I'll have to dig into this when I'm back in the office tomorrow... but I feel like I remember a similar/same issue a few months back. I believe someone even opened up a ticket with Github (the file contents somehow changed) and there was never any resolution that I remember.

For homebrew users I'm assuming this primarily manifests as a suspicious code integrity issue? If not, how does it manifest?

@michaelquigley
Collaborator

I didn't work on the original homebrew integration for zrok, so I'm not very aware of what's going on there. If we're doing something that could be improved, I would certainly be open to suggestions...

@cho-m

cho-m commented Feb 9, 2025

One thing to check is if .gitattributes are consistently substituted.

For example, the values at:

    git_refnames = "$Format:%d$"
    git_full = "$Format:%H$"
    git_date = "$Format:%ci$"

Current tarball is:

    git_refnames = " (tag: v0.4.47)"
    git_full = "030c87aa4b3c6ced6d4134ad22416d50b43fab09"
    git_date = "2025-01-31 10:44:26 -0500"

Not sure, but %d could potentially contain info on branch if tag aligns with HEAD.

At least if you generate off of current HEAD (https://github.com/openziti/zrok/archive/93dd468b29d365d0da7eee2f182b8f777f3dbf6c.tar.gz), it will look like:

    git_refnames = " (HEAD -> main)"
    git_full = "93dd468b29d365d0da7eee2f182b8f777f3dbf6c"
    git_date = "2025-02-05 08:48:45 -0500"

@michaelquigley
Collaborator

One thing to check is if .gitattributes are consistently substituted.

We always release zrok off a tag on main. It's almost always the HEAD.

@cho-m

cho-m commented Feb 10, 2025

We always release zrok off a tag on main. It's almost always the HEAD.

The part to check is what happens when the commit is no longer HEAD vs. when it is HEAD.

Specifically, see if git archive goes from git_refnames = " (HEAD -> main, tag: v0.4.47)" to git_refnames = " (tag: v0.4.47)" which would cause a checksum change.

@michaelquigley
Collaborator

We always release zrok off a tag on main. It's almost always the HEAD.

The part to check is what happens when the commit is no longer HEAD vs. when it is HEAD.

Specifically, see if git archive goes from git_refnames = " (HEAD -> main, tag: v0.4.47)" to git_refnames = " (tag: v0.4.47)" which would cause a checksum change.

I'll give that a look... sounds like it could plausibly be an issue here.

@michaelquigley
Collaborator

michaelquigley commented Feb 10, 2025

Apologies for not being more up-to-speed on how homebrew works... but what checksum is homebrew looking at that's not valid? The action appears to use mislav/[email protected]:

    name: Homebrew Bump

    on:
      release:
        types: [released]

    jobs:
      update-brew:
        if: github.repository_owner == 'openziti'
        runs-on: ubuntu-latest
        steps:
          - name: Extract Version
            id: extract-version
            run: |
              echo "tag-name=${GITHUB_REF#refs/tags/}" | tee -a ${GITHUB_OUTPUT}

          - uses: mislav/[email protected]
            if: ${{ !contains(github.ref, '-') }}
            with:
              formula-name: zrok
              download-url: https://github.com/openziti/zrok/archive/refs/tags/${{ steps.extract-version.outputs.tag-name }}.tar.gz

It's working with https://github.com/openziti/zrok/archive/refs/tags/v0.4.47.tar.gz... and the checksum of this is somehow changing between two time periods? I would expect that the contents of that tarball would be stable for v0.4.47... what we're saying is that somehow that tarball is changing depending on when the archive is downloaded (and potentially .gitattributes substitutions being somehow different)?

And because these checksums are different, the initial reaction might be "hey, the tag moved!", correct?

@cho-m

cho-m commented Feb 10, 2025

what checksum is homebrew looking at that's not valid?

The GitHub archive: https://github.com/openziti/zrok/archive/refs/tags/v0.4.47.tar.gz

and the checksum of this is somehow changing between two time periods? I would expect that the contents of that tarball would be stable for v0.4.47... what we're saying is that somehow that tarball is changing depending on when the archive is downloaded (and potentially .gitattributes substitutions being somehow different)?

Yes, the SHA256 checksum is different from time of original release and now.

GitHub archive is not a fixed uploaded tarball. Instead, it gets generated on demand, so it can be impacted by things like gitattributes.

GitHub's recommendation for stability is to upload tarball as a release asset - https://github.blog/changelog/2023-01-30-git-archive-checksums-may-change/

And because these checksums are different, the initial reaction might be "hey, the tag moved!", correct?

Re-tag is the most common reason we've seen.

Mainly verified to avoid worst case situation, e.g. security issue from compromised tarball.


Outside of Homebrew, looks like Termux saw similar issue in 0.4.45 - termux/termux-packages@5a8834f

@michaelquigley
Collaborator

GitHub's recommendation for stability is to upload tarball as a release asset - https://github.blog/changelog/2023-01-30-git-archive-checksums-may-change/

This sounds like it might be the best way to fix this issue to prevent it from reoccurring. I'll get that in the backlog and try to address it before we ship v1.0.0 (which is imminent within a few weeks).

Assuming the linked homebrew issue will get this working again for homebrew users in the short term? There might be another v0.4 release before v1.0.0 goes out the door. If so, hopefully we'll be okay. This doesn't seem to happen with every release (or we don't hear about it if it does).

@michaelquigley
Collaborator

#861

@cho-m

cho-m commented Feb 12, 2025

Looking at new 0.4.48 tarball, .gitattributes looks likely.

As reference, the tarball has sdk/python/sdk/zrok/zrok/_version.py with:

    git_refnames = " (HEAD -> main, tag: v0.4.48)"
    git_full = "2b1c7655863e37b1d67b2121be05f0d2638145be"
    git_date = "2025-02-12 12:42:19 -0500"

Can compare with tarball after a new commit is HEAD.
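The comparison cho-m describes in this comment and the one above (same tag, archive fetched before and after a newer commit becomes HEAD), as an added example that is not code from zrok, Homebrew or any commenter: it masks the export-subst `git_refnames` line and reports whether the rest of the archive is unchanged. The `_version.py` contents and paths are constructed from the values quoted in this thread; the triage logic is my own suggestion, not a Homebrew check.

```python
"""Triage a checksum change in a GitHub auto-generated source archive.

Added example, not zrok's or Homebrew's own code: compares two archives of the
same tag and reports whether they differ only in the git export-subst line cho-m
points at above (git_refnames loses "HEAD -> main" once the tag is no longer
the tip of main) or in real file content. Inputs are constructed in memory.
"""
import hashlib
import io
import re
import tarfile

# Value substituted for $Format:%d$ by git archive; expected to drift, so masked.
REFNAMES_RE = re.compile(rb'^([ \t]*git_refnames = )"[^"\n]*"', re.MULTILINE)


def make_archive(files):
    """Deterministic uncompressed tar from {path: bytes} (constructed input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in sorted(files.items()):
            info = tarfile.TarInfo(path)
            info.size, info.mtime = len(data), 0
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_archive(blob):
    """{path: bytes} for every regular file in a tar or tar.gz blob."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        return {m.name: tar.extractfile(m).read() for m in tar.getmembers() if m.isfile()}


def mask_export_subst(data):
    return REFNAMES_RE.sub(rb'\1"<export-subst>"', data)


def triage(old_blob, new_blob):
    """Return ('same' | 'export-subst-drift' | 'content-changed', changed_paths)."""
    if hashlib.sha256(old_blob).digest() == hashlib.sha256(new_blob).digest():
        return "same", []
    old, new = read_archive(old_blob), read_archive(new_blob)
    changed = sorted(p for p in set(old) | set(new) if old.get(p) != new.get(p))
    drift_only = all(
        p in old and p in new and mask_export_subst(old[p]) == mask_export_subst(new[p])
        for p in changed
    )
    return ("export-subst-drift" if drift_only else "content-changed"), changed


# Constructed samples modelled on the _version.py values quoted in this thread.
AT_RELEASE = (b'git_refnames = " (HEAD -> main, tag: v0.4.48)"\n'
              b'git_full = "2b1c7655863e37b1d67b2121be05f0d2638145be"\n'
              b'git_date = "2025-02-12 12:42:19 -0500"\n')
LATER = AT_RELEASE.replace(b"HEAD -> main, ", b"")  # same commit, no longer HEAD
VERSION_PATH = "zrok-0.4.48/sdk/python/sdk/zrok/zrok/_version.py"
RELEASE_TAR = make_archive({VERSION_PATH: AT_RELEASE, "zrok-0.4.48/main.go": b"package main\n"})
DRIFTED_TAR = make_archive({VERSION_PATH: LATER, "zrok-0.4.48/main.go": b"package main\n"})
ALTERED_TAR = make_archive({VERSION_PATH: LATER, "zrok-0.4.48/main.go": b"package main // edited\n"})
```

`triage(RELEASE_TAR, DRIFTED_TAR)` reports drift confined to `_version.py`, while `ALTERED_TAR` is flagged as a real content change; only the latter warrants treating the archive as suspect.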

@qrkourier
Member

qrkourier commented Feb 21, 2025

Does the built-in attestation verifier work on macOS? I tested it successfully on Linux with Linuxbrew.

    ❯ brew verify zrok
    ==> Downloading https://ghcr.io/v2/homebrew/core/zrok/blobs/sha256:afed55f742fe5dcbb8db3af7779d47b0a904825333644c0033f89f898f7d1d39
    Already downloaded: /home/kbingham/.cache/Homebrew/downloads/7949510b73a0303c9f5f58a264e3883372216757d87759a795df0c609b8eb854--zrok--0.4.48.x86_64_linux.bottle.tar.gz
    ==> zrok--0.4.48.x86_64_linux.bottle.tar.gz has a valid attestation

@SMillerDev
Author

That verifies the provenance of the Homebrew build, not the provenance or checksum of the source that it was built from.

@qrkourier
Member

@SMillerDev

Understood, and thanks for clarifying that. Do you need a way to link a Homebrew bottle to a GitHub commit hash from a verified author? Is your use case non-interactive?

I'm working on publishing GitHub Attestations for release binaries, SBOMs, checksums, container images, etc. In the Homebrew attestation copied below, I didn't see the Git commit hash or GitHub author of the release, and I'm guessing we could expand the in-toto predicate statements to include those.

Even if not, then the brew verify and gh attestation verify commands, taken together, would link the bottle to the commit hash and verify the author of the commit.

Here's the Homebrew attestation.

[
	{
		"attestation": {
			"bundle": {
				"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
				"verificationMaterial": {
					"certificate": {
					},
					"tlogEntries": [
						{
							"logIndex": "170709799",
							"logId": {
								"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="
							},
							"kindVersion": {
								"kind": "dsse",
								"version": "0.0.1"
							},
							"integratedTime": "1739385843",
							"inclusionPromise": {
								"signedEntryTimestamp": "MEUCIQC1j8s2lXWUsD+zuXXDWd52mIa6GOM42oNnfwoPWSK6ywIgJxsKHQJPuiM9ivBosXxNoX2xy30VFywmcCm/ch4waWQ="
							},
							"inclusionProof": {
								"logIndex": "48805537",
								"rootHash": "Y+dpkpgi1q8S/vgQvK3eQYZ/UoFFFn5D63GzLgsxRb0=",
								"treeSize": "48805538",
								"hashes": [
								],
								"checkpoint": {
									"envelope": "rekor.sigstore.dev - 1193050959916656506\n48805538\nY+dpkpgi1q8S/vgQvK3eQYZ/UoFFFn5D63GzLgsxRb0=\n\n— rekor.sigstore.dev wNI9ajBFAiEApGIKxeSWWbNrvCHLIapK9NnFJAeo1Httfd4R3AhPSzMCIDbfM8PQML7RPHM/xVmvsBwJTyd/IkdxlEOW+RU0+Ge5\n"
								}
							},
						}
					],
					"timestampVerificationData": {

					}
				},
				"dsseEnvelope": {
					"payloadType": "application/vnd.in-toto+json",
					"signatures": [
						{
							"sig": "MEYCIQDEIBMChE4KVzv2vpLprXC0QqMcYatUq8PtusV8dV6C0QIhAIb0xky/vUUvt36Ts3EfVqzUA7+a4R0agVrgyMYYzfHV"
						}
					]
				}
			},
			"bundle_url": ""
		},
		"verificationResult": {
			"mediaType": "application/vnd.dev.sigstore.verificationresult+json;version=0.1",
			"signature": {
				"certificate": {
					"certificateIssuer": "CN=sigstore-intermediate,O=sigstore.dev",
					"subjectAlternativeName": "https://github.com/Homebrew/homebrew-core/.github/workflows/publish-commit-bottles.yml@refs/heads/master",
					"issuer": "https://token.actions.githubusercontent.com",
					"githubWorkflowTrigger": "workflow_dispatch",
					"githubWorkflowSHA": "f8d5df1c79599a0dc2d19d4056e1b89b9d68a117",
					"githubWorkflowName": "Publish and commit bottles",
					"githubWorkflowRepository": "Homebrew/homebrew-core",
					"githubWorkflowRef": "refs/heads/master",
					"buildSignerURI": "https://github.com/Homebrew/homebrew-core/.github/workflows/publish-commit-bottles.yml@refs/heads/master",
					"buildSignerDigest": "f8d5df1c79599a0dc2d19d4056e1b89b9d68a117",
					"runnerEnvironment": "github-hosted",
					"sourceRepositoryURI": "https://github.com/Homebrew/homebrew-core",
					"sourceRepositoryDigest": "f8d5df1c79599a0dc2d19d4056e1b89b9d68a117",
					"sourceRepositoryRef": "refs/heads/master",
					"sourceRepositoryIdentifier": "52855516",
					"sourceRepositoryOwnerURI": "https://github.com/Homebrew",
					"sourceRepositoryOwnerIdentifier": "1503512",
					"buildConfigURI": "https://github.com/Homebrew/homebrew-core/.github/workflows/publish-commit-bottles.yml@refs/heads/master",
					"buildConfigDigest": "f8d5df1c79599a0dc2d19d4056e1b89b9d68a117",
					"buildTrigger": "workflow_dispatch",
					"runInvocationURI": "https://github.com/Homebrew/homebrew-core/actions/runs/13292550244/attempts/1",
					"sourceRepositoryVisibilityAtSigning": "public"
				}
			},
			"verifiedTimestamps": [
				{
					"type": "Tlog",
					"uri": "https://rekor.sigstore.dev",
					"timestamp": "2025-02-12T13:44:03-05:00"
				}
			],
			"verifiedIdentity": {
				"subjectAlternativeName": {
					"subjectAlternativeName": "",
					"regexp": "(?i)^https://github.com/Homebrew/homebrew-core/"
				},
				"issuer": {
					"issuer": "",
					"regexp": ".*"
				}
			},
			"statement": {
				"_type": "https://in-toto.io/Statement/v1",
				"subject": [
					{
						"name": "zrok--0.4.48.arm64_sequoia.bottle.tar.gz",
						"digest": {
							"sha256": "461c41aa835b4230ac14a4750091c6a36f9a13d4e34ed8ab3c6fb879726cd804"
						}
					},
					{
						"name": "zrok--0.4.48.arm64_sonoma.bottle.tar.gz",
						"digest": {
							"sha256": "15d01ee6fa23035816ac55f48a5d5453b50536647e34dd64bec013c2b0a8c90c"
						}
					},
					{
						"name": "zrok--0.4.48.arm64_ventura.bottle.tar.gz",
						"digest": {
							"sha256": "87fcfe3e4bcc472d35d34f4933149462c3119948d16e81ec5ce20ca066de3ff4"
						}
					},
					{
						"name": "zrok--0.4.48.sonoma.bottle.tar.gz",
						"digest": {
							"sha256": "79a40907ddb8e6b65a9a3645f090e86279dddcd333701f0b07a8104f999fdb08"
						}
					},
					{
						"name": "zrok--0.4.48.ventura.bottle.tar.gz",
						"digest": {
							"sha256": "c44d1cc576808a715b7089a1a09d27c06bdb52d75fbc5b86c178cfd46e3000e1"
						}
					},
					{
						"name": "zrok--0.4.48.x86_64_linux.bottle.tar.gz",
						"digest": {
							"sha256": "afed55f742fe5dcbb8db3af7779d47b0a904825333644c0033f89f898f7d1d39"
						}
					}
				],
				"predicateType": "https://slsa.dev/provenance/v1",
				"predicate": {
					"buildDefinition": {
						"buildType": "https://actions.github.io/buildtypes/workflow/v1",
						"externalParameters": {
							"workflow": {
								"path": ".github/workflows/publish-commit-bottles.yml",
								"ref": "refs/heads/master",
								"repository": "https://github.com/Homebrew/homebrew-core"
							}
						},
						"internalParameters": {
							"github": {
								"event_name": "workflow_dispatch",
								"repository_id": "52855516",
								"repository_owner_id": "1503512",
								"runner_environment": "github-hosted"
							}
						},
						"resolvedDependencies": [
							{
								"digest": {
									"gitCommit": "f8d5df1c79599a0dc2d19d4056e1b89b9d68a117"
								},
								"uri": "git+https://github.com/Homebrew/homebrew-core@refs/heads/master"
							}
						]
					},
					"runDetails": {
						"builder": {
							"id": "https://github.com/Homebrew/homebrew-core/.github/workflows/publish-commit-bottles.yml@refs/heads/master"
						},
						"metadata": {
							"invocationId": "https://github.com/Homebrew/homebrew-core/actions/runs/13292550244/attempts/1"
						}
					}
				}
			}
		}
	}
]
