From f6ae402f458b347d2c414f1d053fc1f8257888d0 Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Mon, 2 Oct 2023 10:12:51 -0700 Subject: [PATCH] fix: npm publish verification (#705) - adding support for IEEE P1363 formatted signatures - fix the npm publish attestation bug. The verification always returned success, because it was not using PAE signature --------- Signed-off-by: laurentsimon
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Co-authored-by: Ian Lewis Co-authored-by: Trishank Karthik Kuppusamy --- cli/slsa-verifier/main_regression_test.go | 303 ++++++++++++++++++ ...-npm-test-cli-v02-prega-invalidsigprov.tgz | Bin 0 -> 7120 bytes ...test-cli-v02-prega-invalidsigprov.tgz.json | 1 + ...e-npm-test-cli-v02-prega-invalidsigpub.tgz | Bin 0 -> 7120 bytes ...-test-cli-v02-prega-invalidsigpub.tgz.json | 1 + .../gha/provenance-npm-test-cli-v02-prega.tgz | Bin 0 -> 7120 bytes ...provenance-npm-test-cli-v02-prega.tgz.json | 1 + ...rovenance-npm-test-ossf-invalidsigprov.tgz | Bin 0 -> 7304 bytes ...ance-npm-test-ossf-invalidsigprov.tgz.json | 1 + ...provenance-npm-test-ossf-invalidsigpub.tgz | Bin 0 -> 7304 bytes ...nance-npm-test-ossf-invalidsigpub.tgz.json | 1 + .../npm/gha/provenance-npm-test-ossf.tgz | Bin 0 -> 7304 bytes .../npm/gha/provenance-npm-test-ossf.tgz.json | 1 + ...eme-googles-cli-v02-tag-invalidsigprov.tgz | Bin 0 -> 1709 bytes ...oogles-cli-v02-tag-invalidsigprov.tgz.json | 1 + ...reme-googles-cli-v02-tag-invalidsigpub.tgz | Bin 0 -> 1709 bytes ...googles-cli-v02-tag-invalidsigpub.tgz.json | 1 + .../npm/gha/supreme-googles-cli-v02-tag.tgz | Bin 0 -> 1709 bytes .../gha/supreme-googles-cli-v02-tag.tgz.json | 1 + errors/errors.go | 1 + verifiers/internal/gha/npm.go | 106 +++--- verifiers/internal/gha/npm_test.go | 172 ++++++++++ ...att-prov-invalid-signature.intoto.sigstore | 94 ++++++ ...-publish-invalid-signature.intoto.sigstore | 94 ++++++ .../npm-att-publish-nodigest.intoto.sigstore | 94 ++++++ ...npm-att-publish-nosubjects.intoto.sigstore | 94 ++++++ verifiers/internal/gha/verifier.go | 19 +- verifiers/utils/dsse.go | 156 ++++++++- 28 files changed, 1091 insertions(+), 51 deletions(-) create mode 100644 cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-cli-v02-prega-invalidsigprov.tgz create mode 100644 cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-cli-v02-prega-invalidsigprov.tgz.json 
create mode 100644 cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-cli-v02-prega-invalidsigpub.tgz create mode 100644 cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-cli-v02-prega-invalidsigpub.tgz.json create mode 100644 cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-cli-v02-prega.tgz create mode 100644 cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-cli-v02-prega.tgz.json create mode 100644 cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-ossf-invalidsigprov.tgz create mode 100644 cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-ossf-invalidsigprov.tgz.json create mode 100644 cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-ossf-invalidsigpub.tgz create mode 100644 cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-ossf-invalidsigpub.tgz.json create mode 100644 cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-ossf.tgz create mode 100644 cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-ossf.tgz.json create mode 100644 cli/slsa-verifier/testdata/npm/gha/supreme-googles-cli-v02-tag-invalidsigprov.tgz create mode 100644 cli/slsa-verifier/testdata/npm/gha/supreme-googles-cli-v02-tag-invalidsigprov.tgz.json create mode 100644 cli/slsa-verifier/testdata/npm/gha/supreme-googles-cli-v02-tag-invalidsigpub.tgz create mode 100644 cli/slsa-verifier/testdata/npm/gha/supreme-googles-cli-v02-tag-invalidsigpub.tgz.json create mode 100644 cli/slsa-verifier/testdata/npm/gha/supreme-googles-cli-v02-tag.tgz create mode 100644 cli/slsa-verifier/testdata/npm/gha/supreme-googles-cli-v02-tag.tgz.json create mode 100644 verifiers/internal/gha/testdata/npm-att-prov-invalid-signature.intoto.sigstore create mode 100644 verifiers/internal/gha/testdata/npm-att-publish-invalid-signature.intoto.sigstore create mode 100644 verifiers/internal/gha/testdata/npm-att-publish-nodigest.intoto.sigstore create mode 100644 verifiers/internal/gha/testdata/npm-att-publish-nosubjects.intoto.sigstore 
diff --git a/cli/slsa-verifier/main_regression_test.go b/cli/slsa-verifier/main_regression_test.go
index ee960778d..ad96602ab 100644
--- a/cli/slsa-verifier/main_regression_test.go
+++ b/cli/slsa-verifier/main_regression_test.go
@@ -1495,3 +1495,306 @@ func Test_runVerifyGHAContainerBased(t *testing.T) { }) } } + +func Test_runVerifyNpmPackage(t *testing.T) { + // We cannot use t.Setenv due to parallelized tests. + os.Setenv("SLSA_VERIFIER_EXPERIMENTAL", "1") + t.Parallel() + + tests := []struct { + name string + artifact string + builderID *string + source string + pkgVersion *string + pkgName *string + err error + }{ + // npm CLI with tag. + { + name: "valid npm CLI builder", + artifact: "supreme-googles-cli-v02-tag.tgz", + source: "github.com/trishankatdatadog/supreme-goggles", + pkgVersion: PointerTo("1.0.5"), + pkgName: PointerTo("@trishankatdatadog/supreme-goggles"), + builderID: PointerTo("https://github.com/actions/runner/github-hosted"), + }, + { + name: "valid npm CLI builder short runner name", + artifact: "supreme-googles-cli-v02-tag.tgz", + source: "github.com/trishankatdatadog/supreme-goggles", + pkgVersion: PointerTo("1.0.5"), + pkgName: PointerTo("@trishankatdatadog/supreme-goggles"), + builderID: PointerTo("https://github.com/actions/runner"), + }, + { + name: "valid npm CLI builder no builder", + artifact: "supreme-googles-cli-v02-tag.tgz", + source: "github.com/trishankatdatadog/supreme-goggles", + pkgVersion: PointerTo("1.0.5"), + pkgName: PointerTo("@trishankatdatadog/supreme-goggles"), + err: serrors.ErrorInvalidBuilderID, + }, + { + name: "valid npm CLI builder mismatch builder", + artifact: "supreme-googles-cli-v02-tag.tgz", + source: "github.com/trishankatdatadog/supreme-goggles", + pkgVersion: PointerTo("1.0.5"), + pkgName: PointerTo("@trishankatdatadog/supreme-goggles"), + builderID: PointerTo("https://github.com/actions/runner2"), + err: serrors.ErrorNotSupported, + }, + { + name: "valid npm CLI builder no package name", + artifact: "supreme-googles-cli-v02-tag.tgz", + source: "github.com/trishankatdatadog/supreme-goggles", + pkgVersion: PointerTo("1.0.5"), + builderID: PointerTo("https://github.com/actions/runner/github-hosted"), + }, + { + name: "valid npm CLI 
builder no package version", + artifact: "supreme-googles-cli-v02-tag.tgz", + source: "github.com/trishankatdatadog/supreme-goggles", + pkgName: PointerTo("@trishankatdatadog/supreme-goggles"), + builderID: PointerTo("https://github.com/actions/runner/github-hosted"), + }, + { + name: "valid npm CLI builder mismatch source", + artifact: "supreme-googles-cli-v02-tag.tgz", + source: "github.com/trishankatdatadog/supreme-goggleS", + pkgVersion: PointerTo("1.0.5"), + pkgName: PointerTo("@trishankatdatadog/supreme-goggles"), + builderID: PointerTo("https://github.com/actions/runner/github-hosted"), + err: serrors.ErrorMismatchSource, + }, + { + name: "valid npm CLI builder mismatch package version", + artifact: "supreme-googles-cli-v02-tag.tgz", + source: "github.com/trishankatdatadog/supreme-goggles", + pkgVersion: PointerTo("1.0.4"), + builderID: PointerTo("https://github.com/actions/runner/github-hosted"), + err: serrors.ErrorMismatchPackageVersion, + }, + { + name: "valid npm CLI builder mismatch package name", + artifact: "supreme-googles-cli-v02-tag.tgz", + source: "github.com/trishankatdatadog/supreme-goggles", + pkgName: PointerTo("@trishankatdatadog/supreme-goggleS"), + builderID: PointerTo("https://github.com/actions/runner/github-hosted"), + err: serrors.ErrorMismatchPackageName, + }, + { + name: "invalid signature provenance npm CLI", + artifact: "supreme-googles-cli-v02-tag-invalidsigprov.tgz", + source: "github.com/trishankatdatadog/supreme-goggles", + pkgName: PointerTo("@trishankatdatadog/supreme-goggles"), + builderID: PointerTo("https://github.com/actions/runner/github-hosted"), + err: serrors.ErrorInvalidSignature, + }, + { + name: "invalid signature provenance npm CLI", + artifact: "supreme-googles-cli-v02-tag-invalidsigpub.tgz", + source: "github.com/trishankatdatadog/supreme-goggles", + pkgName: PointerTo("@trishankatdatadog/supreme-goggles"), + builderID: PointerTo("https://github.com/actions/runner/github-hosted"), + err: 
serrors.ErrorInvalidSignature, + }, + // npm CLI with main branch. + { + name: "valid npm CLI builder", + artifact: "provenance-npm-test-cli-v02-prega.tgz", + source: "github.com/laurentsimon/provenance-npm-test", + pkgVersion: PointerTo("1.0.3"), + pkgName: PointerTo("@laurentsimon/provenance-npm-test"), + builderID: PointerTo("https://github.com/actions/runner/github-hosted"), + }, + { + name: "valid npm CLI builder short runner name", + artifact: "provenance-npm-test-cli-v02-prega.tgz", + source: "github.com/laurentsimon/provenance-npm-test", + pkgVersion: PointerTo("1.0.3"), + pkgName: PointerTo("@laurentsimon/provenance-npm-test"), + builderID: PointerTo("https://github.com/actions/runner"), + }, + { + name: "valid npm CLI builder no builder", + artifact: "provenance-npm-test-cli-v02-prega.tgz", + source: "github.com/laurentsimon/provenance-npm-test", + pkgVersion: PointerTo("1.0.3"), + pkgName: PointerTo("@laurentsimon/provenance-npm-test"), + err: serrors.ErrorInvalidBuilderID, + }, + { + name: "valid npm CLI builder mismatch builder", + artifact: "provenance-npm-test-cli-v02-prega.tgz", + source: "github.com/laurentsimon/provenance-npm-test", + pkgVersion: PointerTo("1.0.3"), + pkgName: PointerTo("@laurentsimon/provenance-npm-test"), + builderID: PointerTo("https://github.com/actions/runner2"), + err: serrors.ErrorNotSupported, + }, + { + name: "valid npm CLI builder no package name", + artifact: "provenance-npm-test-cli-v02-prega.tgz", + pkgVersion: PointerTo("1.0.3"), + source: "github.com/laurentsimon/provenance-npm-test", + builderID: PointerTo("https://github.com/actions/runner/github-hosted"), + }, + { + name: "valid npm CLI builder no package version", + artifact: "provenance-npm-test-cli-v02-prega.tgz", + source: "github.com/laurentsimon/provenance-npm-test", + pkgName: PointerTo("@laurentsimon/provenance-npm-test"), + builderID: PointerTo("https://github.com/actions/runner/github-hosted"), + }, + { + name: "valid npm CLI builder mismatch source", + 
artifact: "provenance-npm-test-cli-v02-prega.tgz", + source: "github.com/laurentsimon/provenance-npm-test2", + builderID: PointerTo("https://github.com/actions/runner/github-hosted"), + err: serrors.ErrorMismatchSource, + }, + { + name: "valid npm CLI builder mismatch package version", + artifact: "provenance-npm-test-cli-v02-prega.tgz", + source: "github.com/laurentsimon/provenance-npm-test", + pkgVersion: PointerTo("1.0.4"), + builderID: PointerTo("https://github.com/actions/runner/github-hosted"), + err: serrors.ErrorMismatchPackageVersion, + }, + { + name: "valid npm CLI builder mismatch package name", + artifact: "provenance-npm-test-cli-v02-prega.tgz", + source: "github.com/laurentsimon/provenance-npm-test", + pkgName: PointerTo("@laurentsimon/provenance-npm-test2"), + builderID: PointerTo("https://github.com/actions/runner/github-hosted"), + err: serrors.ErrorMismatchPackageName, + }, + { + name: "invalid signature provenance npm CLI", + artifact: "provenance-npm-test-cli-v02-prega-invalidsigprov.tgz", + source: "github.com/laurentsimon/provenance-npm-test", + pkgName: PointerTo("@laurentsimon/provenance-npm-test2"), + builderID: PointerTo("https://github.com/actions/runner/github-hosted"), + err: serrors.ErrorInvalidSignature, + }, + { + name: "invalid signature publish npm CLI", + artifact: "provenance-npm-test-cli-v02-prega-invalidsigpub.tgz", + source: "github.com/laurentsimon/provenance-npm-test", + pkgName: PointerTo("@laurentsimon/provenance-npm-test2"), + builderID: PointerTo("https://github.com/actions/runner/github-hosted"), + err: serrors.ErrorInvalidSignature, + }, + // OSSF builder. 
+ { + name: "valid npm OSSF builder", + artifact: "provenance-npm-test-ossf.tgz", + source: "github.com/laurentsimon/provenance-npm-test", + pkgVersion: PointerTo("1.0.5"), + pkgName: PointerTo("@laurentsimon/provenance-npm-test"), + builderID: PointerTo("https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_nodejs_slsa3.yml"), + }, + { + name: "valid npm OSSF builder no builder", + artifact: "provenance-npm-test-ossf.tgz", + source: "github.com/laurentsimon/provenance-npm-test", + pkgVersion: PointerTo("1.0.5"), + pkgName: PointerTo("@laurentsimon/provenance-npm-test"), + err: serrors.ErrorInvalidBuilderID, + }, + { + name: "valid npm OSSF builder mismatch builder", + artifact: "provenance-npm-test-ossf.tgz", + source: "github.com/laurentsimon/provenance-npm-test", + pkgVersion: PointerTo("1.0.5"), + pkgName: PointerTo("@laurentsimon/provenance-npm-test"), + builderID: PointerTo("https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_nodejs_slsa.yml"), + err: serrors.ErrorMismatchBuilderID, + }, + { + name: "valid npm OSSF builder no package name", + artifact: "provenance-npm-test-ossf.tgz", + source: "github.com/laurentsimon/provenance-npm-test", + pkgVersion: PointerTo("1.0.5"), + builderID: PointerTo("https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_nodejs_slsa3.yml"), + }, + { + name: "valid npm OSSF builder no package version", + artifact: "provenance-npm-test-ossf.tgz", + source: "github.com/laurentsimon/provenance-npm-test", + pkgName: PointerTo("@laurentsimon/provenance-npm-test"), + builderID: PointerTo("https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_nodejs_slsa3.yml"), + }, + { + name: "valid npm OSSF builder mismatch package name", + artifact: "provenance-npm-test-ossf.tgz", + source: "github.com/laurentsimon/provenance-npm-test", + pkgVersion: PointerTo("1.0.5"), + pkgName: PointerTo("@laurentsimon/provenance-npm-test2"), + 
builderID: PointerTo("https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_nodejs_slsa3.yml"), + err: serrors.ErrorMismatchPackageName, + }, + { + name: "valid npm OSSF builder mismatch package version", + artifact: "provenance-npm-test-ossf.tgz", + source: "github.com/laurentsimon/provenance-npm-test", + pkgVersion: PointerTo("1.0.6"), + pkgName: PointerTo("@laurentsimon/provenance-npm-test"), + builderID: PointerTo("https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_nodejs_slsa3.yml"), + err: serrors.ErrorMismatchPackageVersion, + }, + { + name: "valid npm OSSF builder mismatch mismatch source", + artifact: "provenance-npm-test-ossf.tgz", + source: "github.com/laurentsimon/provenance-npm-test2", + pkgVersion: PointerTo("1.0.5"), + pkgName: PointerTo("@laurentsimon/provenance-npm-test"), + builderID: PointerTo("https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_nodejs_slsa3.yml"), + err: serrors.ErrorMismatchSource, + }, + { + name: "invalid signature provenance npm OSSF builder", + artifact: "provenance-npm-test-ossf-invalidsigprov.tgz", + source: "github.com/laurentsimon/provenance-npm-test", + pkgVersion: PointerTo("1.0.5"), + pkgName: PointerTo("@laurentsimon/provenance-npm-test"), + builderID: PointerTo("https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_nodejs_slsa3.yml"), + err: serrors.ErrorInvalidSignature, + }, + { + name: "invalid signature publish npm OSSF builder", + artifact: "provenance-npm-test-ossf-invalidsigpub.tgz", + source: "github.com/laurentsimon/provenance-npm-test", + pkgVersion: PointerTo("1.0.5"), + pkgName: PointerTo("@laurentsimon/provenance-npm-test"), + builderID: PointerTo("https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_nodejs_slsa3.yml"), + err: serrors.ErrorInvalidSignature, + }, + } + for _, tt := range tests { + tt := tt // Re-initializing variable so it is not changed while 
executing the closure below + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + + artifactPath := filepath.Clean(filepath.Join(TEST_DIR, "npm", "gha", tt.artifact)) + attestationsPath := fmt.Sprintf("%s.json", artifactPath) + cmd := verify.VerifyNpmPackageCommand{ + AttestationsPath: attestationsPath, + BuilderID: tt.builderID, + SourceURI: tt.source, + PackageName: tt.pkgName, + PackageVersion: tt.pkgVersion, + } + + _, err := cmd.Exec(context.Background(), []string{artifactPath}) + if diff := cmp.Diff(tt.err, err, cmpopts.EquateErrors()); diff != "" { + t.Fatalf("unexpected error (-want +got): \n%s", diff) + } + }) + } +} + +func PointerTo[K any](object K) *K { + return &object +} 
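Review bot: The two invalid-signature cases for `provenance-npm-test-cli-v02-prega-invalidsigprov.tgz` and `provenance-npm-test-cli-v02-prega-invalidsigpub.tgz` also pass a mismatching package name, `pkgName: PointerTo("@laurentsimon/provenance-npm-test2")`, so each has two independent reasons to be rejected. They return `serrors.ErrorInvalidSignature` presumably only because the signature check runs before the name check. Use `pkgName: PointerTo("@laurentsimon/provenance-npm-test"),` there, as the tag and OSSF groups do, so that the tampered signature is the only invalid input and the cases keep pinning the always-succeeds bug this commit fixes. Separately, the tag-group case for `supreme-googles-cli-v02-tag-invalidsigpub.tgz` reuses the name "invalid signature provenance npm CLI" from the case before it; rename it to `name: "invalid signature publish npm CLI",` so a failure is attributed to the publish attestation. The process-wide `os.Setenv("SLSA_VERIFIER_EXPERIMENTAL", "1")` is never restored, which is worth a comment noting that it leaks into every other test in the package.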
diff --git a/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-cli-v02-prega-invalidsigprov.tgz b/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-cli-v02-prega-invalidsigprov.tgz new file mode 100644 index 0000000000000000000000000000000000000000..c53029ef610f44a8b1bc1b5db3662ec894efd97e GIT binary patch literal 7120 zcmV;>8!zM^iwFP!00002|Lr{eciXnL{aJqn%4V~aCsC3eJFRlE)s5ZNTVngz&g*uv zETc$BVoebmL0Zwe{O|9600bz>PS&nI>pRxzX=D<(xVYaRfEH1F9ZhBb<;jcV)63(} zeu>XuFgSSfL~MIL80;Pl_x8nSd;152;qc&K0OJP3!R}N1_p^KWRJx1`K;=KMN%)BR z-(Sf`eC%_$h~k+PFVk4&TDI;O`M8w**2q`MWuj6 zr$q!4^C=B7bnp<6(8DOjdqhNqRFqN8@27;D_%DN&d zr2Qi!q`SBqd|KrROpDcgu5ts(3>3?>oG~0;Fcjaag78>W#X^C^II7kRw>%0Alz_IP zMLX^ARJD{v7uZ(-mk^0G=kHxnDiKG(bR1`(@GGJ~A?8sImJ^wW>*^|=8N|9`Ig_+~ z;6AMz5p16_%M_&vptMuKgxI5J=>j25(g{#=A&VG6xAzCX>Ckct$isxUfT|LV7vKv# z05%m;TZjO1EOQ`2oB}Hw&^yY$6~ZcnFCPYgd=J>B z8W91!=c(2t@FZuf1jLpNQM-iIVo*U)ulc&9Eebi2MFG?4?Sv?PjZ4f`lET&^(kjc~ zG>@~2NC8SHa#e~fou{}u@KLKtxkT~Ov>-4g0qR@bBR~cW59nI`pQO{Op!dL*OnT{~C`=?z<~(tQ-L(M+o%H&L2J+)-T)PE zq(Fk`U|j-mjqNlryEl-S1{U#gq>*_!sbYd_p!9?Eu&u(Sh+U`)%UK%FJYxXND!~VU zW)|`$C03#o18Iz&2niHch5ZXa7&iObWPqWUlNuz2s2{;%DkG(UY3Vf0VUc?}~Nu8S0@l8{QFk<24F7kJ4H{8odh68$Gzw>ZX^jU0Yw(0* zI5Clkg`}7^Gz;F}hJ4pkiW059f~7NSwskcI+hL4{jXOxX2y;Tur~)lSc6=kOuv{j0 zcc-`T0~NH&v^>iDSOPI8K#JRgmrwKdBB=Ki7+CD@YqJcKWCjXYC@{uds85(exEAIB;j%C4?c2yoTvqH{jjV1>W;`|Xt+E6!DLeuRG$DX9MR61t zKyV1Vga~gTOQ4JuKQMh+vP?17$W`7W&TH5){@H`5r@A+rkXm^B8m>!?UcJ0}HLADhw0)cQVO@!PrsX|T$r@rYpl zAR?)wdYZOA!ET5%T;pv4eGc-P$eAUU$O`N0LUA%d{@1yX21|u9T{ERjr;I{0jqo)Y zIg_}zox`eQ>q2SWBZA>JVpU=M#D4?lBauZ*U8N;%HIq|z0zff~yo(9etm0h;j(h?m zu1%`#;KYtOE4wYrk2yuE0ER=crX<>s$tI&lQ*5H)bj-Ls8&$D)Kov#qSy_p+4cHQR zXoat)E^gLQQ%eHQXzz(K1wrSX-JEA;d35JcZSOrFo3_2K+>j&FQUi!2Cy}S zEuzu#L*F_(#Lvb?Bk~XHnZz@4qjt@)w>BCrqFGEN z#!X!>m>>}?ow}L5aS37zKI`vi(Hqsytbrl7w~nt}o(b5ZDI1g}etDp5>KOqKql9uy zCvmncI5H5Me z2&IXR(JiuAt43|Ub{kQW;P(Ra9bY0nC>C`?p-<6-E>m9vBm6y4K859tB$0Vi&28A) zkQi%NIRCTkT(@aNU|YlhGHg{Qs#ZbH#Bo4Tt;-)1=C;1YRuZ|ag2GlR)^h-`R`~K* 
zfk4bYe3Y>ymtxe~h;p|?@UFDCrDeomyk3!-Y{91M)Mi4-;_8-E#IMfPszmT`X|I~+ z5ZLHeHN0>gbz?1=LTQwvMp>rLRMs+q21E8K*)g2}&Q)C$s6+8O2QR9LY4SZR6sMT} z5=5^-Qr9rtdv%<{@ux0bG4q>n4E7jih%8~fGgeM15ePU6HCGIt2wr( z5gVW~#2qng(6FLTIbtYoSK|A_i;Kh4tCQnPadzRi<yomf^aA04)A-dj%v4) zlnu3jE@f$FEdlhbc6PEP-D{Ob7hsw-X{ zU%dDZusrUkP@SHY00qMdaB!AB0di7GSHfjwq5pLI->r|6v*D6ly zG?|UM>9bNb)^D_KCbKMiUxx6vB`HpNnMUI@qvrVudR_tHPhJup36ijKLT-xnh`MiKmn`uF zf~M~HcKu-M*>E3Nl(8(!Qd-zl1chEX0%-o%2-pvL;GNbcl3 z$D<{#AjV|PEbc;$GgF14xTTL~2P0o@wZMK*Urc_L>PEW<5{&QE5;GxAC2N8aJw3o~ ze{`ZH&%AC(9dnzu2o-V7V>G1Bj1s;S>9{V6v*@l;}ZZwK|sW$O?5xEhZW# z27nwDuF(bu=qs9?PjmPM(FDOu>wdhUob9{TCcI9cvZ_*Gzn~g3nv=hVTYF z*Sf54X}A%R#LJnQ;?wmHgo-u}sLxz>o*@XEkDwu7_hriGHjGbmlZKLMtR<=ralEWw zjj37|HA;3?kfYLy`^S!)nq$yCK$)g|N`!t}>|xHFwfrh&gI*RrJi_1&xGe(znc=q$ zyoqd=QZ`VqLQY`~$P8>PpH?7n5E6h}$k$KynQDoP*Y)PU!q#UGpa1sH!kqtyXuFS| z^nLh)zSr~rgT1Fu4%W~A5BCTA59j~y;}f9aMcWgX!L!y)RET%)Vu)Z$`Ay2Tspn|B z!9@M`w`8Ehwf7zIuYZX)_YOmTBYrR1HYaGSu9$ZP#1GfI9q}WXVTj<`*Sq5R^XFtV z=%9Q@;1h98jzJ(E=q%xhfjpJv*)l%|R}B%^>c}`!RkRT}yAy)@IZZ>90+I9(F9k!Xon{gb$Fc)7z225;Y#LEk~l>E=<7| zU{&N|{^t7aGx0%uVC+7$+}YQVcWt+WM7rMX(kif*4;?`7XHrnTx!!#Xe-aV^v16I5 zWyvHsl9LEi%}xHU5BUTZ-&o9U-CvL}u%Nq@iZ@YK!5=r`gC)RL@ajzs2X}XaW9`oP z^vETs^Oilim$VxTT(svZ@u>=b;w<>bla@}+Qk6IXHK{sC#fN8&`JX=*d6i`y@~Ukd zitSB7D-q{l#B)awT+fgVLeWy;iR%y&UQgb`7}9Bkjl$kpSJ5_O(iLU^W3$Oef1DX) z_QfxNn3k5&GDHG?Ye0YKiB#j@AL@t-&yzLeRtW|bnrqfpg?-@#wQ8)t_=eEyDkk4UP=h*$%py8X~ zuwjGDaLVstJ*hGXP&1i0%*$d0|A+K?(XMwJ=8$xlA&7~9ARKb1w!sy_w+T&yWMd6} z|FI?B1bCTf8NB_e%MdtbyrCd`3lluJ^!u8g=BdGCWVqIN8e-GET@$8T<6pCYk5s^F z4trpMBNio~+e8T2_2zA-!{qE3nI#MHthL?JK)efj4#F2W^(B*I3=CQuf?x)QlwG~j z=;v-!nux)(7PTKCktifQ^i4xl1k^>I{ynALQ(0NZmtwK8Ocu+|>hY}YL4 z{vXR2K6Z&@j&``0FXp{cYH;2-+}vEi8N+Z8?(tKv zxPfo3V7M?+MUK#cQmdKltKvGe$G|8ZFAo#xnHJd^SD+6;QOIm2v*P>Ewf2*7AQpWmBD3p+3a zwZl{u&$?g(^na=fM{?;g`u@DGrhE(^3qvCij6@QOJeTc(G{ZxPkEr0-UC$U85>8 z^W=Z9z@kU}K75~5V~D5c{f|jih>+?f`Hl#JV`(t88GOJ6CM?eIt8q2;q{JZc6AfSgE&8)A&eWDe(zK1H#&#(W0 
z6{XDgmk0np;{S)kP5=M&;KBdjoByZV@pN;zI3xe)5Qn-JM_=)VCcRb)Zd=g-@dHBeYJxXZTNnA z{O7BkP(1EibmtuMk7!R|pE0QT7`i-%uh^NigmKLw8^Sd$DEuDH6a0rS*x|Q|A4qNR zH;6&X(m+gA@YVqTAVF0wDm=VcRB?$NcXM=&UxQorS16QnOF)ou z>k{795g5*M5b2C{j;r#Gck!BAf%fhpU1DXl+#H7>b!mD%-mQ-TNk7**(aX7Hz(p>sCO>LkY=dD1b6LXStC&ISvx^FT|GorPbP!^h{?xbCbJV^>L&(aY4tSWDks2xU=2npWKgU0?c`k$y}o~bD5L7)b4L8xc{0Xwdj}IKXW@jd%I-^3daS*ouJwqNlfV#BtMq_h#^RNBj;Y z;C7+~W;wGzpI1L=$)R2H7P{hk->9;&kp2k^@hTfM-&7VbT4M_G@yuHQ$%f|pPgx?1 zAZ(e}KTT`QWKUT)Wct_Rqtd?^vvV1oc_}nGDqe!vFtFg) zh%f$10@CaGvuSsz`+wu_7{k+JGJBd#H6~X#Gr-{cxBOzRNzjX)Hkg zj_dii8Jqv?z8`|%hxi}Mg{BKz-t+m-!SLz+X8(V0_z?f!$A^oA;xXPUpc5}-%GcVH z&syeq35;6hvDiH8LUv}Zrz5J@(#4PtcM$G4yz=2e{r+q8KV<*W$Gbk0Of5Bd5&S(7 z*+Yl87p~^nFQos&;nR)!AN=!>|KH08Lx2%yWqab>1heNR)F~AnD)~XTS}Gs4gpr65 z>NWM_N8$}1L`~kdgq56k_=_xf4sir&t-CTZqF>eN;kD4#4{EFt3LRY`aQ@|zk-aO) zCWt4BFY2q;aeasS4e2|fnIP`G~rK+aB%UI-e% zZ4>;dNqBB&8|Bc=+0_EGFuKau2>RWxm1ErP=6u_jV~9w12}?7p(zpgio|6I?f~4%z zpRAR=`mE#@JtZQ_;vKeVe$ek~b^ZEg7#@U!UJ-|bmi>tbM_c?=yOH^UM0>3oqg)mN z?qAufc~#ysXR;tGNxRIq7XKVC(6X#qhB)-_0FR~mqaS~?W5Uz(SMRRQ{&ajQK0KV+ z_|@3|pJn+!$^H+XK3%u}`-9zw{?9$y|Npq*Hx}L*c(5V5hi59Pag~=#OgvO>=k$yftpis)E1;_K>zlpp1Hk-Niym66dPvhoT6^Y>t_;82aqkK_ z#Y>wj$i6dpXFF#0aYzKj+oj%|7|$<`khT^lpbP!YcOJ4#^rrad*M>gpqvCYqQGEt< z%dzpNG${^z(maB?f2! GZU6v{B;H2= literal 0 HcmV?d00001 diff --git a/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-cli-v02-prega-invalidsigprov.tgz.json b/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-cli-v02-prega-invalidsigprov.tgz.json new file mode 100644 index 000000000..1707f658d --- /dev/null +++ b/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-cli-v02-prega-invalidsigprov.tgz.json 
@@ -0,0 +1 @@ +{"attestations":[{"predicateType":"https://github.com/npm/attestation/tree/main/specs/publish/v0.1","bundle":{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.1","verificationMaterial":{"publicKey":{"hint":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA"},"tlogEntries":[{"logIndex":"18493593","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"intoto","version":"0.0.2"},"integratedTime":"1682011041","inclusionPromise":{"signedEntryTimestamp":"MEUCIQC56Jk+crJXrVlY+m609XZCFJK1TBf+mJNw52yeZQB/uAIgBo/owggXcsChlwgwoecZLiSXZoaTDL1yyt16OoMrusc="},"inclusionProof":null,"canonicalizedBody":"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"}],"timestampVerificationData":null},"dsseEnvelope":{"payload":"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","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEUCIHSqlNBxT1PiUkTaa4djMsRp5R/bpiESPretv+BrKhbsAiEAt+Oh7lVS4GYCyLtE3LJYGMSa1AR1gG1PqKhXcijPOxE=","keyid":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA"}]}}},{"predicateType":"https://slsa.dev/provenance/v0.2","bundle":{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.1","verificationMaterial":{"x509CertificateChain":{"certificates":[{"rawBytes":"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"},{"rawBytes":"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"},{"rawBytes":"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"}]},"tlogEntries":[{"logIndex":"18493590","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"intoto","version":"0.0.2"},"integratedTime":"1682011038","inclusionPromise":{"signedEntryTimestamp":"MEQCIDfITcXf8hI6h4PNE4sn3o4MdRC0mXmx/Uc1TR6Me/ScAiAve29D0ZhvOaO1w3OpdLBu2jiu49u97SjiEvqRlYM5tw=="},"inclusionProof":null,"canonicalizedBody":"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"}],"timestampVerificationData":null},"dsseEnvelope":{"payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1l
bnQvdjAuMSIsInN1YmplY3QiOlt7Im5hbWUiOiJwa2c6bnBtLyU0MGxhdXJlbnRzaW1vbi9wcm92ZW5hbmNlLW5wbS10ZXN0QDEuMC4zIiwiZGlnZXN0Ijp7InNoYTUxMiI6ImYyOTk1ZTI1NjVhMTUxMGM3MDc4NTBkODE5NGY5ODNiOTFmZTYxZWMyNDNjNTU1MWFkODQ5YzM1NzI3Mzc2OGI1ZjNhNTdlNDRiODFjYzBjZDM2YTM0YjhiOTMzMzIyYmU4NzFlZWE1YjA1ODIwMmJlODA3ZTI0ZGM4ODI4MTFiIn19XSwicHJlZGljYXRlVHlwZSI6Imh0dHBzOi8vc2xzYS5kZXYvcHJvdmVuYW5jZS92MC4yIiwicHJlZGljYXRlIjp7ImJ1aWxkVHlwZSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9ucG0vY2xpL2doYS92MiIsImJ1aWxkZXIiOnsiaWQiOiJodHRwczovL2dpdGh1Yi5jb20vYWN0aW9ucy9ydW5uZXIifSwiaW52b2NhdGlvbiI6eyJjb25maWdTb3VyY2UiOnsidXJpIjoiZ2l0K2h0dHBzOi8vZ2l0aHViLmNvbS9sYXVyZW50c2ltb24vcHJvdmVuYW5jZS1ucG0tdGVzdEByZWZzL2hlYWRzL21haW4iLCJkaWdlc3QiOnsic2hhMSI6ImIzODg5NGYyZGRhNDM1NWVhNTYwNmZjY2IxNjZlNjE1NjVlMTJhMTQifSwiZW50cnlQb2ludCI6Ii5naXRodWIvd29ya2Zsb3dzL3JlbGVhc2UueW1sIn0sInBhcmFtZXRlcnMiOnt9LCJlbnZpcm9ubWVudCI6eyJHSVRIVUJfRVZFTlRfTkFNRSI6IndvcmtmbG93X2Rpc3BhdGNoIiwiR0lUSFVCX1JFRiI6InJlZnMvaGVhZHMvbWFpbiIsIkdJVEhVQl9SRVBPU0lUT1JZIjoibGF1cmVudHNpbW9uL3Byb3ZlbmFuY2UtbnBtLXRlc3QiLCJHSVRIVUJfUkVQT1NJVE9SWV9JRCI6IjYwMjIyMzk0NSIsIkdJVEhVQl9SRVBPU0lUT1JZX09XTkVSX0lEIjoiNjQ1MDUwOTkiLCJHSVRIVUJfUlVOX0FUVEVNUFQiOiIxIiwiR0lUSFVCX1JVTl9JRCI6IjQ3NTcwNjAwMDkiLCJHSVRIVUJfU0hBIjoiYjM4ODk0ZjJkZGE0MzU1ZWE1NjA2ZmNjYjE2NmU2MTU2NWUxMmExNCIsIkdJVEhVQl9XT1JLRkxPV19SRUYiOiJsYXVyZW50c2ltb24vcHJvdmVuYW5jZS1ucG0tdGVzdC8uZ2l0aHViL3dvcmtmbG93cy9yZWxlYXNlLnltbEByZWZzL2hlYWRzL21haW4iLCJHSVRIVUJfV09SS0ZMT1dfU0hBIjoiYjM4ODk0ZjJkZGE0MzU1ZWE1NjA2ZmNjYjE2NmU2MTU2NWUxMmExNCJ9fSwibWV0YWRhdGEiOnsiYnVpbGRJbnZvY2F0aW9uSWQiOiI0NzU3MDYwMDA5LTEiLCJjb21wbGV0ZW5lc3MiOnsicGFyYW1ldGVycyI6ZmFsc2UsImVudmlyb25tZW50IjpmYWxzZSwibWF0ZXJpYWxzIjpmYWxzZX0sInJlcHJvZHVjaWJsZSI6ZmFsc2V9LCJtYXRlcmlhbHMiOlt7InVyaSI6ImdpdCtodHRwczovL2dpdGh1Yi5jb20vbGF1cmVudHNpbW9uL3Byb3ZlbmFuY2UtbnBtLXRlc3RAcmVmcy9oZWFkcy9tYWluIiwiZGlnZXN0Ijp7InNoYTEiOiJiMzg4OTRmMmRkYTQzNTVlYTU2MDZmY2NiMTY2ZTYxNTY1ZTEyYTE1In19XX19Cg==","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEQCIBTEUluqKyswleZfZzj
11Ch1l2ZagDpXaUGXf4d2s3HXAiB9s/VEXbp+7Y9Abghz6E3ooveLe35E8PDUKA57T/t6Bw==","keyid":""}]}}}]} \ No newline at end of file 
diff --git a/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-cli-v02-prega-invalidsigpub.tgz b/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-cli-v02-prega-invalidsigpub.tgz new file mode 100644 index 0000000000000000000000000000000000000000..c53029ef610f44a8b1bc1b5db3662ec894efd97e GIT binary patch literal 7120 zcmV;>8!zM^iwFP!00002|Lr{eciXnL{aJqn%4V~aCsC3eJFRlE)s5ZNTVngz&g*uv zETc$BVoebmL0Zwe{O|9600bz>PS&nI>pRxzX=D<(xVYaRfEH1F9ZhBb<;jcV)63(} zeu>XuFgSSfL~MIL80;Pl_x8nSd;152;qc&K0OJP3!R}N1_p^KWRJx1`K;=KMN%)BR z-(Sf`eC%_$h~k+PFVk4&TDI;O`M8w**2q`MWuj6 zr$q!4^C=B7bnp<6(8DOjdqhNqRFqN8@27;D_%DN&d zr2Qi!q`SBqd|KrROpDcgu5ts(3>3?>oG~0;Fcjaag78>W#X^C^II7kRw>%0Alz_IP zMLX^ARJD{v7uZ(-mk^0G=kHxnDiKG(bR1`(@GGJ~A?8sImJ^wW>*^|=8N|9`Ig_+~ z;6AMz5p16_%M_&vptMuKgxI5J=>j25(g{#=A&VG6xAzCX>Ckct$isxUfT|LV7vKv# z05%m;TZjO1EOQ`2oB}Hw&^yY$6~ZcnFCPYgd=J>B z8W91!=c(2t@FZuf1jLpNQM-iIVo*U)ulc&9Eebi2MFG?4?Sv?PjZ4f`lET&^(kjc~ zG>@~2NC8SHa#e~fou{}u@KLKtxkT~Ov>-4g0qR@bBR~cW59nI`pQO{Op!dL*OnT{~C`=?z<~(tQ-L(M+o%H&L2J+)-T)PE zq(Fk`U|j-mjqNlryEl-S1{U#gq>*_!sbYd_p!9?Eu&u(Sh+U`)%UK%FJYxXND!~VU zW)|`$C03#o18Iz&2niHch5ZXa7&iObWPqWUlNuz2s2{;%DkG(UY3Vf0VUc?}~Nu8S0@l8{QFk<24F7kJ4H{8odh68$Gzw>ZX^jU0Yw(0* zI5Clkg`}7^Gz;F}hJ4pkiW059f~7NSwskcI+hL4{jXOxX2y;Tur~)lSc6=kOuv{j0 zcc-`T0~NH&v^>iDSOPI8K#JRgmrwKdBB=Ki7+CD@YqJcKWCjXYC@{uds85(exEAIB;j%C4?c2yoTvqH{jjV1>W;`|Xt+E6!DLeuRG$DX9MR61t zKyV1Vga~gTOQ4JuKQMh+vP?17$W`7W&TH5){@H`5r@A+rkXm^B8m>!?UcJ0}HLADhw0)cQVO@!PrsX|T$r@rYpl zAR?)wdYZOA!ET5%T;pv4eGc-P$eAUU$O`N0LUA%d{@1yX21|u9T{ERjr;I{0jqo)Y zIg_}zox`eQ>q2SWBZA>JVpU=M#D4?lBauZ*U8N;%HIq|z0zff~yo(9etm0h;j(h?m zu1%`#;KYtOE4wYrk2yuE0ER=crX<>s$tI&lQ*5H)bj-Ls8&$D)Kov#qSy_p+4cHQR zXoat)E^gLQQ%eHQXzz(K1wrSX-JEA;d35JcZSOrFo3_2K+>j&FQUi!2Cy}S zEuzu#L*F_(#Lvb?Bk~XHnZz@4qjt@)w>BCrqFGEN z#!X!>m>>}?ow}L5aS37zKI`vi(Hqsytbrl7w~nt}o(b5ZDI1g}etDp5>KOqKql9uy zCvmncI5H5Me z2&IXR(JiuAt43|Ub{kQW;P(Ra9bY0nC>C`?p-<6-E>m9vBm6y4K859tB$0Vi&28A) zkQi%NIRCTkT(@aNU|YlhGHg{Qs#ZbH#Bo4Tt;-)1=C;1YRuZ|ag2GlR)^h-`R`~K* 
zfk4bYe3Y>ymtxe~h;p|?@UFDCrDeomyk3!-Y{91M)Mi4-;_8-E#IMfPszmT`X|I~+ z5ZLHeHN0>gbz?1=LTQwvMp>rLRMs+q21E8K*)g2}&Q)C$s6+8O2QR9LY4SZR6sMT} z5=5^-Qr9rtdv%<{@ux0bG4q>n4E7jih%8~fGgeM15ePU6HCGIt2wr( z5gVW~#2qng(6FLTIbtYoSK|A_i;Kh4tCQnPadzRi<yomf^aA04)A-dj%v4) zlnu3jE@f$FEdlhbc6PEP-D{Ob7hsw-X{ zU%dDZusrUkP@SHY00qMdaB!AB0di7GSHfjwq5pLI->r|6v*D6ly zG?|UM>9bNb)^D_KCbKMiUxx6vB`HpNnMUI@qvrVudR_tHPhJup36ijKLT-xnh`MiKmn`uF zf~M~HcKu-M*>E3Nl(8(!Qd-zl1chEX0%-o%2-pvL;GNbcl3 z$D<{#AjV|PEbc;$GgF14xTTL~2P0o@wZMK*Urc_L>PEW<5{&QE5;GxAC2N8aJw3o~ ze{`ZH&%AC(9dnzu2o-V7V>G1Bj1s;S>9{V6v*@l;}ZZwK|sW$O?5xEhZW# z27nwDuF(bu=qs9?PjmPM(FDOu>wdhUob9{TCcI9cvZ_*Gzn~g3nv=hVTYF z*Sf54X}A%R#LJnQ;?wmHgo-u}sLxz>o*@XEkDwu7_hriGHjGbmlZKLMtR<=ralEWw zjj37|HA;3?kfYLy`^S!)nq$yCK$)g|N`!t}>|xHFwfrh&gI*RrJi_1&xGe(znc=q$ zyoqd=QZ`VqLQY`~$P8>PpH?7n5E6h}$k$KynQDoP*Y)PU!q#UGpa1sH!kqtyXuFS| z^nLh)zSr~rgT1Fu4%W~A5BCTA59j~y;}f9aMcWgX!L!y)RET%)Vu)Z$`Ay2Tspn|B z!9@M`w`8Ehwf7zIuYZX)_YOmTBYrR1HYaGSu9$ZP#1GfI9q}WXVTj<`*Sq5R^XFtV z=%9Q@;1h98jzJ(E=q%xhfjpJv*)l%|R}B%^>c}`!RkRT}yAy)@IZZ>90+I9(F9k!Xon{gb$Fc)7z225;Y#LEk~l>E=<7| zU{&N|{^t7aGx0%uVC+7$+}YQVcWt+WM7rMX(kif*4;?`7XHrnTx!!#Xe-aV^v16I5 zWyvHsl9LEi%}xHU5BUTZ-&o9U-CvL}u%Nq@iZ@YK!5=r`gC)RL@ajzs2X}XaW9`oP z^vETs^Oilim$VxTT(svZ@u>=b;w<>bla@}+Qk6IXHK{sC#fN8&`JX=*d6i`y@~Ukd zitSB7D-q{l#B)awT+fgVLeWy;iR%y&UQgb`7}9Bkjl$kpSJ5_O(iLU^W3$Oef1DX) z_QfxNn3k5&GDHG?Ye0YKiB#j@AL@t-&yzLeRtW|bnrqfpg?-@#wQ8)t_=eEyDkk4UP=h*$%py8X~ zuwjGDaLVstJ*hGXP&1i0%*$d0|A+K?(XMwJ=8$xlA&7~9ARKb1w!sy_w+T&yWMd6} z|FI?B1bCTf8NB_e%MdtbyrCd`3lluJ^!u8g=BdGCWVqIN8e-GET@$8T<6pCYk5s^F z4trpMBNio~+e8T2_2zA-!{qE3nI#MHthL?JK)efj4#F2W^(B*I3=CQuf?x)QlwG~j z=;v-!nux)(7PTKCktifQ^i4xl1k^>I{ynALQ(0NZmtwK8Ocu+|>hY}YL4 z{vXR2K6Z&@j&``0FXp{cYH;2-+}vEi8N+Z8?(tKv zxPfo3V7M?+MUK#cQmdKltKvGe$G|8ZFAo#xnHJd^SD+6;QOIm2v*P>Ewf2*7AQpWmBD3p+3a zwZl{u&$?g(^na=fM{?;g`u@DGrhE(^3qvCij6@QOJeTc(G{ZxPkEr0-UC$U85>8 z^W=Z9z@kU}K75~5V~D5c{f|jih>+?f`Hl#JV`(t88GOJ6CM?eIt8q2;q{JZc6AfSgE&8)A&eWDe(zK1H#&#(W0 
z6{XDgmk0np;{S)kP5=M&;KBdjoByZV@pN;zI3xe)5Qn-JM_=)VCcRb)Zd=g-@dHBeYJxXZTNnA z{O7BkP(1EibmtuMk7!R|pE0QT7`i-%uh^NigmKLw8^Sd$DEuDH6a0rS*x|Q|A4qNR zH;6&X(m+gA@YVqTAVF0wDm=VcRB?$NcXM=&UxQorS16QnOF)ou z>k{795g5*M5b2C{j;r#Gck!BAf%fhpU1DXl+#H7>b!mD%-mQ-TNk7**(aX7Hz(p>sCO>LkY=dD1b6LXStC&ISvx^FT|GorPbP!^h{?xbCbJV^>L&(aY4tSWDks2xU=2npWKgU0?c`k$y}o~bD5L7)b4L8xc{0Xwdj}IKXW@jd%I-^3daS*ouJwqNlfV#BtMq_h#^RNBj;Y z;C7+~W;wGzpI1L=$)R2H7P{hk->9;&kp2k^@hTfM-&7VbT4M_G@yuHQ$%f|pPgx?1 zAZ(e}KTT`QWKUT)Wct_Rqtd?^vvV1oc_}nGDqe!vFtFg) zh%f$10@CaGvuSsz`+wu_7{k+JGJBd#H6~X#Gr-{cxBOzRNzjX)Hkg zj_dii8Jqv?z8`|%hxi}Mg{BKz-t+m-!SLz+X8(V0_z?f!$A^oA;xXPUpc5}-%GcVH z&syeq35;6hvDiH8LUv}Zrz5J@(#4PtcM$G4yz=2e{r+q8KV<*W$Gbk0Of5Bd5&S(7 z*+Yl87p~^nFQos&;nR)!AN=!>|KH08Lx2%yWqab>1heNR)F~AnD)~XTS}Gs4gpr65 z>NWM_N8$}1L`~kdgq56k_=_xf4sir&t-CTZqF>eN;kD4#4{EFt3LRY`aQ@|zk-aO) zCWt4BFY2q;aeasS4e2|fnIP`G~rK+aB%UI-e% zZ4>;dNqBB&8|Bc=+0_EGFuKau2>RWxm1ErP=6u_jV~9w12}?7p(zpgio|6I?f~4%z zpRAR=`mE#@JtZQ_;vKeVe$ek~b^ZEg7#@U!UJ-|bmi>tbM_c?=yOH^UM0>3oqg)mN z?qAufc~#ysXR;tGNxRIq7XKVC(6X#qhB)-_0FR~mqaS~?W5Uz(SMRRQ{&ajQK0KV+ z_|@3|pJn+!$^H+XK3%u}`-9zw{?9$y|Npq*Hx}L*c(5V5hi59Pag~=#OgvO>=k$yftpis)E1;_K>zlpp1Hk-Niym66dPvhoT6^Y>t_;82aqkK_ z#Y>wj$i6dpXFF#0aYzKj+oj%|7|$<`khT^lpbP!YcOJ4#^rrad*M>gpqvCYqQGEt< z%dzpNG${^z(maB?f2! GZU6v{B;H2= literal 0 HcmV?d00001 diff --git a/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-cli-v02-prega-invalidsigpub.tgz.json b/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-cli-v02-prega-invalidsigpub.tgz.json new file mode 100644 index 000000000..a882ebc56 --- /dev/null +++ b/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-cli-v02-prega-invalidsigpub.tgz.json 
@@ -0,0 +1 @@ +{"attestations":[{"predicateType":"https://github.com/npm/attestation/tree/main/specs/publish/v0.1","bundle":{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.1","verificationMaterial":{"publicKey":{"hint":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA"},"tlogEntries":[{"logIndex":"18493593","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"intoto","version":"0.0.2"},"integratedTime":"1682011041","inclusionPromise":{"signedEntryTimestamp":"MEUCIQC56Jk+crJXrVlY+m609XZCFJK1TBf+mJNw52yeZQB/uAIgBo/owggXcsChlwgwoecZLiSXZoaTDL1yyt16OoMrusc="},"inclusionProof":null,"canonicalizedBody":"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"}],"timestampVerificationData":null},"dsseEnvelope":{"payload":"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","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEUCIHSqlNBxT1PiUkTaa4djMsRp5R/bpiESPretv+BrKhbsAiEAt+Oh7lVS4GYCyLtE3LJYGMSa1AR1gG1PqKhXcijPOxE=","keyid":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA"}]}}},{"predicateType":"https://slsa.dev/provenance/v0.2","bundle":{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.1","verificationMaterial":{"x509CertificateChain":{"certificates":[{"rawBytes":"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"},{"rawBytes":"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"},{"rawBytes":"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"}]},"tlogEntries":[{"logIndex":"18493590","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"intoto","version":"0.0.2"},"integratedTime":"1682011038","inclusionPromise":{"signedEntryTimestamp":"MEQCIDfITcXf8hI6h4PNE4sn3o4MdRC0mXmx/Uc1TR6Me/ScAiAve29D0ZhvOaO1w3OpdLBu2jiu49u97SjiEvqRlYM5tw=="},"inclusionProof":null,"canonicalizedBody":"eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWRUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8ranNvbiIsInNpZ25hdHVyZX
MiOlt7InB1YmxpY0tleSI6IkxTMHRMUzFDUlVkSlRpQkRSVkpVU1VaSlEwRlVSUzB0TFMwdENrMUpTVWhHUkVORFFuQnhaMEYzU1VKQlowbFZTV1F5VWxOUmJGcHdTRTF0TDBaaU1UWTRWMUYwU1VOcFZXUnpkME5uV1VsTGIxcEplbW93UlVGM1RYY0tUbnBGVmsxQ1RVZEJNVlZGUTJoTlRXTXliRzVqTTFKMlkyMVZkVnBIVmpKTlVqUjNTRUZaUkZaUlVVUkZlRlo2WVZka2VtUkhPWGxhVXpGd1ltNVNiQXBqYlRGc1drZHNhR1JIVlhkSWFHTk9UV3BOZDA1RVNYZE5WR040VG5wRk0xZG9ZMDVOYWsxM1RrUkpkMDFVWTNsT2VrVXpWMnBCUVUxR2EzZEZkMWxJQ2t0dldrbDZhakJEUVZGWlNVdHZXa2w2YWpCRVFWRmpSRkZuUVVVeVRIUkhkWEJxTnpWRlkzcE1kREpwWkd4eVlWWmhjREoyY1dwb2JVTTVjMkl6ZVRFS1dsY3laVVJsYlZneldGWkpMM2x5U1hOQk5FZ3hiM3BJT1cxb1pVY3JSR3BwU1hNMFJISnNXREZZZURoRE1rWlpSR0ZQUTBKaWEzZG5aMWN4VFVFMFJ3cEJNVlZrUkhkRlFpOTNVVVZCZDBsSVowUkJWRUpuVGxaSVUxVkZSRVJCUzBKblozSkNaMFZHUWxGalJFRjZRV1JDWjA1V1NGRTBSVVpuVVZWTVJuTXZDbkZ2ZUdsQ1dFaG9jbk4wTTNkUVdURjZkemhTVldjd2QwaDNXVVJXVWpCcVFrSm5kMFp2UVZVek9WQndlakZaYTBWYVlqVnhUbXB3UzBaWGFYaHBORmtLV2tRNGQySjNXVVJXVWpCU1FWRklMMEpIVlhkWk5GcG9ZVWhTTUdOSVRUWk1lVGx1WVZoU2IyUlhTWFZaTWpsMFRESjRhR1JZU214aWJsSjZZVmN4ZGdwaWFUbDNZMjA1TWxwWE5XaGliVTVzVEZjMWQySlRNVEJhV0U0d1RIazFibUZZVW05a1YwbDJaREk1ZVdFeVduTmlNMlI2VEROS2JHSkhWbWhqTWxWMUNtVlhNWE5SU0Vwc1dtNU5kbUZIVm1oYVNFMTJZbGRHY0dKcVFUVkNaMjl5UW1kRlJVRlpUeTlOUVVWQ1FrTjBiMlJJVW5kamVtOTJURE5TZG1FeVZuVUtURzFHYW1SSGJIWmliazExV2pKc01HRklWbWxrV0U1c1kyMU9kbUp1VW14aWJsRjFXVEk1ZEUxQ09FZERhWE5IUVZGUlFtYzNPSGRCVVVsRlJWaGtkZ3BqYlhSdFlrYzVNMWd5VW5Cak0wSm9aRWRPYjAxRVdVZERhWE5IUVZGUlFtYzNPSGRCVVUxRlMwZEplazlFWnpWT1IxbDVXa2RTYUU1RVRURk9WMVpvQ2s1VVdYZE9iVnBxV1RKSmVFNXFXbXhPYWtVeFRtcFdiRTFVU21oTlZGRjNTbWRaUzB0M1dVSkNRVWRFZG5wQlFrSkJVVmxWU0ZacFlrZHNlbUZEUWxFS1dWZE9jbGxYWkd4SlNGSjJTVWMxZDJKWGNIcE5RelJIUTJselIwRlJVVUpuTnpoM1FWRlZSVWxIZUdoa1dFcHNZbTVTZW1GWE1YWmlhVGwzWTIwNU1ncGFWelZvWW0xT2JFeFhOWGRpVXpFd1dsaE9NRTFDTUVkRGFYTkhRVkZSUW1jM09IZEJVVmxGUkROS2JGcHVUWFpoUjFab1draE5kbUpYUm5CaWFrRTNDa0puYjNKQ1owVkZRVmxQTDAxQlJVbENRekJOU3pKb01HUklRbnBQYVRoMlpFYzVjbHBYTkhWWlYwNHdZVmM1ZFdONU5XNWhXRkp2WkZkS01XTXlWbmtLV1RJNWRXUkhWblZrUXpWcVlqSXdkMk5SV1V0TGQxbENRa0ZIUkhaNlFVSkRVVkpxUkVkR2IyUklVbm
RqZW05MlRESmtjR1JIYURGWmFUVnFZakl3ZGdwaVIwWXhZMjFXZFdSSVRuQmlWemwxVEROQ2VXSXpXbXhpYlVaMVdUSlZkR0p1UW5STVdGSnNZek5SZGt4dFpIQmtSMmd4V1drNU0ySXpTbkphYlhoMkNtUXpUWFpqYlZaeldsZEdlbHBUTlRWaVYzaEJZMjFXYldONU9XOWFWMFpyWTNrNWRGbFhiSFZOUkdkSFEybHpSMEZSVVVKbk56aDNRVkZ2UlV0bmQyOEtXV3BOTkU5RWF6QmFha3ByV2tkRk1FMTZWVEZhVjBVeFRtcEJNbHB0VG1wWmFrVXlUbTFWTWsxVVZUSk9WMVY0VFcxRmVFNUVRV1JDWjI5eVFtZEZSUXBCV1U4dlRVRkZURUpCT0UxRVYyUndaRWRvTVZscE1XOWlNMDR3V2xkUmQxRjNXVXRMZDFsQ1FrRkhSSFo2UVVKRVFWRXhSRVJPYjJSSVVuZGplbTkyQ2t3eVpIQmtSMmd4V1drMWFtSXlNSFppUjBZeFkyMVdkV1JJVG5CaVZ6bDFURE5DZVdJeldteGliVVoxV1RKVmRHSnVRblJNV0ZKc1l6TlJkMDlCV1VzS1MzZFpRa0pCUjBSMmVrRkNSRkZSY1VSRGFHbE5lbWMwVDFSU2JVMXRVbXRaVkZGNlRsUldiRmxVVlRKTlJGcHRXVEpPYVUxVVdUSmFWRmw0VGxSWk1RcGFWRVY1V1ZSRk1FMUNPRWREYVhOSFFWRlJRbWMzT0hkQlVUUkZSVkYzVUdOdFZtMWplVGx2V2xkR2EyTjVPWFJaVjJ4MVRVSnJSME5wYzBkQlVWRkNDbWMzT0hkQlVUaEZRM2QzU2s1cVFYbE5ha2w2VDFSUk1VMURPRWREYVhOSFFWRlJRbWMzT0hkQlVrRkZTVkYzWm1GSVVqQmpTRTAyVEhrNWJtRllVbThLWkZkSmRWa3lPWFJNTW5ob1pGaEtiR0p1VW5waFZ6RjJZbXBCV1VKbmIzSkNaMFZGUVZsUEwwMUJSVkpDUVc5TlEwUlpNRTVVUVRGTlJHczFUVWhGUndwRGFYTkhRVkZSUW1jM09IZEJVa2xGV1hkNGFHRklVakJqU0UwMlRIazVibUZZVW05a1YwbDFXVEk1ZEV3eWVHaGtXRXBzWW01U2VtRlhNWFppYVRsM0NtTnRPVEphVnpWb1ltMU9iRXhYTlhkaVV6RXdXbGhPTUV4NU5XNWhXRkp2WkZkSmRtUXlPWGxoTWxwellqTmtla3d6U214aVIxWm9ZekpWZFdWWE1YTUtVVWhLYkZwdVRYWmhSMVpvV2toTmRtSlhSbkJpYWtFMFFtZHZja0puUlVWQldVOHZUVUZGVkVKRGIwMUxSMGw2VDBSbk5VNUhXWGxhUjFKb1RrUk5NUXBPVjFab1RsUlpkMDV0V21wWk1rbDRUbXBhYkU1cVJURk9hbFpzVFZSS2FFMVVVWGRKVVZsTFMzZFpRa0pCUjBSMmVrRkNSa0ZSVkVSQ1JqTmlNMHB5Q2xwdGVIWmtNVGxyWVZoT2QxbFlVbXBoUkVKdFFtZHZja0puUlVWQldVOHZUVUZGVmtKR1owMVdiV2d3WkVoQ2VrOXBPSFphTW13d1lVaFdhVXh0VG5ZS1lsTTVjMWxZVm5sYVZ6VXdZekpzZEdJeU5IWmpTRXAyWkcxV2RWbFhOV3BhVXpGMVkwY3dkR1JIVm5wa1F6bG9XVE5TY0dJeU5YcE1NMG94WW01TmRncE9SR014VG5wQk1rMUVRWGRQVXpsb1pFaFNiR0pZUWpCamVUaDRUVWxIUzBKbmIzSkNaMFZGUVdSYU5VRm5VVU5DU0hkRlpXZENORUZJV1VFelZEQjNDbUZ6WWtoRlZFcHFSMUkwWTIxWFl6TkJjVXBMV0hKcVpWQkxNeTlvTkhCNVowTTRjRGR2TkVGQlFVZElialoxWnpablFVRkNRVTFCVW5wQ1JrRnBRVz
BLTUhWUGFrNWhVSGRWVUdGVFJHcG9iMWRCSzI0MFRVUTJRbXRqU0hGUVlqTm1SMUprUWtzemNYUlJTV2hCVEhORlkyNVNjM2swUjFJMlJsTkVLemxpWmdwSVVEUmtORVl5VUZadFpVWTNjbTVZTHpWYWR6SXlSVzlOUVc5SFEwTnhSMU5OTkRsQ1FVMUVRVEpuUVUxSFZVTk5RbUpuWmtWcVMzcFhUekZOV0ZwT0NtTmxjR3BoYVVSSUwyb3lMMWQzZDJVck1IaFBRVkUzWkdkSGVHbHFZVlJ5Vm5WNU5YQXllV0UyTmt0M2QxVnRiblZCU1hoQlMycEtlbVZwUVhwc2FFSUtUMFJIZDNGWVUwWjZjMEZsVFZKR01TdDVkbU13TlZWaGN6SnVRak5OTDJKcE5HbDRWMGhKTWpSamVtWkliVVJGVWxKaWFESm5QVDBLTFMwdExTMUZUa1FnUTBWU1ZFbEdTVU5CVkVVdExTMHRMUT09Iiwic2lnIjoiVFVWUlEwbENWRVZWYkhWeFMzbHpkMnhsV21aYWVtb3hNVU5vTVd3eVdtRm5SSEJZWVZWSFdHWTBaREp6TTBoWVFXbENPWE12VmtWWVluQXJOMWs1UVdKbmFIbzJSVE52YjNabFRHVXpOVVU0VUVSVlMwRTFOMVF2ZERaQ2R6MDkifV19LCJoYXNoIjp7ImFsZ29yaXRobSI6InNoYTI1NiIsInZhbHVlIjoiYjEyYTIyODRiNGNmYzY1ZWZiMTI2YjUxNzZhZTBjMzU2YWZjOTQwM2JiNTdiM2RmNmI2MzRjNTE2ZDBiNTBlMSJ9LCJwYXlsb2FkSGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6ImJhZjkxMjU2MzIyYzQ0N2ExMGQ3ZDM0YjgxZTA0YzI0MjZhNzMwMjJlYTNjNWU3YWE4MmIwNjIwYzY4ZGIxZGQifX19fQ=="}],"timestampVerificationData":null},"dsseEnvelope":{"payload":"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","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEQCIBTEUluqKyswleZfZzj11Ch1l2ZagDpXaUGXf4d2s3HXAiB9s/VEXbp+7Y9Abghz6E3ooveLe35E8PDUKA57T/t6Bw==","keyid":""}]}}}]} \ No newline at end of file 
diff --git a/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-cli-v02-prega.tgz b/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-cli-v02-prega.tgz new file mode 100644 index 0000000000000000000000000000000000000000..c53029ef610f44a8b1bc1b5db3662ec894efd97e GIT binary patch literal 7120 zcmV;>8!zM^iwFP!00002|Lr{eciXnL{aJqn%4V~aCsC3eJFRlE)s5ZNTVngz&g*uv zETc$BVoebmL0Zwe{O|9600bz>PS&nI>pRxzX=D<(xVYaRfEH1F9ZhBb<;jcV)63(} zeu>XuFgSSfL~MIL80;Pl_x8nSd;152;qc&K0OJP3!R}N1_p^KWRJx1`K;=KMN%)BR z-(Sf`eC%_$h~k+PFVk4&TDI;O`M8w**2q`MWuj6 zr$q!4^C=B7bnp<6(8DOjdqhNqRFqN8@27;D_%DN&d zr2Qi!q`SBqd|KrROpDcgu5ts(3>3?>oG~0;Fcjaag78>W#X^C^II7kRw>%0Alz_IP zMLX^ARJD{v7uZ(-mk^0G=kHxnDiKG(bR1`(@GGJ~A?8sImJ^wW>*^|=8N|9`Ig_+~ z;6AMz5p16_%M_&vptMuKgxI5J=>j25(g{#=A&VG6xAzCX>Ckct$isxUfT|LV7vKv# z05%m;TZjO1EOQ`2oB}Hw&^yY$6~ZcnFCPYgd=J>B z8W91!=c(2t@FZuf1jLpNQM-iIVo*U)ulc&9Eebi2MFG?4?Sv?PjZ4f`lET&^(kjc~ zG>@~2NC8SHa#e~fou{}u@KLKtxkT~Ov>-4g0qR@bBR~cW59nI`pQO{Op!dL*OnT{~C`=?z<~(tQ-L(M+o%H&L2J+)-T)PE zq(Fk`U|j-mjqNlryEl-S1{U#gq>*_!sbYd_p!9?Eu&u(Sh+U`)%UK%FJYxXND!~VU zW)|`$C03#o18Iz&2niHch5ZXa7&iObWPqWUlNuz2s2{;%DkG(UY3Vf0VUc?}~Nu8S0@l8{QFk<24F7kJ4H{8odh68$Gzw>ZX^jU0Yw(0* zI5Clkg`}7^Gz;F}hJ4pkiW059f~7NSwskcI+hL4{jXOxX2y;Tur~)lSc6=kOuv{j0 zcc-`T0~NH&v^>iDSOPI8K#JRgmrwKdBB=Ki7+CD@YqJcKWCjXYC@{uds85(exEAIB;j%C4?c2yoTvqH{jjV1>W;`|Xt+E6!DLeuRG$DX9MR61t zKyV1Vga~gTOQ4JuKQMh+vP?17$W`7W&TH5){@H`5r@A+rkXm^B8m>!?UcJ0}HLADhw0)cQVO@!PrsX|T$r@rYpl zAR?)wdYZOA!ET5%T;pv4eGc-P$eAUU$O`N0LUA%d{@1yX21|u9T{ERjr;I{0jqo)Y zIg_}zox`eQ>q2SWBZA>JVpU=M#D4?lBauZ*U8N;%HIq|z0zff~yo(9etm0h;j(h?m zu1%`#;KYtOE4wYrk2yuE0ER=crX<>s$tI&lQ*5H)bj-Ls8&$D)Kov#qSy_p+4cHQR zXoat)E^gLQQ%eHQXzz(K1wrSX-JEA;d35JcZSOrFo3_2K+>j&FQUi!2Cy}S zEuzu#L*F_(#Lvb?Bk~XHnZz@4qjt@)w>BCrqFGEN z#!X!>m>>}?ow}L5aS37zKI`vi(Hqsytbrl7w~nt}o(b5ZDI1g}etDp5>KOqKql9uy zCvmncI5H5Me z2&IXR(JiuAt43|Ub{kQW;P(Ra9bY0nC>C`?p-<6-E>m9vBm6y4K859tB$0Vi&28A) zkQi%NIRCTkT(@aNU|YlhGHg{Qs#ZbH#Bo4Tt;-)1=C;1YRuZ|ag2GlR)^h-`R`~K* 
zfk4bYe3Y>ymtxe~h;p|?@UFDCrDeomyk3!-Y{91M)Mi4-;_8-E#IMfPszmT`X|I~+ z5ZLHeHN0>gbz?1=LTQwvMp>rLRMs+q21E8K*)g2}&Q)C$s6+8O2QR9LY4SZR6sMT} z5=5^-Qr9rtdv%<{@ux0bG4q>n4E7jih%8~fGgeM15ePU6HCGIt2wr( z5gVW~#2qng(6FLTIbtYoSK|A_i;Kh4tCQnPadzRi<yomf^aA04)A-dj%v4) zlnu3jE@f$FEdlhbc6PEP-D{Ob7hsw-X{ zU%dDZusrUkP@SHY00qMdaB!AB0di7GSHfjwq5pLI->r|6v*D6ly zG?|UM>9bNb)^D_KCbKMiUxx6vB`HpNnMUI@qvrVudR_tHPhJup36ijKLT-xnh`MiKmn`uF zf~M~HcKu-M*>E3Nl(8(!Qd-zl1chEX0%-o%2-pvL;GNbcl3 z$D<{#AjV|PEbc;$GgF14xTTL~2P0o@wZMK*Urc_L>PEW<5{&QE5;GxAC2N8aJw3o~ ze{`ZH&%AC(9dnzu2o-V7V>G1Bj1s;S>9{V6v*@l;}ZZwK|sW$O?5xEhZW# z27nwDuF(bu=qs9?PjmPM(FDOu>wdhUob9{TCcI9cvZ_*Gzn~g3nv=hVTYF z*Sf54X}A%R#LJnQ;?wmHgo-u}sLxz>o*@XEkDwu7_hriGHjGbmlZKLMtR<=ralEWw zjj37|HA;3?kfYLy`^S!)nq$yCK$)g|N`!t}>|xHFwfrh&gI*RrJi_1&xGe(znc=q$ zyoqd=QZ`VqLQY`~$P8>PpH?7n5E6h}$k$KynQDoP*Y)PU!q#UGpa1sH!kqtyXuFS| z^nLh)zSr~rgT1Fu4%W~A5BCTA59j~y;}f9aMcWgX!L!y)RET%)Vu)Z$`Ay2Tspn|B z!9@M`w`8Ehwf7zIuYZX)_YOmTBYrR1HYaGSu9$ZP#1GfI9q}WXVTj<`*Sq5R^XFtV z=%9Q@;1h98jzJ(E=q%xhfjpJv*)l%|R}B%^>c}`!RkRT}yAy)@IZZ>90+I9(F9k!Xon{gb$Fc)7z225;Y#LEk~l>E=<7| zU{&N|{^t7aGx0%uVC+7$+}YQVcWt+WM7rMX(kif*4;?`7XHrnTx!!#Xe-aV^v16I5 zWyvHsl9LEi%}xHU5BUTZ-&o9U-CvL}u%Nq@iZ@YK!5=r`gC)RL@ajzs2X}XaW9`oP z^vETs^Oilim$VxTT(svZ@u>=b;w<>bla@}+Qk6IXHK{sC#fN8&`JX=*d6i`y@~Ukd zitSB7D-q{l#B)awT+fgVLeWy;iR%y&UQgb`7}9Bkjl$kpSJ5_O(iLU^W3$Oef1DX) z_QfxNn3k5&GDHG?Ye0YKiB#j@AL@t-&yzLeRtW|bnrqfpg?-@#wQ8)t_=eEyDkk4UP=h*$%py8X~ zuwjGDaLVstJ*hGXP&1i0%*$d0|A+K?(XMwJ=8$xlA&7~9ARKb1w!sy_w+T&yWMd6} z|FI?B1bCTf8NB_e%MdtbyrCd`3lluJ^!u8g=BdGCWVqIN8e-GET@$8T<6pCYk5s^F z4trpMBNio~+e8T2_2zA-!{qE3nI#MHthL?JK)efj4#F2W^(B*I3=CQuf?x)QlwG~j z=;v-!nux)(7PTKCktifQ^i4xl1k^>I{ynALQ(0NZmtwK8Ocu+|>hY}YL4 z{vXR2K6Z&@j&``0FXp{cYH;2-+}vEi8N+Z8?(tKv zxPfo3V7M?+MUK#cQmdKltKvGe$G|8ZFAo#xnHJd^SD+6;QOIm2v*P>Ewf2*7AQpWmBD3p+3a zwZl{u&$?g(^na=fM{?;g`u@DGrhE(^3qvCij6@QOJeTc(G{ZxPkEr0-UC$U85>8 z^W=Z9z@kU}K75~5V~D5c{f|jih>+?f`Hl#JV`(t88GOJ6CM?eIt8q2;q{JZc6AfSgE&8)A&eWDe(zK1H#&#(W0 
z6{XDgmk0np;{S)kP5=M&;KBdjoByZV@pN;zI3xe)5Qn-JM_=)VCcRb)Zd=g-@dHBeYJxXZTNnA z{O7BkP(1EibmtuMk7!R|pE0QT7`i-%uh^NigmKLw8^Sd$DEuDH6a0rS*x|Q|A4qNR zH;6&X(m+gA@YVqTAVF0wDm=VcRB?$NcXM=&UxQorS16QnOF)ou z>k{795g5*M5b2C{j;r#Gck!BAf%fhpU1DXl+#H7>b!mD%-mQ-TNk7**(aX7Hz(p>sCO>LkY=dD1b6LXStC&ISvx^FT|GorPbP!^h{?xbCbJV^>L&(aY4tSWDks2xU=2npWKgU0?c`k$y}o~bD5L7)b4L8xc{0Xwdj}IKXW@jd%I-^3daS*ouJwqNlfV#BtMq_h#^RNBj;Y z;C7+~W;wGzpI1L=$)R2H7P{hk->9;&kp2k^@hTfM-&7VbT4M_G@yuHQ$%f|pPgx?1 zAZ(e}KTT`QWKUT)Wct_Rqtd?^vvV1oc_}nGDqe!vFtFg) zh%f$10@CaGvuSsz`+wu_7{k+JGJBd#H6~X#Gr-{cxBOzRNzjX)Hkg zj_dii8Jqv?z8`|%hxi}Mg{BKz-t+m-!SLz+X8(V0_z?f!$A^oA;xXPUpc5}-%GcVH z&syeq35;6hvDiH8LUv}Zrz5J@(#4PtcM$G4yz=2e{r+q8KV<*W$Gbk0Of5Bd5&S(7 z*+Yl87p~^nFQos&;nR)!AN=!>|KH08Lx2%yWqab>1heNR)F~AnD)~XTS}Gs4gpr65 z>NWM_N8$}1L`~kdgq56k_=_xf4sir&t-CTZqF>eN;kD4#4{EFt3LRY`aQ@|zk-aO) zCWt4BFY2q;aeasS4e2|fnIP`G~rK+aB%UI-e% zZ4>;dNqBB&8|Bc=+0_EGFuKau2>RWxm1ErP=6u_jV~9w12}?7p(zpgio|6I?f~4%z zpRAR=`mE#@JtZQ_;vKeVe$ek~b^ZEg7#@U!UJ-|bmi>tbM_c?=yOH^UM0>3oqg)mN z?qAufc~#ysXR;tGNxRIq7XKVC(6X#qhB)-_0FR~mqaS~?W5Uz(SMRRQ{&ajQK0KV+ z_|@3|pJn+!$^H+XK3%u}`-9zw{?9$y|Npq*Hx}L*c(5V5hi59Pag~=#OgvO>=k$yftpis)E1;_K>zlpp1Hk-Niym66dPvhoT6^Y>t_;82aqkK_ z#Y>wj$i6dpXFF#0aYzKj+oj%|7|$<`khT^lpbP!YcOJ4#^rrad*M>gpqvCYqQGEt< z%dzpNG${^z(maB?f2! GZU6v{B;H2= literal 0 HcmV?d00001 diff --git a/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-cli-v02-prega.tgz.json b/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-cli-v02-prega.tgz.json new file mode 100644 index 000000000..47e0349fd --- /dev/null +++ b/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-cli-v02-prega.tgz.json 
@@ -0,0 +1 @@ +{"attestations":[{"predicateType":"https://github.com/npm/attestation/tree/main/specs/publish/v0.1","bundle":{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.1","verificationMaterial":{"publicKey":{"hint":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA"},"tlogEntries":[{"logIndex":"18493593","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"intoto","version":"0.0.2"},"integratedTime":"1682011041","inclusionPromise":{"signedEntryTimestamp":"MEUCIQC56Jk+crJXrVlY+m609XZCFJK1TBf+mJNw52yeZQB/uAIgBo/owggXcsChlwgwoecZLiSXZoaTDL1yyt16OoMrusc="},"inclusionProof":null,"canonicalizedBody":"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"}],"timestampVerificationData":null},"dsseEnvelope":{"payload":"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","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEUCIHSqlNBxT1PiUkTaa4djMsRp5R/bpiESPretv+BrKhbsAiEAt+Oh7lVS4GYCyLtE3LJYGMSa1AR1gG1PqKhXcijPOxE=","keyid":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA"}]}}},{"predicateType":"https://slsa.dev/provenance/v0.2","bundle":{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.1","verificationMaterial":{"x509CertificateChain":{"certificates":[{"rawBytes":"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"},{"rawBytes":"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"},{"rawBytes":"MIIB9zCCAXygAwIBAgIUALZNAPFdxHPwjeDloDwyYChAO/4wCgYIKoZIzj0EAwMwKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0yMTEwMDcxMzU2NTlaFw0zMTEwMDUxMzU2NThaMCoxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjERMA8GA1UEAxMIc2lnc3RvcmUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT7XeFT4rb3PQGwS4IajtLk3/OlnpgangaBclYpsYBr5i+4ynB07ceb3LP0OIOZdxexX69c5iVuyJRQ+Hz05yi+UF3uBWAlHpiS5sh0+H2GHE7SXrk1EC5m1Tr19L9gg92jYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRYwB5fkUWlZql6zJChkyLQKsXF+jAfBgNVHSMEGDAWgBRYwB5fkUWlZql6zJChkyLQKsXF+jAKBggqhkjOPQQDAwNpADBmAjEAj1nHeXZp+13NWBNa+EDsDP8G1WWg1tCMWP/WHPqpaVo0jhswe
NFZgSs0eE7wYI4qAjEA2WB9ot98sIkoF3vZYdd3/VtWB5b9TNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ"}]},"tlogEntries":[{"logIndex":"18493590","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"intoto","version":"0.0.2"},"integratedTime":"1682011038","inclusionPromise":{"signedEntryTimestamp":"MEQCIDfITcXf8hI6h4PNE4sn3o4MdRC0mXmx/Uc1TR6Me/ScAiAve29D0ZhvOaO1w3OpdLBu2jiu49u97SjiEvqRlYM5tw=="},"inclusionProof":null,"canonicalizedBody":"eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWRUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8ranNvbiIsInNpZ25hdHVyZXMiOlt7InB1YmxpY0tleSI6IkxTMHRMUzFDUlVkSlRpQkRSVkpVU1VaSlEwRlVSUzB0TFMwdENrMUpTVWhHUkVORFFuQnhaMEYzU1VKQlowbFZTV1F5VWxOUmJGcHdTRTF0TDBaaU1UWTRWMUYwU1VOcFZXUnpkME5uV1VsTGIxcEplbW93UlVGM1RYY0tUbnBGVmsxQ1RVZEJNVlZGUTJoTlRXTXliRzVqTTFKMlkyMVZkVnBIVmpKTlVqUjNTRUZaUkZaUlVVUkZlRlo2WVZka2VtUkhPWGxhVXpGd1ltNVNiQXBqYlRGc1drZHNhR1JIVlhkSWFHTk9UV3BOZDA1RVNYZE5WR040VG5wRk0xZG9ZMDVOYWsxM1RrUkpkMDFVWTNsT2VrVXpWMnBCUVUxR2EzZEZkMWxJQ2t0dldrbDZhakJEUVZGWlNVdHZXa2w2YWpCRVFWRmpSRkZuUVVVeVRIUkhkWEJxTnpWRlkzcE1kREpwWkd4eVlWWmhjREoyY1dwb2JVTTVjMkl6ZVRFS1dsY3laVVJsYlZneldGWkpMM2x5U1hOQk5FZ3hiM3BJT1cxb1pVY3JSR3BwU1hNMFJISnNXREZZZURoRE1rWlpSR0ZQUTBKaWEzZG5aMWN4VFVFMFJ3cEJNVlZrUkhkRlFpOTNVVVZCZDBsSVowUkJWRUpuVGxaSVUxVkZSRVJCUzBKblozSkNaMFZHUWxGalJFRjZRV1JDWjA1V1NGRTBSVVpuVVZWTVJuTXZDbkZ2ZUdsQ1dFaG9jbk4wTTNkUVdURjZkemhTVldjd2QwaDNXVVJXVWpCcVFrSm5kMFp2UVZVek9WQndlakZaYTBWYVlqVnhUbXB3UzBaWGFYaHBORmtLV2tRNGQySjNXVVJXVWpCU1FWRklMMEpIVlhkWk5GcG9ZVWhTTUdOSVRUWk1lVGx1WVZoU2IyUlhTWFZaTWpsMFRESjRhR1JZU214aWJsSjZZVmN4ZGdwaWFUbDNZMjA1TWxwWE5XaGliVTVzVEZjMWQySlRNVEJhV0U0d1RIazFibUZZVW05a1YwbDJaREk1ZVdFeVduTmlNMlI2VEROS2JHSkhWbWhqTWxWMUNtVlhNWE5SU0Vwc1dtNU5kbUZIVm1oYVNFMTJZbGRHY0dKcVFUVkNaMjl5UW1kRlJVRlpUeTlOUVVWQ1FrTjBiMlJJVW5kamVtOTJURE5TZG1FeVZuVUtURzFHYW1SSGJIWmliazExV2pKc01HRklWbWxrV0U1c1kyMU9kbUp1VW14aWJsRjFXVEk1ZEUxQ09FZERhWE5IUVZGUlFtYzNPSGRCVVVsRlJWaGtkZ3BqYlhSdFlrYzVNMWd5VW5Cak0wSm9aRWR
PYjAxRVdVZERhWE5IUVZGUlFtYzNPSGRCVVUxRlMwZEplazlFWnpWT1IxbDVXa2RTYUU1RVRURk9WMVpvQ2s1VVdYZE9iVnBxV1RKSmVFNXFXbXhPYWtVeFRtcFdiRTFVU21oTlZGRjNTbWRaUzB0M1dVSkNRVWRFZG5wQlFrSkJVVmxWU0ZacFlrZHNlbUZEUWxFS1dWZE9jbGxYWkd4SlNGSjJTVWMxZDJKWGNIcE5RelJIUTJselIwRlJVVUpuTnpoM1FWRlZSVWxIZUdoa1dFcHNZbTVTZW1GWE1YWmlhVGwzWTIwNU1ncGFWelZvWW0xT2JFeFhOWGRpVXpFd1dsaE9NRTFDTUVkRGFYTkhRVkZSUW1jM09IZEJVVmxGUkROS2JGcHVUWFpoUjFab1draE5kbUpYUm5CaWFrRTNDa0puYjNKQ1owVkZRVmxQTDAxQlJVbENRekJOU3pKb01HUklRbnBQYVRoMlpFYzVjbHBYTkhWWlYwNHdZVmM1ZFdONU5XNWhXRkp2WkZkS01XTXlWbmtLV1RJNWRXUkhWblZrUXpWcVlqSXdkMk5SV1V0TGQxbENRa0ZIUkhaNlFVSkRVVkpxUkVkR2IyUklVbmRqZW05MlRESmtjR1JIYURGWmFUVnFZakl3ZGdwaVIwWXhZMjFXZFdSSVRuQmlWemwxVEROQ2VXSXpXbXhpYlVaMVdUSlZkR0p1UW5STVdGSnNZek5SZGt4dFpIQmtSMmd4V1drNU0ySXpTbkphYlhoMkNtUXpUWFpqYlZaeldsZEdlbHBUTlRWaVYzaEJZMjFXYldONU9XOWFWMFpyWTNrNWRGbFhiSFZOUkdkSFEybHpSMEZSVVVKbk56aDNRVkZ2UlV0bmQyOEtXV3BOTkU5RWF6QmFha3ByV2tkRk1FMTZWVEZhVjBVeFRtcEJNbHB0VG1wWmFrVXlUbTFWTWsxVVZUSk9WMVY0VFcxRmVFNUVRV1JDWjI5eVFtZEZSUXBCV1U4dlRVRkZURUpCT0UxRVYyUndaRWRvTVZscE1XOWlNMDR3V2xkUmQxRjNXVXRMZDFsQ1FrRkhSSFo2UVVKRVFWRXhSRVJPYjJSSVVuZGplbTkyQ2t3eVpIQmtSMmd4V1drMWFtSXlNSFppUjBZeFkyMVdkV1JJVG5CaVZ6bDFURE5DZVdJeldteGliVVoxV1RKVmRHSnVRblJNV0ZKc1l6TlJkMDlCV1VzS1MzZFpRa0pCUjBSMmVrRkNSRkZSY1VSRGFHbE5lbWMwVDFSU2JVMXRVbXRaVkZGNlRsUldiRmxVVlRKTlJGcHRXVEpPYVUxVVdUSmFWRmw0VGxSWk1RcGFWRVY1V1ZSRk1FMUNPRWREYVhOSFFWRlJRbWMzT0hkQlVUUkZSVkYzVUdOdFZtMWplVGx2V2xkR2EyTjVPWFJaVjJ4MVRVSnJSME5wYzBkQlVWRkNDbWMzT0hkQlVUaEZRM2QzU2s1cVFYbE5ha2w2VDFSUk1VMURPRWREYVhOSFFWRlJRbWMzT0hkQlVrRkZTVkYzWm1GSVVqQmpTRTAyVEhrNWJtRllVbThLWkZkSmRWa3lPWFJNTW5ob1pGaEtiR0p1VW5waFZ6RjJZbXBCV1VKbmIzSkNaMFZGUVZsUEwwMUJSVkpDUVc5TlEwUlpNRTVVUVRGTlJHczFUVWhGUndwRGFYTkhRVkZSUW1jM09IZEJVa2xGV1hkNGFHRklVakJqU0UwMlRIazVibUZZVW05a1YwbDFXVEk1ZEV3eWVHaGtXRXBzWW01U2VtRlhNWFppYVRsM0NtTnRPVEphVnpWb1ltMU9iRXhYTlhkaVV6RXdXbGhPTUV4NU5XNWhXRkp2WkZkSmRtUXlPWGxoTWxwellqTmtla3d6U214aVIxWm9ZekpWZFdWWE1YTUtVVWhLYkZwdVRYWmhSMVpvV2toTmRtSlhSbkJpYWtFMFFtZHZja0puUlVWQldVOHZUVUZ
GVkVKRGIwMUxSMGw2VDBSbk5VNUhXWGxhUjFKb1RrUk5NUXBPVjFab1RsUlpkMDV0V21wWk1rbDRUbXBhYkU1cVJURk9hbFpzVFZSS2FFMVVVWGRKVVZsTFMzZFpRa0pCUjBSMmVrRkNSa0ZSVkVSQ1JqTmlNMHB5Q2xwdGVIWmtNVGxyWVZoT2QxbFlVbXBoUkVKdFFtZHZja0puUlVWQldVOHZUVUZGVmtKR1owMVdiV2d3WkVoQ2VrOXBPSFphTW13d1lVaFdhVXh0VG5ZS1lsTTVjMWxZVm5sYVZ6VXdZekpzZEdJeU5IWmpTRXAyWkcxV2RWbFhOV3BhVXpGMVkwY3dkR1JIVm5wa1F6bG9XVE5TY0dJeU5YcE1NMG94WW01TmRncE9SR014VG5wQk1rMUVRWGRQVXpsb1pFaFNiR0pZUWpCamVUaDRUVWxIUzBKbmIzSkNaMFZGUVdSYU5VRm5VVU5DU0hkRlpXZENORUZJV1VFelZEQjNDbUZ6WWtoRlZFcHFSMUkwWTIxWFl6TkJjVXBMV0hKcVpWQkxNeTlvTkhCNVowTTRjRGR2TkVGQlFVZElialoxWnpablFVRkNRVTFCVW5wQ1JrRnBRVzBLTUhWUGFrNWhVSGRWVUdGVFJHcG9iMWRCSzI0MFRVUTJRbXRqU0hGUVlqTm1SMUprUWtzemNYUlJTV2hCVEhORlkyNVNjM2swUjFJMlJsTkVLemxpWmdwSVVEUmtORVl5VUZadFpVWTNjbTVZTHpWYWR6SXlSVzlOUVc5SFEwTnhSMU5OTkRsQ1FVMUVRVEpuUVUxSFZVTk5RbUpuWmtWcVMzcFhUekZOV0ZwT0NtTmxjR3BoYVVSSUwyb3lMMWQzZDJVck1IaFBRVkUzWkdkSGVHbHFZVlJ5Vm5WNU5YQXllV0UyTmt0M2QxVnRiblZCU1hoQlMycEtlbVZwUVhwc2FFSUtUMFJIZDNGWVUwWjZjMEZsVFZKR01TdDVkbU13TlZWaGN6SnVRak5OTDJKcE5HbDRWMGhKTWpSamVtWkliVVJGVWxKaWFESm5QVDBLTFMwdExTMUZUa1FnUTBWU1ZFbEdTVU5CVkVVdExTMHRMUT09Iiwic2lnIjoiVFVWUlEwbENWRVZWYkhWeFMzbHpkMnhsV21aYWVtb3hNVU5vTVd3eVdtRm5SSEJZWVZWSFdHWTBaREp6TTBoWVFXbENPWE12VmtWWVluQXJOMWs1UVdKbmFIbzJSVE52YjNabFRHVXpOVVU0VUVSVlMwRTFOMVF2ZERaQ2R6MDkifV19LCJoYXNoIjp7ImFsZ29yaXRobSI6InNoYTI1NiIsInZhbHVlIjoiYjEyYTIyODRiNGNmYzY1ZWZiMTI2YjUxNzZhZTBjMzU2YWZjOTQwM2JiNTdiM2RmNmI2MzRjNTE2ZDBiNTBlMSJ9LCJwYXlsb2FkSGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6ImJhZjkxMjU2MzIyYzQ0N2ExMGQ3ZDM0YjgxZTA0YzI0MjZhNzMwMjJlYTNjNWU3YWE4MmIwNjIwYzY4ZGIxZGQifX19fQ=="}],"timestampVerificationData":null},"dsseEnvelope":{"payload":"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","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEQCIBTEUluqKyswleZfZzj11Ch1l2ZagDpXaUGXf4d2s3HXAiB9s/VEXbp+7Y9Abghz6E3ooveLe35E8PDUKA57T/t6Bw==","keyid":""}]}}}]} \ No newline at end of file 
diff --git a/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-ossf-invalidsigprov.tgz b/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-ossf-invalidsigprov.tgz new file mode 100644 index 0000000000000000000000000000000000000000..99d0c64ba0912bb8c5e6fd0689aa493ba3db6d7b GIT binary patch literal 7304 zcmV;39Cza%iwFP!00002|Lr_$ciYC5`OIH2Vcd%Jk|3$4Lm#(RETvIvOFE*wX^-o5 zL10KC0s#~QkY-c=_q~sq!GNSBCuy|p9`X2CBrtR5&V4@y$o$~OpUU3rvsb6*qth>b zjZeSdKiuCJ+phQfyN83l1M$V)!C`+eI6Umbxc;EOdxU?#cz{o-3O@%_{so(akFbCL zLq6iZ&vE7lGbvt2flQQa+%fXMWv-$$5xZW$BmU?orJt|FZoj{O>!evxWW!!>xmf~&6eRcNDTf9O52A(*PlPHM_Ku&oLjZIVUs43LUk7F^Hej*CkX(98u5`GejAWcG^ zB_?SuN+mlYmsy^MWq_AE8WfHVBUR+lxWwziS0cnEWhllgF_HlT836n|EvGZ_wMZxM zBZ6^hP|jsitmBpD8;AvIw#uXFtPtrkk+}erU}99PgkKi3G>`s4>uEUKW)w5O5U}Vp z_hDi(r9qkw4gzxO$KsSgZy-@7xIw~R3O^ty1`8kqjMZRL7@!f1q~fK4phcd>9pUHF z{D=wZ4(-$8j18-y#a+V(uqkIgxp|t}26>Myw;2GfCSA z?$f$H!FDOLj8K{YN-F|Ph&^f+We8~!O@Nx2%mW17I_UqVP0OV~9wxj2R2E>o0AJt% zuql_yKm?FunE(-j2v}Kz?%-Lm{4Z(Q6fKyG-|}YLhE( zZ4=Zci%_9bLQZdU3X%YOfXlTFyVeVKx?tGZbdeh7wS;YYDQj*b31cBzBb6a_HwwJ7=4E*R?uWPrieyfLL< za71MFivoQMQOIDcL9}24@}ob`U}cyHrX9qbC*sKCER(SEM^L6XUA8MKoX9*{02LQf zAVE}fT>@~8?KIH4*N~V72Jx}4ka-EIVu)*?^n>)Ut-_^}n_X?vz|hM{1(HJ4_hGR#CZ&LB(KJe6l}(;++GAs< zCN=f%h;{O5>Y+4i-Vu21HF7!kBdeb>^K+6Eqzi3hE^`^LKo61|BHS3H1?431=dx{> z9)TgsCw@RqqT~2TOVkadkUBD*R9t_Brd<2@tsGz10jsjkdX|7%;fyb}cp$JEPe_JC z9f=r7Dbt2#!TsBi?>I_Ppw&-d>DZWURgS@SXyakx4w5dyoY2#%Knsx_-v}!Vm&x7T z=`Gwq1+6kIkMcg2K+Fk{;`ZR>^Sr%i+C4QjEcW--EW;!jg97F$7~>9dVeH2wN6Q@N zB@}#=iKf0lEpUl0D?%Zi3RNi!(O-4$bVb&7xog0`3Ma6LQH+yg2q^)Ywm;o|l3GxIXqa;fXNW1G)N~q-DOOT%!mkm;& zH@j;Lcpdd)L$vFOKVVpe%f7PPH<6VXmF!%#tZq$a95r*TvIH+F90Cb6A%HVQaTFIo za0t7E2rrWbP{xQKn7%k%Mi^@(Y0@RmE7&pq>_XI&Pcd;ySAJZqx|3YOuLuIWMH-+X z-|*%-|HB1Mwgodl$1;@T4NF&<^Q;`hT%aNdY8Lw-==KWW%&u0^6&+Z(d7B&NTU$)Q z^2Ul=+&S46X3(C)pi3W(?*9Ysv|yUd3REyiISLaZ0fLGXqPEC*uMYPhTnAt?e<3N# zGYC;0olYhg=YbQDF_>TeA1q3m7t9!I2XvsUqe3z>W@ktO=8;*|&$1ZP%`^d~6P3|+ 
zY1D$)kAU7h*4Z3Tk$||=wRSTB?N!RpBht=E4%WwHG%_;2&sF@EYC{^FCQ^GuFncab zpQSE9!#pu$Q?T!eE9q8-JX(70uPV#7ZiT=OMkcnY*`qt6JYorkjj&h=MvmkNBO3Ud zT8~^$o7simV#zvHDntaSL~AZ3b9s`+kQ1?gH@0iouz6LRcUpp^O%Y#2kMj*+YXn|;w>l>{TEo`IF zvi#SHAF{f6esO*F>a+>U_pu;)quS{;FywaDaka}a0b4X>gR;ag2b4)Yec+)VQjS>( zo!m-RG)g|!c^xp?sF7vhjnEc4pF>v%%ytTIr7H;=z=)-T&qCW)Yf>z%U37T|?7-xLSKFQ$#* z&#`W1BO0uF$$Wt|ef<+~(lX40jnEp5J5|+5r>VL8dl~8O5ju1QJVBREECt7(&apj> z*Z`Fw?g(ImniV$bz)I~#eb#7`;hXjbTU-EB>c|r(k)qTIo3<12J;a|tmz7lli|TmA z2`pvam||6CfVfD>OH~EyR1DL)uPRhqh$|Ki)>Bk>G?p)G%xz;`3rv3VcqGn7P4Ug~ z=xk(&`~BJVcNcH3#rMZoSI6hqXQv}^apkt?{EO z87vx6*MT}SoE6r^1vr12Tb6>iBOk<&PW=qr%zj_r1LYNcFT`MFo#TO250O+Svt6wncJQ>;hWzJ*z`z!M0H zy5rmRgRN)HePB_>uq=*fVOoMxGiRYHsjN<@6(M{$|6H}d02nN-0IIl(O_L9h#e!t2t57nTYH z2jvh0^z}lVhGC28ez=IJNjlNTH$Ve45zOHR4W2dNYfl^p=o63%#`5CI$CaaYl;Zmt zhVFHBU2hiN*={pYXfR7tu7Xmfv({{Yxh8c@m;#aOo&rSOE99R1Gw5B zooGp7ryF8pZrv84BCfuShO{!HgfB%pRTrhQ=vAf25d&Ql#+)gduzf~_XMHEyOe}3e zIe~PAXFy~eZYiDn`J60~39c;_D|IgOyy}+e$}!kv$jUKU0qPU&OGg@=u+iee0(^RYf_`<|F*v$^e0d2&&i*_^7E-kUEb2-hUvQ7^;XOiSX?sa{ zyzVn6bo4QbdNsj>)hTFA4rzE{sv4atlb=K~4wV200m{xse~ev936j}-_r6&rDOj1% z-fm@tiL9#5`kYMK6Rndp*|FyZ933^lzibQ2)+tR@5MF>JK!|Vg(Ak0Gww>NA>WW%{ zJ^yGMp_J4!0$?X#Vyv)1#iMnd)L3yE%W?x!h7l{LT@+?!#u=N|>R47sR;WX2Fi|+M z3CL058f|bBeMP=#Dd?>lm;k3n|*xOm2mOP`^ZyU=X`he~K3O4n4jjelJ=kCupS|G4BY7A8vNr;zu&W5W%%>cEyVqFUV-n zLHV}8E8>P6gFrmcS;7?!c`A#GWpW9w8X~aOiFTxE-a_E)P6+OoG!0Q|!jz^d?f^<( z&H;6)-lSm(rh7=2J+#(j%3%gwuxEbZV%s1r3^G4L_yEZ|-5m-nQRDI2Vkqo(VG6bY z%RCYDcQ@~!i%;ScWA~|1oqhFq*Je9Nq?_Fitpa=b)CTl^AqCTSH@olQCm{h4+lIMH z7EFQ@Iq@;o+~n{2kk4T8!eDmm{+b~JYj(C$apA`${8)%jh5%c^r|&Er+}#4lnw|0K zkrAl#mOWKBX*UMAXwB2mr7HZyS@6e^mbPVS8dd_TQ+1GvPtR-fzkDH*GLGBiRa-a| z+na(`BF@2x7ZpKpJxw+UMT-@WeuRnsCL#5mH7erG;~b)%50KkZiw|==O{&5;WS{J+qxt{zJy&}V)tKxhHrwy zh7B^KQho>PNf|?c8q2W4yvSGZKcv@L%kI`oAnDLU5EB7GIOI+(jVpq05ts~VG`=34ElhfVjEB}~WSZ&|=cDqyt= zdtgCDEJ{GPi4d~u-TQW%$=TL2OBUjJW4on+co*~>gs)ktFPR)|V9?qS1U=BB?COm| zKetGuQ1qWSsQn0uL@wc?YdTsw4`?-C`ut2+4@Wf-GfP(kur*gxBSTsUt@hAnJ9@$D 
zuYvJYv|Q=KH9SmyTYtm!4|^}PeW>J+!|&NU1dTB;}zs=)Dhe5eNpx|t{6VK@qIvJGqo z5e@_-1bpK%Z*yEmafp`-6_{&Wox_V6Sll9l0H)i;5MPR&r%!uNy+ZBO$99963~ttD z(6!AOdNYJd5C}p5M)UI--MOEcfiaj}93>TggCTSOV|VFO6-9}@P|p5+C0tkG#_H04{w-)j|~4xaj5(l6=Hxj z*-ylZTxO}l2g_C!H!wa$fYYcjYm|AculyGl*wnDsgYUC)4EfZ&cb`;w2+1zV&j=wn zmIhs$!wXzs#Nr&^8kbW?N;DEb1A!hrJfkWcX6amJn%6%A-dA{la4wBr;6sEm2_oqr zTMr;$ng1DhgFbA`;tx6Hj{v-8rXxL)sJAXACOtLzn09BbGWX zWn2@;hH*^;3cvgF5dZK4miVpY3sPzPHDZvm)(}g};v^!==3%w{c1i+b_|yo$kfJQI z5)ZHDWl-RW3w?BvZ-ZNQSIE<}S^|QMTbFRQj=*qU1(D9!C%7uV@j$%gRYlpbPc zw5mB3g4Ct!c6qlhcDl%H3VwIW(WySGhesc28oh>q12Z~OmFZ)o75F4QoAWu+<79Q$ zDo9=*&rnH>gy`8@?va_smI!4K`}#q7-VZ+2%-u8Kf3n&kbllZVso@MClS(ta{#~0> zLgK^E5l_HkC?De(%VLQKU0#vM{c%JXosI;&KFPb|W7~eTN`Qq$6zHnp84s&u^^3^>OzdAiWd2{N`!-uc`>>h5^fBFY|kN*EbK3|C~`Aeg*CFz;Yy821}V%5Wu z&cuw4!^tifFTWbqXkbdZh~!e-TUh{?fsv>9r}*LTq6;3>!y^%%U*JtP#U3PhJC7Rs z>*#-&E|WO*!!87B5EpoA_E7r2-|z3O>;LZ2?(U=hKZyQ+*&9bmZ|tjCqoE*B@5(Y2 zS(HgULn*w{X z*tczN*`$6pEte3D%7ru!gc=Cq?bT~%$Gfy+o_Xx7gTsJQ8%qOq?A|{(cRwH=pCOF`ga-k7<#5Dw?VSdqjWcPqW>i7hkB^{lIwK9gu3sZUa%H@$GPc+jtst z^m=scaN27GKmgHITRBp3)4lhu|9(gO4kh4rqBZq$dVemje%6u$v*ayw#r3{Pi`qi! zXDr04Y|wmDS-@zGDagk&k4;E66hHqKhca(^4SoCPX^o!jD2oH`r|XG9^>!V(u10`* zxQjLHPS!+EU-pXWKU^WJC|*PPcg_W-r<(Z(gI!h5H}0V1T%24C>F6mw1vL8Zc=zDY zK5}EOyX7_%x-@h;5dWo%@KAt@Vs^h6>$nZkM9QX(3++7d{>G}=!_wiYhsMt}? z1l|R>jKahypt+99j?t2K*ZF#a~H4x?Pu?Fc|i_O)Knh-GeFfNH`HI zBGaP{m~pO$T33d~FGSf5hZ*6!>{B(31<2j8oqwCL`Pc6IF$jK)|FK-CyRgLrpa1O- zjt(~a|9gYS`2Qh3TqG1v@wpN@@kFM4tv&g?p^q2As8te(&9hEqXXa`;q_2+=tk)z?mkPWHzE4JW(IM`6t9kru_5ThJHtK)y=kQVgAL4@{ zz>u@DJ#ndn*-IVj6e%7m`9U=rX)-X!+WD(_Q z!mrae55aYd^hPE_!N-6Y3inR{$i>;oD?tOeZGx{Fh3lU4=6Q^vEeiMw+A_l=3}fS;4yY*y|RRBYMdE19n?}P#>)3y<7~uL$BX3FX}K9 z%FCpy4@*J15OtWK`es9zd%@nj=Ue9>=*It<|Nljv|8xBRpnr6uVdeC6P8 zaW;*uuD|Yg8{0g2W7AL7-42}<0p)tR*xNq9@k?gNJ&tB)@NDNcSF>}wt8wN8cz$(= zv^6*ZUFbJI^AyLTJH?+bD`#9A6+|1C>>1#VJEk`2)~2wwMxJKP(Ln6v?EC!U{roTLC)9BOasU9VgAUOE literal 0 HcmV?d00001 
diff --git a/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-ossf-invalidsigprov.tgz.json b/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-ossf-invalidsigprov.tgz.json new file mode 100644 index 000000000..93052c6a5 --- /dev/null +++ b/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-ossf-invalidsigprov.tgz.json 
@@ -0,0 +1 @@ +{"attestations":[{"predicateType":"https://github.com/npm/attestation/tree/main/specs/publish/v0.1","bundle":{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.1","verificationMaterial":{"publicKey":{"hint":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA"},"tlogEntries":[{"logIndex":"20994827","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"intoto","version":"0.0.2"},"integratedTime":"1684432737","inclusionPromise":{"signedEntryTimestamp":"MEQCIAaehLQ3vo+OEcyokd/ksjiLzH+YkP6sQFutHqd1A5H1AiAU+Xzo6Xy38HYpETFnWGvHHnRAB1k/m2QWD9apTSSmrQ=="},"inclusionProof":null,"canonicalizedBody":"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"}],"timestampVerificationData":null},"dsseEnvelope":{"payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInN1YmplY3QiOlt7Im5hbWUiOiJwa2c6bnBtLyU0MGxhdXJlbnRzaW1vbi9wcm92ZW5hbmNlLW5wbS10ZXN0QDEuMC41IiwiZGlnZXN0Ijp7InNoYTUxMiI6IjU2M2JjNmQ4OGM3Y2M2MDkxN2IxM2NmNDgzODQ3M2VlZWE2ZWM3ZWEwNDMwZjI2NzJiMTZmNDNjMmE1YzgyYzIzOTk0OWM3Y2FlN2ZlMTNiYmUzYjMwZDA1NzFjM2U1NmRlNjI0YWEzMWVhNDNjOThjMTJmMWYxOTBiOGE3Y2EwIn19XSwicHJlZGljYXRlVHlwZSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9ucG0vYXR0ZXN0YXRpb24vdHJlZS9tYWluL3NwZWNzL3B1Ymxpc2gvdjAuMSIsInByZWRpY2F0ZSI6eyJuYW1lIjoiQGxhdXJlbnRzaW1vbi9wcm92ZW5hbmNlLW5wbS10ZXN0IiwidmVyc2lvbiI6IjEuMC41IiwicmVnaXN0cnkiOiJodHRwczovL3JlZ2lzdHJ5Lm5wbWpzLm9yZyJ9fQ==","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEUCIEdBWgAsM57+sLaQL7jpi9Cqe2ld+9YWUoLL8ExcjKRtAiEA9D/XjYIyPEeaqnc8DeF2aldJV2V2366Cl6IVwNfJpjY=","keyid":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA"}]}}},{"predicateType":"https://slsa.dev/provenance/v0.2","bundle":{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.1","verificationMaterial":{"x509CertificateChain":{"certificates":[{"rawBytes":"MIIHYTCCBuegAwIBAgIUTL6lddYKR4C2nJkPNEnaRI3tbY4wCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjMwNTE4MTc1NzUz
WhcNMjMwNTE4MTgwNzUzWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEt8wwi7GZYvLW8ZecTb32ZTy5Y1upwMjyDDuvqhndw/ONa/NDIPUFtylH/3xlwRcHD6vSElY+wrKckQRiSVjNb6OCBgYwggYCMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUxdHwVOS4gO1Bll9ipKdzxVDFJBUwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wgY8GA1UdEQEB/wSBhDCBgYZ/aHR0cHM6Ly9naXRodWIuY29tL3Nsc2EtZnJhbWV3b3JrL3Nsc2EtZ2l0aHViLWdlbmVyYXRvci8uZ2l0aHViL3dvcmtmbG93cy9kZWxlZ2F0b3JfbG93cGVybXMtZ2VuZXJpY19zbHNhMy55bWxAcmVmcy90YWdzL3YxLjYuMDA5BgorBgEEAYO/MAEBBCtodHRwczovL3Rva2VuLmFjdGlvbnMuZ2l0aHVidXNlcmNvbnRlbnQuY29tMB8GCisGAQQBg78wAQIEEXdvcmtmbG93X2Rpc3BhdGNoMDYGCisGAQQBg78wAQMEKDM0NDkwYjQ0ZGI1NTdmMDA5NjE3YmNiOTJiODc4MGY5NzJjMTg5YWIwLQYKKwYBBAGDvzABBAQfU0xTQSAzIFB1Ymxpc2ggUGFja2FnZSB0byBucG1qczAuBgorBgEEAYO/MAEFBCBsYXVyZW50c2ltb24vcHJvdmVuYW5jZS1ucG0tdGVzdDAdBgorBgEEAYO/MAEGBA9yZWZzL2hlYWRzL21haW4wOwYKKwYBBAGDvzABCAQtDCtodHRwczovL3Rva2VuLmFjdGlvbnMuZ2l0aHVidXNlcmNvbnRlbnQuY29tMIGQBgorBgEEAYO/MAEJBIGBDH9odHRwczovL2dpdGh1Yi5jb20vc2xzYS1mcmFtZXdvcmsvc2xzYS1naXRodWItZ2VuZXJhdG9yLy5naXRodWIvd29ya2Zsb3dzL2RlbGVnYXRvcl9sb3dwZXJtcy1nZW5lcmljX3Nsc2EzLnltbEByZWZzL3RhZ3MvdjEuNi4wMDgGCisGAQQBg78wAQoEKgwoMDc3OWY3YmVjNjhlMmJmNTRhN2IwYTMyYmY0NzYzZjI1YWIyOTcwMjAdBgorBgEEAYO/MAELBA8MDWdpdGh1Yi1ob3N0ZWQwQwYKKwYBBAGDvzABDAQ1DDNodHRwczovL2dpdGh1Yi5jb20vbGF1cmVudHNpbW9uL3Byb3ZlbmFuY2UtbnBtLXRlc3QwOAYKKwYBBAGDvzABDQQqDCgzNDQ5MGI0NGRiNTU3ZjAwOTYxN2JjYjkyYjg3ODBmOTcyYzE4OWFiMB8GCisGAQQBg78wAQ4EEQwPcmVmcy9oZWFkcy9tYWluMBkGCisGAQQBg78wAQ8ECwwJNjAyMjIzOTQ1MC8GCisGAQQBg78wARAEIQwfaHR0cHM6Ly9naXRodWIuY29tL2xhdXJlbnRzaW1vbjAYBgorBgEEAYO/MAERBAoMCDY0NTA1MDk5MHcGCisGAQQBg78wARIEaQxnaHR0cHM6Ly9naXRodWIuY29tL2xhdXJlbnRzaW1vbi9wcm92ZW5hbmNlLW5wbS10ZXN0Ly5naXRodWIvd29ya2Zsb3dzL3JlbGVhc2Utc2xzYTMueW1sQHJlZnMvaGVhZHMvbWFpbjA4BgorBgEEAYO/MAETBCoMKDM0NDkwYjQ0ZGI1NTdmMDA5NjE3YmNiOTJiODc4MGY5NzJjMTg5YWIwIQYKKwYBBAGDvzABFAQTDBF3b3JrZmxvd19kaXNwYXRjaDBmBgorBgEEAYO/MAEVBFgMVmh0dHBzOi8vZ2l0aHViLmNvbS9sYXVyZW50c2ltb24vcHJvdmVuYW5jZS1ucG0tdGVzdC9hY3Rpb25zL3J1bnMvNTAxNjc4
MjE5Ni9hdHRlbXB0cy8xMIGJBgorBgEEAdZ5AgQCBHsEeQB3AHUA3T0wasbHETJjGR4cmWc3AqJKXrjePK3/h4pygC8p7o4AAAGIMALbDQAABAMARjBEAiAFe98vnLZVW6+OMqJpGR2zf2jsU2HmjPRIGUf75iNeQgIgflQ53EBqKVUfO4R8sYgL1I0dByqLJ1AcsbKRVko3hB0wCgYIKoZIzj0EAwMDaAAwZQIwD7QlEaJyTdjBXvHZvz1mhFCv/PXJxf8rbKbSLDO2gwNad9LkXpDJmQiPfU9hcH+7AjEAtux0Vgi5DVXj606SckRblO3hU8gkgtBBePJbfUTix5GIzhltXOEi0WckRV/xi/w5"},{"rawBytes":"MIICGjCCAaGgAwIBAgIUALnViVfnU0brJasmRkHrn/UnfaQwCgYIKoZIzj0EAwMwKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0yMjA0MTMyMDA2MTVaFw0zMTEwMDUxMzU2NThaMDcxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjEeMBwGA1UEAxMVc2lnc3RvcmUtaW50ZXJtZWRpYXRlMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE8RVS/ysH+NOvuDZyPIZtilgUF9NlarYpAd9HP1vBBH1U5CV77LSS7s0ZiH4nE7Hv7ptS6LvvR/STk798LVgMzLlJ4HeIfF3tHSaexLcYpSASr1kS0N/RgBJz/9jWCiXno3sweTAOBgNVHQ8BAf8EBAMCAQYwEwYDVR0lBAwwCgYIKwYBBQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU39Ppz1YkEZb5qNjpKFWixi4YZD8wHwYDVR0jBBgwFoAUWMAeX5FFpWapesyQoZMi0CrFxfowCgYIKoZIzj0EAwMDZwAwZAIwPCsQK4DYiZYDPIaDi5HFKnfxXx6ASSVmERfsynYBiX2X6SJRnZU84/9DZdnFvvxmAjBOt6QpBlc4J/0DxvkTCqpclvziL6BCCPnjdlIB3Pu3BxsPmygUY7Ii2zbdCdliiow="},{"rawBytes":"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"}]},"tlogEntries":[{"logIndex":"20994759","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"intoto","version":"0.0.2"},"integratedTime":"1684432673","inclusionPromise":{"signedEntryTimestamp":"MEYCIQDCk3WOv3snfriWirXfHdXsFxcYk+QxV6oNtRJfc8slHQIhAJTGxdlC9hFTwYFo4k+4R+exU3d52x9Ksjh4Eo1pVHvq"},"inclusionProof":null,"canonicalizedBody":"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"}],"timestampVerificationData":null},"dsseEnvelope":{"payload":"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","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEYCIQDKa0worfSARTwf4L3pWpg3Rgmi51rrL0TTQNIKql5hngIhAJjD/oKmKm7TJDM2gXF5x/qm9tr2wSp6Pkh3qpdYsWvr","keyid":""}]}}}]} \ No newline at end of file 
diff --git a/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-ossf-invalidsigpub.tgz b/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-ossf-invalidsigpub.tgz new file mode 100644 index 0000000000000000000000000000000000000000..99d0c64ba0912bb8c5e6fd0689aa493ba3db6d7b GIT binary patch literal 7304 zcmV;39Cza%iwFP!00002|Lr_$ciYC5`OIH2Vcd%Jk|3$4Lm#(RETvIvOFE*wX^-o5 zL10KC0s#~QkY-c=_q~sq!GNSBCuy|p9`X2CBrtR5&V4@y$o$~OpUU3rvsb6*qth>b zjZeSdKiuCJ+phQfyN83l1M$V)!C`+eI6Umbxc;EOdxU?#cz{o-3O@%_{so(akFbCL zLq6iZ&vE7lGbvt2flQQa+%fXMWv-$$5xZW$BmU?orJt|FZoj{O>!evxWW!!>xmf~&6eRcNDTf9O52A(*PlPHM_Ku&oLjZIVUs43LUk7F^Hej*CkX(98u5`GejAWcG^ zB_?SuN+mlYmsy^MWq_AE8WfHVBUR+lxWwziS0cnEWhllgF_HlT836n|EvGZ_wMZxM zBZ6^hP|jsitmBpD8;AvIw#uXFtPtrkk+}erU}99PgkKi3G>`s4>uEUKW)w5O5U}Vp z_hDi(r9qkw4gzxO$KsSgZy-@7xIw~R3O^ty1`8kqjMZRL7@!f1q~fK4phcd>9pUHF z{D=wZ4(-$8j18-y#a+V(uqkIgxp|t}26>Myw;2GfCSA z?$f$H!FDOLj8K{YN-F|Ph&^f+We8~!O@Nx2%mW17I_UqVP0OV~9wxj2R2E>o0AJt% zuql_yKm?FunE(-j2v}Kz?%-Lm{4Z(Q6fKyG-|}YLhE( zZ4=Zci%_9bLQZdU3X%YOfXlTFyVeVKx?tGZbdeh7wS;YYDQj*b31cBzBb6a_HwwJ7=4E*R?uWPrieyfLL< za71MFivoQMQOIDcL9}24@}ob`U}cyHrX9qbC*sKCER(SEM^L6XUA8MKoX9*{02LQf zAVE}fT>@~8?KIH4*N~V72Jx}4ka-EIVu)*?^n>)Ut-_^}n_X?vz|hM{1(HJ4_hGR#CZ&LB(KJe6l}(;++GAs< zCN=f%h;{O5>Y+4i-Vu21HF7!kBdeb>^K+6Eqzi3hE^`^LKo61|BHS3H1?431=dx{> z9)TgsCw@RqqT~2TOVkadkUBD*R9t_Brd<2@tsGz10jsjkdX|7%;fyb}cp$JEPe_JC z9f=r7Dbt2#!TsBi?>I_Ppw&-d>DZWURgS@SXyakx4w5dyoY2#%Knsx_-v}!Vm&x7T z=`Gwq1+6kIkMcg2K+Fk{;`ZR>^Sr%i+C4QjEcW--EW;!jg97F$7~>9dVeH2wN6Q@N zB@}#=iKf0lEpUl0D?%Zi3RNi!(O-4$bVb&7xog0`3Ma6LQH+yg2q^)Ywm;o|l3GxIXqa;fXNW1G)N~q-DOOT%!mkm;& zH@j;Lcpdd)L$vFOKVVpe%f7PPH<6VXmF!%#tZq$a95r*TvIH+F90Cb6A%HVQaTFIo za0t7E2rrWbP{xQKn7%k%Mi^@(Y0@RmE7&pq>_XI&Pcd;ySAJZqx|3YOuLuIWMH-+X z-|*%-|HB1Mwgodl$1;@T4NF&<^Q;`hT%aNdY8Lw-==KWW%&u0^6&+Z(d7B&NTU$)Q z^2Ul=+&S46X3(C)pi3W(?*9Ysv|yUd3REyiISLaZ0fLGXqPEC*uMYPhTnAt?e<3N# zGYC;0olYhg=YbQDF_>TeA1q3m7t9!I2XvsUqe3z>W@ktO=8;*|&$1ZP%`^d~6P3|+ zY1D$)kAU7h*4Z3Tk$||=wRSTB?N!RpBht=E4%WwHG%_;2&sF@EYC{^FCQ^GuFncab 
zpQSE9!#pu$Q?T!eE9q8-JX(70uPV#7ZiT=OMkcnY*`qt6JYorkjj&h=MvmkNBO3Ud zT8~^$o7simV#zvHDntaSL~AZ3b9s`+kQ1?gH@0iouz6LRcUpp^O%Y#2kMj*+YXn|;w>l>{TEo`IF zvi#SHAF{f6esO*F>a+>U_pu;)quS{;FywaDaka}a0b4X>gR;ag2b4)Yec+)VQjS>( zo!m-RG)g|!c^xp?sF7vhjnEc4pF>v%%ytTIr7H;=z=)-T&qCW)Yf>z%U37T|?7-xLSKFQ$#* z&#`W1BO0uF$$Wt|ef<+~(lX40jnEp5J5|+5r>VL8dl~8O5ju1QJVBREECt7(&apj> z*Z`Fw?g(ImniV$bz)I~#eb#7`;hXjbTU-EB>c|r(k)qTIo3<12J;a|tmz7lli|TmA z2`pvam||6CfVfD>OH~EyR1DL)uPRhqh$|Ki)>Bk>G?p)G%xz;`3rv3VcqGn7P4Ug~ z=xk(&`~BJVcNcH3#rMZoSI6hqXQv}^apkt?{EO z87vx6*MT}SoE6r^1vr12Tb6>iBOk<&PW=qr%zj_r1LYNcFT`MFo#TO250O+Svt6wncJQ>;hWzJ*z`z!M0H zy5rmRgRN)HePB_>uq=*fVOoMxGiRYHsjN<@6(M{$|6H}d02nN-0IIl(O_L9h#e!t2t57nTYH z2jvh0^z}lVhGC28ez=IJNjlNTH$Ve45zOHR4W2dNYfl^p=o63%#`5CI$CaaYl;Zmt zhVFHBU2hiN*={pYXfR7tu7Xmfv({{Yxh8c@m;#aOo&rSOE99R1Gw5B zooGp7ryF8pZrv84BCfuShO{!HgfB%pRTrhQ=vAf25d&Ql#+)gduzf~_XMHEyOe}3e zIe~PAXFy~eZYiDn`J60~39c;_D|IgOyy}+e$}!kv$jUKU0qPU&OGg@=u+iee0(^RYf_`<|F*v$^e0d2&&i*_^7E-kUEb2-hUvQ7^;XOiSX?sa{ zyzVn6bo4QbdNsj>)hTFA4rzE{sv4atlb=K~4wV200m{xse~ev936j}-_r6&rDOj1% z-fm@tiL9#5`kYMK6Rndp*|FyZ933^lzibQ2)+tR@5MF>JK!|Vg(Ak0Gww>NA>WW%{ zJ^yGMp_J4!0$?X#Vyv)1#iMnd)L3yE%W?x!h7l{LT@+?!#u=N|>R47sR;WX2Fi|+M z3CL058f|bBeMP=#Dd?>lm;k3n|*xOm2mOP`^ZyU=X`he~K3O4n4jjelJ=kCupS|G4BY7A8vNr;zu&W5W%%>cEyVqFUV-n zLHV}8E8>P6gFrmcS;7?!c`A#GWpW9w8X~aOiFTxE-a_E)P6+OoG!0Q|!jz^d?f^<( z&H;6)-lSm(rh7=2J+#(j%3%gwuxEbZV%s1r3^G4L_yEZ|-5m-nQRDI2Vkqo(VG6bY z%RCYDcQ@~!i%;ScWA~|1oqhFq*Je9Nq?_Fitpa=b)CTl^AqCTSH@olQCm{h4+lIMH z7EFQ@Iq@;o+~n{2kk4T8!eDmm{+b~JYj(C$apA`${8)%jh5%c^r|&Er+}#4lnw|0K zkrAl#mOWKBX*UMAXwB2mr7HZyS@6e^mbPVS8dd_TQ+1GvPtR-fzkDH*GLGBiRa-a| z+na(`BF@2x7ZpKpJxw+UMT-@WeuRnsCL#5mH7erG;~b)%50KkZiw|==O{&5;WS{J+qxt{zJy&}V)tKxhHrwy zh7B^KQho>PNf|?c8q2W4yvSGZKcv@L%kI`oAnDLU5EB7GIOI+(jVpq05ts~VG`=34ElhfVjEB}~WSZ&|=cDqyt= zdtgCDEJ{GPi4d~u-TQW%$=TL2OBUjJW4on+co*~>gs)ktFPR)|V9?qS1U=BB?COm| zKetGuQ1qWSsQn0uL@wc?YdTsw4`?-C`ut2+4@Wf-GfP(kur*gxBSTsUt@hAnJ9@$D zuYvJYv|Q=KH9SmyTYtm!4|^}PeW>J+!|&NU1dTB;}zs=)Dhe5eNpx|t{6VK@qIvJGqo 
z5e@_-1bpK%Z*yEmafp`-6_{&Wox_V6Sll9l0H)i;5MPR&r%!uNy+ZBO$99963~ttD z(6!AOdNYJd5C}p5M)UI--MOEcfiaj}93>TggCTSOV|VFO6-9}@P|p5+C0tkG#_H04{w-)j|~4xaj5(l6=Hxj z*-ylZTxO}l2g_C!H!wa$fYYcjYm|AculyGl*wnDsgYUC)4EfZ&cb`;w2+1zV&j=wn zmIhs$!wXzs#Nr&^8kbW?N;DEb1A!hrJfkWcX6amJn%6%A-dA{la4wBr;6sEm2_oqr zTMr;$ng1DhgFbA`;tx6Hj{v-8rXxL)sJAXACOtLzn09BbGWX zWn2@;hH*^;3cvgF5dZK4miVpY3sPzPHDZvm)(}g};v^!==3%w{c1i+b_|yo$kfJQI z5)ZHDWl-RW3w?BvZ-ZNQSIE<}S^|QMTbFRQj=*qU1(D9!C%7uV@j$%gRYlpbPc zw5mB3g4Ct!c6qlhcDl%H3VwIW(WySGhesc28oh>q12Z~OmFZ)o75F4QoAWu+<79Q$ zDo9=*&rnH>gy`8@?va_smI!4K`}#q7-VZ+2%-u8Kf3n&kbllZVso@MClS(ta{#~0> zLgK^E5l_HkC?De(%VLQKU0#vM{c%JXosI;&KFPb|W7~eTN`Qq$6zHnp84s&u^^3^>OzdAiWd2{N`!-uc`>>h5^fBFY|kN*EbK3|C~`Aeg*CFz;Yy821}V%5Wu z&cuw4!^tifFTWbqXkbdZh~!e-TUh{?fsv>9r}*LTq6;3>!y^%%U*JtP#U3PhJC7Rs z>*#-&E|WO*!!87B5EpoA_E7r2-|z3O>;LZ2?(U=hKZyQ+*&9bmZ|tjCqoE*B@5(Y2 zS(HgULn*w{X z*tczN*`$6pEte3D%7ru!gc=Cq?bT~%$Gfy+o_Xx7gTsJQ8%qOq?A|{(cRwH=pCOF`ga-k7<#5Dw?VSdqjWcPqW>i7hkB^{lIwK9gu3sZUa%H@$GPc+jtst z^m=scaN27GKmgHITRBp3)4lhu|9(gO4kh4rqBZq$dVemje%6u$v*ayw#r3{Pi`qi! zXDr04Y|wmDS-@zGDagk&k4;E66hHqKhca(^4SoCPX^o!jD2oH`r|XG9^>!V(u10`* zxQjLHPS!+EU-pXWKU^WJC|*PPcg_W-r<(Z(gI!h5H}0V1T%24C>F6mw1vL8Zc=zDY zK5}EOyX7_%x-@h;5dWo%@KAt@Vs^h6>$nZkM9QX(3++7d{>G}=!_wiYhsMt}? z1l|R>jKahypt+99j?t2K*ZF#a~H4x?Pu?Fc|i_O)Knh-GeFfNH`HI zBGaP{m~pO$T33d~FGSf5hZ*6!>{B(31<2j8oqwCL`Pc6IF$jK)|FK-CyRgLrpa1O- zjt(~a|9gYS`2Qh3TqG1v@wpN@@kFM4tv&g?p^q2As8te(&9hEqXXa`;q_2+=tk)z?mkPWHzE4JW(IM`6t9kru_5ThJHtK)y=kQVgAL4@{ zz>u@DJ#ndn*-IVj6e%7m`9U=rX)-X!+WD(_Q z!mrae55aYd^hPE_!N-6Y3inR{$i>;oD?tOeZGx{Fh3lU4=6Q^vEeiMw+A_l=3}fS;4yY*y|RRBYMdE19n?}P#>)3y<7~uL$BX3FX}K9 z%FCpy4@*J15OtWK`es9zd%@nj=Ue9>=*It<|Nljv|8xBRpnr6uVdeC6P8 zaW;*uuD|Yg8{0g2W7AL7-42}<0p)tR*xNq9@k?gNJ&tB)@NDNcSF>}wt8wN8cz$(= zv^6*ZUFbJI^AyLTJH?+bD`#9A6+|1C>>1#VJEk`2)~2wwMxJKP(Ln6v?EC!U{roTLC)9BOasU9VgAUOE literal 0 HcmV?d00001 
diff --git a/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-ossf-invalidsigpub.tgz.json b/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-ossf-invalidsigpub.tgz.json
new file mode 100644
index 000000000..b6155f4ce
--- /dev/null
+++ b/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-ossf-invalidsigpub.tgz.json
@@ -0,0 +1 @@ +{"attestations":[{"predicateType":"https://github.com/npm/attestation/tree/main/specs/publish/v0.1","bundle":{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.1","verificationMaterial":{"publicKey":{"hint":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA"},"tlogEntries":[{"logIndex":"20994827","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"intoto","version":"0.0.2"},"integratedTime":"1684432737","inclusionPromise":{"signedEntryTimestamp":"MEQCIAaehLQ3vo+OEcyokd/ksjiLzH+YkP6sQFutHqd1A5H1AiAU+Xzo6Xy38HYpETFnWGvHHnRAB1k/m2QWD9apTSSmrQ=="},"inclusionProof":null,"canonicalizedBody":"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"}],"timestampVerificationData":null},"dsseEnvelope":{"payload":"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","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEUCIEdBWgAsM57+sLaQL7jpi9Cqe2ld+9YWUoLL8ExcjKRtAiEA9D/XjYIyPEeaqnc8DeF2aldJV2V2366Cl6IVwNfJpjY=","keyid":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA"}]}}},{"predicateType":"https://slsa.dev/provenance/v0.2","bundle":{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.1","verificationMaterial":{"x509CertificateChain":{"certificates":[{"rawBytes":"MIIHYTCCBuegAwIBAgIUTL6lddYKR4C2nJkPNEnaRI3tbY4wCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjMwNTE4MTc1NzUzWhcNMjMwNTE4MTgwNzUzWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEt8wwi7GZYvLW8ZecTb32ZTy5Y1upwMjyDDuvqhndw/ONa/NDIPUFtylH/3xlwRcHD6vSElY+wrKckQRiSVjNb6OCBgYwggYCMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUxdHwVOS4gO1Bll9ipKdzxVDFJBUwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wgY8GA1UdEQEB/wSBhDCBgYZ/aHR0cHM6Ly9naXRodWIuY29tL3Nsc2EtZnJhbWV3b3JrL3Nsc2EtZ2l0aHViLWdlbmVyYXRvci8uZ2l0aHViL3dvcmtmbG93cy9kZWxlZ2F0b3JfbG93cGVybXMtZ2VuZXJpY19zbHNhMy55bWxAcmVmcy90YWdzL3YxLjYuMDA5BgorBgEEAYO/MAEBBCtodHRwczovL3Rva2VuLmFjdGlvbnMuZ2l0aHVidXNlcmNvbnRlbnQuY29tMB8GCis
GAQQBg78wAQIEEXdvcmtmbG93X2Rpc3BhdGNoMDYGCisGAQQBg78wAQMEKDM0NDkwYjQ0ZGI1NTdmMDA5NjE3YmNiOTJiODc4MGY5NzJjMTg5YWIwLQYKKwYBBAGDvzABBAQfU0xTQSAzIFB1Ymxpc2ggUGFja2FnZSB0byBucG1qczAuBgorBgEEAYO/MAEFBCBsYXVyZW50c2ltb24vcHJvdmVuYW5jZS1ucG0tdGVzdDAdBgorBgEEAYO/MAEGBA9yZWZzL2hlYWRzL21haW4wOwYKKwYBBAGDvzABCAQtDCtodHRwczovL3Rva2VuLmFjdGlvbnMuZ2l0aHVidXNlcmNvbnRlbnQuY29tMIGQBgorBgEEAYO/MAEJBIGBDH9odHRwczovL2dpdGh1Yi5jb20vc2xzYS1mcmFtZXdvcmsvc2xzYS1naXRodWItZ2VuZXJhdG9yLy5naXRodWIvd29ya2Zsb3dzL2RlbGVnYXRvcl9sb3dwZXJtcy1nZW5lcmljX3Nsc2EzLnltbEByZWZzL3RhZ3MvdjEuNi4wMDgGCisGAQQBg78wAQoEKgwoMDc3OWY3YmVjNjhlMmJmNTRhN2IwYTMyYmY0NzYzZjI1YWIyOTcwMjAdBgorBgEEAYO/MAELBA8MDWdpdGh1Yi1ob3N0ZWQwQwYKKwYBBAGDvzABDAQ1DDNodHRwczovL2dpdGh1Yi5jb20vbGF1cmVudHNpbW9uL3Byb3ZlbmFuY2UtbnBtLXRlc3QwOAYKKwYBBAGDvzABDQQqDCgzNDQ5MGI0NGRiNTU3ZjAwOTYxN2JjYjkyYjg3ODBmOTcyYzE4OWFiMB8GCisGAQQBg78wAQ4EEQwPcmVmcy9oZWFkcy9tYWluMBkGCisGAQQBg78wAQ8ECwwJNjAyMjIzOTQ1MC8GCisGAQQBg78wARAEIQwfaHR0cHM6Ly9naXRodWIuY29tL2xhdXJlbnRzaW1vbjAYBgorBgEEAYO/MAERBAoMCDY0NTA1MDk5MHcGCisGAQQBg78wARIEaQxnaHR0cHM6Ly9naXRodWIuY29tL2xhdXJlbnRzaW1vbi9wcm92ZW5hbmNlLW5wbS10ZXN0Ly5naXRodWIvd29ya2Zsb3dzL3JlbGVhc2Utc2xzYTMueW1sQHJlZnMvaGVhZHMvbWFpbjA4BgorBgEEAYO/MAETBCoMKDM0NDkwYjQ0ZGI1NTdmMDA5NjE3YmNiOTJiODc4MGY5NzJjMTg5YWIwIQYKKwYBBAGDvzABFAQTDBF3b3JrZmxvd19kaXNwYXRjaDBmBgorBgEEAYO/MAEVBFgMVmh0dHBzOi8vZ2l0aHViLmNvbS9sYXVyZW50c2ltb24vcHJvdmVuYW5jZS1ucG0tdGVzdC9hY3Rpb25zL3J1bnMvNTAxNjc4MjE5Ni9hdHRlbXB0cy8xMIGJBgorBgEEAdZ5AgQCBHsEeQB3AHUA3T0wasbHETJjGR4cmWc3AqJKXrjePK3/h4pygC8p7o4AAAGIMALbDQAABAMARjBEAiAFe98vnLZVW6+OMqJpGR2zf2jsU2HmjPRIGUf75iNeQgIgflQ53EBqKVUfO4R8sYgL1I0dByqLJ1AcsbKRVko3hB0wCgYIKoZIzj0EAwMDaAAwZQIwD7QlEaJyTdjBXvHZvz1mhFCv/PXJxf8rbKbSLDO2gwNad9LkXpDJmQiPfU9hcH+7AjEAtux0Vgi5DVXj606SckRblO3hU8gkgtBBePJbfUTix5GIzhltXOEi0WckRV/xi/w5"},{"rawBytes":"MIICGjCCAaGgAwIBAgIUALnViVfnU0brJasmRkHrn/UnfaQwCgYIKoZIzj0EAwMwKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0yMjA0MTMyMDA2MTVaFw0zMTEwMDUxMzU2NThaMDcxFTATBgNVBAoTDHNpZ3N0b3J
lLmRldjEeMBwGA1UEAxMVc2lnc3RvcmUtaW50ZXJtZWRpYXRlMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE8RVS/ysH+NOvuDZyPIZtilgUF9NlarYpAd9HP1vBBH1U5CV77LSS7s0ZiH4nE7Hv7ptS6LvvR/STk798LVgMzLlJ4HeIfF3tHSaexLcYpSASr1kS0N/RgBJz/9jWCiXno3sweTAOBgNVHQ8BAf8EBAMCAQYwEwYDVR0lBAwwCgYIKwYBBQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU39Ppz1YkEZb5qNjpKFWixi4YZD8wHwYDVR0jBBgwFoAUWMAeX5FFpWapesyQoZMi0CrFxfowCgYIKoZIzj0EAwMDZwAwZAIwPCsQK4DYiZYDPIaDi5HFKnfxXx6ASSVmERfsynYBiX2X6SJRnZU84/9DZdnFvvxmAjBOt6QpBlc4J/0DxvkTCqpclvziL6BCCPnjdlIB3Pu3BxsPmygUY7Ii2zbdCdliiow="},{"rawBytes":"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"}]},"tlogEntries":[{"logIndex":"20994759","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"intoto","version":"0.0.2"},"integratedTime":"1684432673","inclusionPromise":{"signedEntryTimestamp":"MEYCIQDCk3WOv3snfriWirXfHdXsFxcYk+QxV6oNtRJfc8slHQIhAJTGxdlC9hFTwYFo4k+4R+exU3d52x9Ksjh4Eo1pVHvq"},"inclusionProof":null,"canonicalizedBody":"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"}],"timestampVerificationData":null},"dsseEnvelope":{"payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInN1YmplY3QiOlt7Im5hbWUiOiJwa2c6bnBtLyU0MGxhdXJlbnRzaW1vbi9wcm92ZW5hbmNlLW5wbS10ZXN0QDEuMC41IiwiZGlnZXN0Ijp7InNoYTUxMiI6IjU2M2JjNmQ4OGM3Y2M2MDkxN2IxM2NmNDgzODQ3M2VlZWE2ZWM3ZWEwNDMwZjI2NzJiMTZmNDNjMmE1YzgyYzIzOTk0OWM3Y2FlN2ZlMTNiYmUzYjMwZDA1NzFjM2U1NmRlNjI0YWEzMWVhNDNjOThjMTJmMWYxOTBiOGE3Y2EwIn19XSwicHJlZGljYXRlVHlwZSI6Imh0dHBzOi8vc2xzYS5kZXYvcHJvdmVuYW5jZS92MC4yIiwicHJlZGljYXRlIjp7ImJ1aWxkZXIiOnsiaWQiOiJodHRwczovL2dpdGh1Yi5jb20vc2xzYS1mcmFtZXdvcmsvc2xzYS1naXRodWItZ2VuZXJhdG9yLy5naXRodWIvd29ya2Zsb3dzL2J1aWxkZXJfbm9kZWpzX3Nsc2EzLnltbEByZWZzL3RhZ3MvdjEuNi4wIn0sImJ1aWxkVHlwZSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbHNhLWZyYW1ld29yay9zbHNhLWdpdGh1Yi1nZW5lcmF0b3IvZGVsZWdhdG9yLWdlbmVyaWNAdjAiLCJpbnZvY2F0aW9uIjp7ImNvbmZpZ1NvdXJjZSI6eyJ1cmkiOiJnaXQraHR0cHM6Ly9naXRodWIuY29tL2xhdXJlbnRzaW1vbi9wcm92ZW5hbmNlLW5wbS10ZXN0QHJlZnMvaGVhZHMvbWFpbiIsImRpZ2VzdCI6ey
JzaGExIjoiMzQ0OTBiNDRkYjU1N2YwMDk2MTdiY2I5MmI4NzgwZjk3MmMxODlhYiJ9LCJlbnRyeVBvaW50IjoiLmdpdGh1Yi93b3JrZmxvd3MvcmVsZWFzZS1zbHNhMy55bWwifSwicGFyYW1ldGVycyI6eyJpbnB1dHMiOnsiZGlyZWN0b3J5IjoiLiIsIm5vZGUtdmVyc2lvbiI6IiIsIm5vZGUtdmVyc2lvbi1maWxlIjoiIiwicmVrb3ItbG9nLXB1YmxpYyI6ZmFsc2UsInJ1bi1zY3JpcHRzIjoiY2ksIGJ1aWxkIn19LCJlbnZpcm9ubWVudCI6eyJHSVRIVUJfQUNUT1JfSUQiOiI2NDUwNTA5OSIsIkdJVEhVQl9FVkVOVF9OQU1FIjoid29ya2Zsb3dfZGlzcGF0Y2giLCJHSVRIVUJfUkVGIjoicmVmcy9oZWFkcy9tYWluIiwiR0lUSFVCX1JFRl9UWVBFIjoiYnJhbmNoIiwiR0lUSFVCX1JFUE9TSVRPUlkiOiJsYXVyZW50c2ltb24vcHJvdmVuYW5jZS1ucG0tdGVzdCIsIkdJVEhVQl9SRVBPU0lUT1JZX0lEIjoiNjAyMjIzOTQ1IiwiR0lUSFVCX1JFUE9TSVRPUllfT1dORVJfSUQiOiI2NDUwNTA5OSIsIkdJVEhVQl9SVU5fQVRURU1QVCI6IjEiLCJHSVRIVUJfUlVOX0lEIjoiNTAxNjc4MjE5NiIsIkdJVEhVQl9SVU5fTlVNQkVSIjoiMjIiLCJHSVRIVUJfU0hBIjoiMzQ0OTBiNDRkYjU1N2YwMDk2MTdiY2I5MmI4NzgwZjk3MmMxODlhYiIsIkdJVEhVQl9UUklHR0VSSU5HX0FDVE9SX0lEIjoiNjQ1MDUwOTkiLCJHSVRIVUJfV09SS0ZMT1dfUkVGIjoibGF1cmVudHNpbW9uL3Byb3ZlbmFuY2UtbnBtLXRlc3QvLmdpdGh1Yi93b3JrZmxvd3MvcmVsZWFzZS1zbHNhMy55bWxAcmVmcy9oZWFkcy9tYWluIiwiR0lUSFVCX1dPUktGTE9XX1NIQSI6IjM0NDkwYjQ0ZGI1NTdmMDA5NjE3YmNiOTJiODc4MGY5NzJjMTg5YWIifX0sIm1ldGFkYXRhIjp7ImJ1aWxkSW52b2NhdGlvbklkIjoiNTAxNjc4MjE5Ni0xIiwiY29tcGxldGVuZXNzIjp7InBhcmFtZXRlcnMiOnRydWV9fSwibWF0ZXJpYWxzIjpbeyJ1cmkiOiJnaXQraHR0cHM6Ly9naXRodWIuY29tL2xhdXJlbnRzaW1vbi9wcm92ZW5hbmNlLW5wbS10ZXN0QHJlZnMvaGVhZHMvbWFpbiIsImRpZ2VzdCI6eyJzaGExIjoiMzQ0OTBiNDRkYjU1N2YwMDk2MTdiY2I5MmI4NzgwZjk3MmMxODlhYiJ9fV19fQ==","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEYCIQDKa0worfSARTwf4L3pWpg3Rgmi51rrL0TTQNIKql5hngIhAJjD/oKmKm7TJDM2gXF5x/qm9tr2wSp6Pkh3qpdYsWvr","keyid":""}]}}}]} \ No newline at end of file 
diff --git a/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-ossf.tgz b/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-ossf.tgz new file mode 100644 index 0000000000000000000000000000000000000000..99d0c64ba0912bb8c5e6fd0689aa493ba3db6d7b GIT binary patch literal 7304 zcmV;39Cza%iwFP!00002|Lr_$ciYC5`OIH2Vcd%Jk|3$4Lm#(RETvIvOFE*wX^-o5 zL10KC0s#~QkY-c=_q~sq!GNSBCuy|p9`X2CBrtR5&V4@y$o$~OpUU3rvsb6*qth>b zjZeSdKiuCJ+phQfyN83l1M$V)!C`+eI6Umbxc;EOdxU?#cz{o-3O@%_{so(akFbCL zLq6iZ&vE7lGbvt2flQQa+%fXMWv-$$5xZW$BmU?orJt|FZoj{O>!evxWW!!>xmf~&6eRcNDTf9O52A(*PlPHM_Ku&oLjZIVUs43LUk7F^Hej*CkX(98u5`GejAWcG^ zB_?SuN+mlYmsy^MWq_AE8WfHVBUR+lxWwziS0cnEWhllgF_HlT836n|EvGZ_wMZxM zBZ6^hP|jsitmBpD8;AvIw#uXFtPtrkk+}erU}99PgkKi3G>`s4>uEUKW)w5O5U}Vp z_hDi(r9qkw4gzxO$KsSgZy-@7xIw~R3O^ty1`8kqjMZRL7@!f1q~fK4phcd>9pUHF z{D=wZ4(-$8j18-y#a+V(uqkIgxp|t}26>Myw;2GfCSA z?$f$H!FDOLj8K{YN-F|Ph&^f+We8~!O@Nx2%mW17I_UqVP0OV~9wxj2R2E>o0AJt% zuql_yKm?FunE(-j2v}Kz?%-Lm{4Z(Q6fKyG-|}YLhE( zZ4=Zci%_9bLQZdU3X%YOfXlTFyVeVKx?tGZbdeh7wS;YYDQj*b31cBzBb6a_HwwJ7=4E*R?uWPrieyfLL< za71MFivoQMQOIDcL9}24@}ob`U}cyHrX9qbC*sKCER(SEM^L6XUA8MKoX9*{02LQf zAVE}fT>@~8?KIH4*N~V72Jx}4ka-EIVu)*?^n>)Ut-_^}n_X?vz|hM{1(HJ4_hGR#CZ&LB(KJe6l}(;++GAs< zCN=f%h;{O5>Y+4i-Vu21HF7!kBdeb>^K+6Eqzi3hE^`^LKo61|BHS3H1?431=dx{> z9)TgsCw@RqqT~2TOVkadkUBD*R9t_Brd<2@tsGz10jsjkdX|7%;fyb}cp$JEPe_JC z9f=r7Dbt2#!TsBi?>I_Ppw&-d>DZWURgS@SXyakx4w5dyoY2#%Knsx_-v}!Vm&x7T z=`Gwq1+6kIkMcg2K+Fk{;`ZR>^Sr%i+C4QjEcW--EW;!jg97F$7~>9dVeH2wN6Q@N zB@}#=iKf0lEpUl0D?%Zi3RNi!(O-4$bVb&7xog0`3Ma6LQH+yg2q^)Ywm;o|l3GxIXqa;fXNW1G)N~q-DOOT%!mkm;& zH@j;Lcpdd)L$vFOKVVpe%f7PPH<6VXmF!%#tZq$a95r*TvIH+F90Cb6A%HVQaTFIo za0t7E2rrWbP{xQKn7%k%Mi^@(Y0@RmE7&pq>_XI&Pcd;ySAJZqx|3YOuLuIWMH-+X z-|*%-|HB1Mwgodl$1;@T4NF&<^Q;`hT%aNdY8Lw-==KWW%&u0^6&+Z(d7B&NTU$)Q z^2Ul=+&S46X3(C)pi3W(?*9Ysv|yUd3REyiISLaZ0fLGXqPEC*uMYPhTnAt?e<3N# zGYC;0olYhg=YbQDF_>TeA1q3m7t9!I2XvsUqe3z>W@ktO=8;*|&$1ZP%`^d~6P3|+ zY1D$)kAU7h*4Z3Tk$||=wRSTB?N!RpBht=E4%WwHG%_;2&sF@EYC{^FCQ^GuFncab 
zpQSE9!#pu$Q?T!eE9q8-JX(70uPV#7ZiT=OMkcnY*`qt6JYorkjj&h=MvmkNBO3Ud zT8~^$o7simV#zvHDntaSL~AZ3b9s`+kQ1?gH@0iouz6LRcUpp^O%Y#2kMj*+YXn|;w>l>{TEo`IF zvi#SHAF{f6esO*F>a+>U_pu;)quS{;FywaDaka}a0b4X>gR;ag2b4)Yec+)VQjS>( zo!m-RG)g|!c^xp?sF7vhjnEc4pF>v%%ytTIr7H;=z=)-T&qCW)Yf>z%U37T|?7-xLSKFQ$#* z&#`W1BO0uF$$Wt|ef<+~(lX40jnEp5J5|+5r>VL8dl~8O5ju1QJVBREECt7(&apj> z*Z`Fw?g(ImniV$bz)I~#eb#7`;hXjbTU-EB>c|r(k)qTIo3<12J;a|tmz7lli|TmA z2`pvam||6CfVfD>OH~EyR1DL)uPRhqh$|Ki)>Bk>G?p)G%xz;`3rv3VcqGn7P4Ug~ z=xk(&`~BJVcNcH3#rMZoSI6hqXQv}^apkt?{EO z87vx6*MT}SoE6r^1vr12Tb6>iBOk<&PW=qr%zj_r1LYNcFT`MFo#TO250O+Svt6wncJQ>;hWzJ*z`z!M0H zy5rmRgRN)HePB_>uq=*fVOoMxGiRYHsjN<@6(M{$|6H}d02nN-0IIl(O_L9h#e!t2t57nTYH z2jvh0^z}lVhGC28ez=IJNjlNTH$Ve45zOHR4W2dNYfl^p=o63%#`5CI$CaaYl;Zmt zhVFHBU2hiN*={pYXfR7tu7Xmfv({{Yxh8c@m;#aOo&rSOE99R1Gw5B zooGp7ryF8pZrv84BCfuShO{!HgfB%pRTrhQ=vAf25d&Ql#+)gduzf~_XMHEyOe}3e zIe~PAXFy~eZYiDn`J60~39c;_D|IgOyy}+e$}!kv$jUKU0qPU&OGg@=u+iee0(^RYf_`<|F*v$^e0d2&&i*_^7E-kUEb2-hUvQ7^;XOiSX?sa{ zyzVn6bo4QbdNsj>)hTFA4rzE{sv4atlb=K~4wV200m{xse~ev936j}-_r6&rDOj1% z-fm@tiL9#5`kYMK6Rndp*|FyZ933^lzibQ2)+tR@5MF>JK!|Vg(Ak0Gww>NA>WW%{ zJ^yGMp_J4!0$?X#Vyv)1#iMnd)L3yE%W?x!h7l{LT@+?!#u=N|>R47sR;WX2Fi|+M z3CL058f|bBeMP=#Dd?>lm;k3n|*xOm2mOP`^ZyU=X`he~K3O4n4jjelJ=kCupS|G4BY7A8vNr;zu&W5W%%>cEyVqFUV-n zLHV}8E8>P6gFrmcS;7?!c`A#GWpW9w8X~aOiFTxE-a_E)P6+OoG!0Q|!jz^d?f^<( z&H;6)-lSm(rh7=2J+#(j%3%gwuxEbZV%s1r3^G4L_yEZ|-5m-nQRDI2Vkqo(VG6bY z%RCYDcQ@~!i%;ScWA~|1oqhFq*Je9Nq?_Fitpa=b)CTl^AqCTSH@olQCm{h4+lIMH z7EFQ@Iq@;o+~n{2kk4T8!eDmm{+b~JYj(C$apA`${8)%jh5%c^r|&Er+}#4lnw|0K zkrAl#mOWKBX*UMAXwB2mr7HZyS@6e^mbPVS8dd_TQ+1GvPtR-fzkDH*GLGBiRa-a| z+na(`BF@2x7ZpKpJxw+UMT-@WeuRnsCL#5mH7erG;~b)%50KkZiw|==O{&5;WS{J+qxt{zJy&}V)tKxhHrwy zh7B^KQho>PNf|?c8q2W4yvSGZKcv@L%kI`oAnDLU5EB7GIOI+(jVpq05ts~VG`=34ElhfVjEB}~WSZ&|=cDqyt= zdtgCDEJ{GPi4d~u-TQW%$=TL2OBUjJW4on+co*~>gs)ktFPR)|V9?qS1U=BB?COm| zKetGuQ1qWSsQn0uL@wc?YdTsw4`?-C`ut2+4@Wf-GfP(kur*gxBSTsUt@hAnJ9@$D zuYvJYv|Q=KH9SmyTYtm!4|^}PeW>J+!|&NU1dTB;}zs=)Dhe5eNpx|t{6VK@qIvJGqo 
z5e@_-1bpK%Z*yEmafp`-6_{&Wox_V6Sll9l0H)i;5MPR&r%!uNy+ZBO$99963~ttD z(6!AOdNYJd5C}p5M)UI--MOEcfiaj}93>TggCTSOV|VFO6-9}@P|p5+C0tkG#_H04{w-)j|~4xaj5(l6=Hxj z*-ylZTxO}l2g_C!H!wa$fYYcjYm|AculyGl*wnDsgYUC)4EfZ&cb`;w2+1zV&j=wn zmIhs$!wXzs#Nr&^8kbW?N;DEb1A!hrJfkWcX6amJn%6%A-dA{la4wBr;6sEm2_oqr zTMr;$ng1DhgFbA`;tx6Hj{v-8rXxL)sJAXACOtLzn09BbGWX zWn2@;hH*^;3cvgF5dZK4miVpY3sPzPHDZvm)(}g};v^!==3%w{c1i+b_|yo$kfJQI z5)ZHDWl-RW3w?BvZ-ZNQSIE<}S^|QMTbFRQj=*qU1(D9!C%7uV@j$%gRYlpbPc zw5mB3g4Ct!c6qlhcDl%H3VwIW(WySGhesc28oh>q12Z~OmFZ)o75F4QoAWu+<79Q$ zDo9=*&rnH>gy`8@?va_smI!4K`}#q7-VZ+2%-u8Kf3n&kbllZVso@MClS(ta{#~0> zLgK^E5l_HkC?De(%VLQKU0#vM{c%JXosI;&KFPb|W7~eTN`Qq$6zHnp84s&u^^3^>OzdAiWd2{N`!-uc`>>h5^fBFY|kN*EbK3|C~`Aeg*CFz;Yy821}V%5Wu z&cuw4!^tifFTWbqXkbdZh~!e-TUh{?fsv>9r}*LTq6;3>!y^%%U*JtP#U3PhJC7Rs z>*#-&E|WO*!!87B5EpoA_E7r2-|z3O>;LZ2?(U=hKZyQ+*&9bmZ|tjCqoE*B@5(Y2 zS(HgULn*w{X z*tczN*`$6pEte3D%7ru!gc=Cq?bT~%$Gfy+o_Xx7gTsJQ8%qOq?A|{(cRwH=pCOF`ga-k7<#5Dw?VSdqjWcPqW>i7hkB^{lIwK9gu3sZUa%H@$GPc+jtst z^m=scaN27GKmgHITRBp3)4lhu|9(gO4kh4rqBZq$dVemje%6u$v*ayw#r3{Pi`qi! zXDr04Y|wmDS-@zGDagk&k4;E66hHqKhca(^4SoCPX^o!jD2oH`r|XG9^>!V(u10`* zxQjLHPS!+EU-pXWKU^WJC|*PPcg_W-r<(Z(gI!h5H}0V1T%24C>F6mw1vL8Zc=zDY zK5}EOyX7_%x-@h;5dWo%@KAt@Vs^h6>$nZkM9QX(3++7d{>G}=!_wiYhsMt}? z1l|R>jKahypt+99j?t2K*ZF#a~H4x?Pu?Fc|i_O)Knh-GeFfNH`HI zBGaP{m~pO$T33d~FGSf5hZ*6!>{B(31<2j8oqwCL`Pc6IF$jK)|FK-CyRgLrpa1O- zjt(~a|9gYS`2Qh3TqG1v@wpN@@kFM4tv&g?p^q2As8te(&9hEqXXa`;q_2+=tk)z?mkPWHzE4JW(IM`6t9kru_5ThJHtK)y=kQVgAL4@{ zz>u@DJ#ndn*-IVj6e%7m`9U=rX)-X!+WD(_Q z!mrae55aYd^hPE_!N-6Y3inR{$i>;oD?tOeZGx{Fh3lU4=6Q^vEeiMw+A_l=3}fS;4yY*y|RRBYMdE19n?}P#>)3y<7~uL$BX3FX}K9 z%FCpy4@*J15OtWK`es9zd%@nj=Ue9>=*It<|Nljv|8xBRpnr6uVdeC6P8 zaW;*uuD|Yg8{0g2W7AL7-42}<0p)tR*xNq9@k?gNJ&tB)@NDNcSF>}wt8wN8cz$(= zv^6*ZUFbJI^AyLTJH?+bD`#9A6+|1C>>1#VJEk`2)~2wwMxJKP(Ln6v?EC!U{roTLC)9BOasU9VgAUOE literal 0 HcmV?d00001 
diff --git a/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-ossf.tgz.json b/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-ossf.tgz.json
new file mode 100644
index 000000000..8015aece1
--- /dev/null
+++ b/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-ossf.tgz.json
@@ -0,0 +1 @@ +{"attestations":[{"predicateType":"https://github.com/npm/attestation/tree/main/specs/publish/v0.1","bundle":{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.1","verificationMaterial":{"publicKey":{"hint":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA"},"tlogEntries":[{"logIndex":"20994827","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"intoto","version":"0.0.2"},"integratedTime":"1684432737","inclusionPromise":{"signedEntryTimestamp":"MEQCIAaehLQ3vo+OEcyokd/ksjiLzH+YkP6sQFutHqd1A5H1AiAU+Xzo6Xy38HYpETFnWGvHHnRAB1k/m2QWD9apTSSmrQ=="},"inclusionProof":null,"canonicalizedBody":"eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWRUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8ranNvbiIsInNpZ25hdHVyZXMiOlt7ImtleWlkIjoiU0hBMjU2OmpsM2J3c3d1ODBQampva0NnaDBvMnc1YzJVNExoUUFFNTdnajljejFrekEiLCJwdWJsaWNLZXkiOiJMUzB0TFMxQ1JVZEpUaUJRVlVKTVNVTWdTMFZaTFMwdExTMEtUVVpyZDBWM1dVaExiMXBKZW1vd1EwRlJXVWxMYjFwSmVtb3dSRUZSWTBSUlowRkZNVTlzWWpONlRVRkdSbmhZUzBocFNXdFJUelZqU2pOWmFHdzFhVFpWVUhBclNXaDFkR1ZDU21KMVNHTkJOVlZ2WjB0dk1FVlhkR3hYZDFjMlMxTmhTMjlVVGtWWlREZEtiRU5SYVZadWEyaENhM1JWWjJjOVBRb3RMUzB0TFVWT1JDQlFWVUpNU1VNZ1MwVlpMUzB0TFMwPSIsInNpZyI6IlRVVlZRMGxGWkVKWFowRnpUVFUzSzNOTVlWRk1OMnB3YVRsRGNXVXliR1FyT1ZsWFZXOU1URGhGZUdOcVMxSjBRV2xGUVRsRUwxaHFXVWw1VUVWbFlYRnVZemhFWlVZeVlXeGtTbFl5VmpJek5qWkRiRFpKVm5kT1prcHdhbGs5In1dfSwiaGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6ImYzMWNmNDFkNzU2NDFlNzE0YTQ1MmU5MWQyM2RhM2M5YWVmMjlkYzk5ODA5YzllYWJjZDVmN2VkNDFkMzM0OTUifSwicGF5bG9hZEhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiJiYjhmYTMzNDJkZGQ0Nzg5ZTM0NmU0MTY3MzNhNTA5NTU5OTdlYjQwMTBjZGQwNjZkYTc1Y2RiYmIyZTVmMzEzIn19fX0="}],"timestampVerificationData":null},"dsseEnvelope":{"payload":"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","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEUCIEdBWgAsM57+sLaQL7jpi9Cqe2ld+9YWUoLL8ExcjKRtAiEA9D/XjYIyPEeaqnc8DeF2aldJV2V2366Cl6
IVwNfJpjY=","keyid":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA"}]}}},{"predicateType":"https://slsa.dev/provenance/v0.2","bundle":{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.1","verificationMaterial":{"x509CertificateChain":{"certificates":[{"rawBytes":"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"},{"rawBytes":"MIICGjCCAaGgAwIBAgIUALnViVfnU0brJasmRkHrn/UnfaQwCgYIKoZIzj0EAwMwKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0yMjA0MTMyMDA2MTVaFw0zMTEwMDUxMzU2NThaMDcxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjEeMBwGA1UEAxMVc2lnc3RvcmUtaW50ZXJtZWRpYXRlMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE8RVS/ysH+NOvuDZyPIZtilgUF9NlarYpAd9HP1vBBH1U5CV77LSS7s0ZiH4nE7Hv7ptS6LvvR/STk798LVgMzLlJ4HeIfF3tHSaexLcYpSASr1kS0N/RgBJz/9jWCiXno3sweTAOBgNVHQ8BAf8EBAMCAQYwEwYDVR0lBAwwCgYIKwYBBQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU39Ppz1YkEZb5qNjpKFWixi4YZD8wHwYDVR0jBBgwFoAUWMAeX5FFpWapesyQoZMi0CrFxfowCgYIKoZIzj0EAwMDZwAwZAIwPCsQK4DYiZYDPIaDi5HFKnfxXx6ASSVmERfsynYBiX2X6SJRnZU84/9DZdnFvvxmAjBOt6QpBlc4J/0DxvkTCqpclvziL6BCCPnjdlIB3Pu3BxsPmygUY7Ii2zbdCdliiow="},{"rawBytes":"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"}]},"tlogEntries":[{"logIndex":"20994759","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"intoto","version":"0.0.2"},"integratedTime":"1684432673","inclusionPromise":{"signedEntryTimestamp":"MEYCIQDCk3WOv3snfriWirXfHdXsFxcYk+QxV6oNtRJfc8slHQIhAJTGxdlC9hFTwYFo4k+4R+exU3d52x9Ksjh4Eo1pVHvq"},"inclusionProof":null,"canonicalizedBody":"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"}],"timestampVerificationData":null},"dsseEnvelope":{"payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInN1YmplY3QiOlt7Im5hbWUiOiJwa2c6bnBtLyU0MGxhdXJlbnRzaW1vbi9wcm92ZW5hbmNlLW5wbS10ZXN0QDEuMC41IiwiZGlnZXN0Ijp7InNoYTUxMiI6IjU2M2JjNmQ4OGM3Y2M2MDkxN2IxM2NmNDgzODQ3M2VlZWE2ZWM3ZWEwNDMwZjI2NzJiMTZmNDNjMmE1YzgyYzIzOTk0OWM3Y2FlN2ZlMTNiYmUzYjMwZDA1NzFjM2U1NmRlNjI0YWEzMWVhNDNjOThjMTJmMWYxOTBiOGE3Y2EwIn19XSwicH
JlZGljYXRlVHlwZSI6Imh0dHBzOi8vc2xzYS5kZXYvcHJvdmVuYW5jZS92MC4yIiwicHJlZGljYXRlIjp7ImJ1aWxkZXIiOnsiaWQiOiJodHRwczovL2dpdGh1Yi5jb20vc2xzYS1mcmFtZXdvcmsvc2xzYS1naXRodWItZ2VuZXJhdG9yLy5naXRodWIvd29ya2Zsb3dzL2J1aWxkZXJfbm9kZWpzX3Nsc2EzLnltbEByZWZzL3RhZ3MvdjEuNi4wIn0sImJ1aWxkVHlwZSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbHNhLWZyYW1ld29yay9zbHNhLWdpdGh1Yi1nZW5lcmF0b3IvZGVsZWdhdG9yLWdlbmVyaWNAdjAiLCJpbnZvY2F0aW9uIjp7ImNvbmZpZ1NvdXJjZSI6eyJ1cmkiOiJnaXQraHR0cHM6Ly9naXRodWIuY29tL2xhdXJlbnRzaW1vbi9wcm92ZW5hbmNlLW5wbS10ZXN0QHJlZnMvaGVhZHMvbWFpbiIsImRpZ2VzdCI6eyJzaGExIjoiMzQ0OTBiNDRkYjU1N2YwMDk2MTdiY2I5MmI4NzgwZjk3MmMxODlhYiJ9LCJlbnRyeVBvaW50IjoiLmdpdGh1Yi93b3JrZmxvd3MvcmVsZWFzZS1zbHNhMy55bWwifSwicGFyYW1ldGVycyI6eyJpbnB1dHMiOnsiZGlyZWN0b3J5IjoiLiIsIm5vZGUtdmVyc2lvbiI6IiIsIm5vZGUtdmVyc2lvbi1maWxlIjoiIiwicmVrb3ItbG9nLXB1YmxpYyI6ZmFsc2UsInJ1bi1zY3JpcHRzIjoiY2ksIGJ1aWxkIn19LCJlbnZpcm9ubWVudCI6eyJHSVRIVUJfQUNUT1JfSUQiOiI2NDUwNTA5OSIsIkdJVEhVQl9FVkVOVF9OQU1FIjoid29ya2Zsb3dfZGlzcGF0Y2giLCJHSVRIVUJfUkVGIjoicmVmcy9oZWFkcy9tYWluIiwiR0lUSFVCX1JFRl9UWVBFIjoiYnJhbmNoIiwiR0lUSFVCX1JFUE9TSVRPUlkiOiJsYXVyZW50c2ltb24vcHJvdmVuYW5jZS1ucG0tdGVzdCIsIkdJVEhVQl9SRVBPU0lUT1JZX0lEIjoiNjAyMjIzOTQ1IiwiR0lUSFVCX1JFUE9TSVRPUllfT1dORVJfSUQiOiI2NDUwNTA5OSIsIkdJVEhVQl9SVU5fQVRURU1QVCI6IjEiLCJHSVRIVUJfUlVOX0lEIjoiNTAxNjc4MjE5NiIsIkdJVEhVQl9SVU5fTlVNQkVSIjoiMjIiLCJHSVRIVUJfU0hBIjoiMzQ0OTBiNDRkYjU1N2YwMDk2MTdiY2I5MmI4NzgwZjk3MmMxODlhYiIsIkdJVEhVQl9UUklHR0VSSU5HX0FDVE9SX0lEIjoiNjQ1MDUwOTkiLCJHSVRIVUJfV09SS0ZMT1dfUkVGIjoibGF1cmVudHNpbW9uL3Byb3ZlbmFuY2UtbnBtLXRlc3QvLmdpdGh1Yi93b3JrZmxvd3MvcmVsZWFzZS1zbHNhMy55bWxAcmVmcy9oZWFkcy9tYWluIiwiR0lUSFVCX1dPUktGTE9XX1NIQSI6IjM0NDkwYjQ0ZGI1NTdmMDA5NjE3YmNiOTJiODc4MGY5NzJjMTg5YWIifX0sIm1ldGFkYXRhIjp7ImJ1aWxkSW52b2NhdGlvbklkIjoiNTAxNjc4MjE5Ni0xIiwiY29tcGxldGVuZXNzIjp7InBhcmFtZXRlcnMiOnRydWV9fSwibWF0ZXJpYWxzIjpbeyJ1cmkiOiJnaXQraHR0cHM6Ly9naXRodWIuY29tL2xhdXJlbnRzaW1vbi9wcm92ZW5hbmNlLW5wbS10ZXN0QHJlZnMvaGVhZHMvbWFpbiIsImRpZ2VzdCI6eyJzaGExIjoiMzQ0OTBiNDRkYjU1N2YwMDk2MTdiY2I5MmI4NzgwZjk3MmMxOD
lhYiJ9fV19fQ==","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEYCIQDKa0worfSARTwf4L3pWpg3Rgmi51rrL0TTQNIKql5hngIhAJjD/oKmKm7TJDM2gXF5x/qm9tr2wSp6Pkh3qpdYsWvr","keyid":""}]}}}]} \ No newline at end of file 
diff --git a/cli/slsa-verifier/testdata/npm/gha/supreme-googles-cli-v02-tag-invalidsigprov.tgz b/cli/slsa-verifier/testdata/npm/gha/supreme-googles-cli-v02-tag-invalidsigprov.tgz new file mode 100644 index 0000000000000000000000000000000000000000..693c7fffa891db14fa2cf20de032ce96eceedbbe GIT binary patch literal 1709 zcmV;e22%MSiwFP!00002|Ls_9Z`(K$?q~gqfqPgqI9s-pCI!4Wpo+!B!a9;qlA8^- zheDPZTa82-B9$~K`rmhkl4G~&UUz}pV6ST;h^gUl=9!0YL#~tbCRy_S)EhHDV$c4J zG8ha_UcQ8{$*~;1I>NT2~mUWfwe=+LjgaELXb97q!l%fJ9_K zCUOBv)>X=lWRZ)cx`%67m8uJOxn6;+%&)AqRmv>C&eMbpbRnrYta(-DTJsFnmAuU} ztmsvu@gGMcMIrBUv4m8LET>M&bSk+XS=P{o&mk$0*BdOU%uo-98Y-?6#7G8{g}kMv zO{hX@jK7O*xv~JDKx1TM*PY0|z=9srBFRf$At#5AF`%y<5;hnxx~xWA{{;piAS8bj z2DH&-GObH4v|*QwVW&QlFR`(LGSR%slR|BYHlt&D?gW5A9ogXX-1MSWk(8X^P<;z} zC5sFdgxo3_{&Q`pMC^@8St;~=4+~DS1*4F_MTSyN69ci7QgdkN(F)LJev4|?*ziDz zlGpl<2ELs~pw>L4iG=-fnqC!6A<;}GrJ5+>i5Ec>oW++;$N=lJFnHs+%!Sh{h$jrj z!R#vZ&L=TUf~m{G2pr!@vngWJPTPAK@fs>F`Ig546TQb zAA2mqb>fewbJz3FyMPA34`P^l7ha5NanL2F*5hsvoWTVP#}oW?PQ9rYUl|~0UhI>v zGj!&_%n4&}JfAut%;w=Nh!|j4mg`01spDNR*GBK?5!f5%#}G}N>GZ2n686txJY@*d zIh``gc)}=MFJ$AG!r9iw$Qs&bJ7~6|) zP=aGJo`>v$Fe4Aq{4|Qacpfu24+58nwjvh3!J{hr5vD<8*qTQSHzy}{jAJx`RADpL zPv?)>yyrX8JKO`{Ti4lBuKK0I-KW2m`AS;(%#13$*yoeOM#_gqpKIbN68Y4tynd;7r z?V6DU?+hIGjYqIsWgPp+Yv+lfY&?O6Zrl1j`~SK<|8tS?5B7WY^ymLzcrti&{=Ygr z+@JqXQTT_othBOm>lFGzE#Y5qU5k|V{uc-E(K36tk_ER5xqQ)yX#>W;1W#S1aN?M) z+3fkRvnE04t9o7WlJ}N!xh(J)Xs1}`;799|^=x1MQf0IL+h5!Pq|HI># z`~3e&3a#)CrE8rLbY5eUrdEl#N%U_l<__hhom*Z}T18!k_P{=Fq#0Lfm9KT%(g;h; zw&`ngzBJNCQDFo5M}g)_lNwJ~65e*)x-9R3gl{|W!w zj*0uV31XRR;{-)@RkV_SuC!jOQNNG%RlTrNS@ypj?1R6g#!Ry!TffIn6Jya_rl=F9 zWsPi6FL#1&;eEv<-L>4ufcluu*1Nb?vgB*pTmO)m=M_&f9C2e}T`%y4u^LNpoiDf8 z=vu%&k?*Ack+zV!x+0*BLgTvvY{O|Z^u;2fmqCAH$Hi!L^_*<@j zyE!)cce1*9hzs>b2yU~ zl(M47VtN!cFO;A-AHgPv$z-bRokWIuS|@8v>K+oH~ktWiR0R1Z5ty{Lt*dqqM-nWpV~ zqiS@UcTX-fTBVe$73Nt_%Nve1=%tbysnUG?(5pvpqu6H?a=PN_jjZ+S+oRvmP+Zq* z6Z=*N%=_r*;S0<#_S)Qi1jCaDV;Iy3aJ@sCKbD#JP~4K-Ls?@~aGoIsL(ccgjR}h{ 
z=|%j$hxz(;if*Jf^6_5TvRd{ZbC(O;U2sA5mh}00hmdd5zFB3x-ZmA-k0edGQcY|6 z0FsN_-C+E{W$&DMJb4!fKQVs<|M>V(ah%s$5!`o%;!pczeqZ+GZ(e={%C-AZ03ZMW DS2b#{ literal 0 HcmV?d00001 diff --git a/cli/slsa-verifier/testdata/npm/gha/supreme-googles-cli-v02-tag-invalidsigprov.tgz.json b/cli/slsa-verifier/testdata/npm/gha/supreme-googles-cli-v02-tag-invalidsigprov.tgz.json new file mode 100644 index 000000000..e64205b33 --- /dev/null +++ b/cli/slsa-verifier/testdata/npm/gha/supreme-googles-cli-v02-tag-invalidsigprov.tgz.json 
@@ -0,0 +1 @@ +{"attestations":[{"predicateType":"https://github.com/npm/attestation/tree/main/specs/publish/v0.1","bundle":{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.1","verificationMaterial":{"publicKey":{"hint":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA"},"tlogEntries":[{"logIndex":"20783673","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"intoto","version":"0.0.2"},"integratedTime":"1684258381","inclusionPromise":{"signedEntryTimestamp":"MEYCIQCl9eQtjdbH3NYhjRI2NhrP68kBYs9LCLAF3zPUA7WWeAIhAJGvcgIZRzJYRC0yaeGlKdeJ7lvTxH6nkGk5T1kuwi6v"},"inclusionProof":null,"canonicalizedBody":"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"}],"timestampVerificationData":null},"dsseEnvelope":{"payload":"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","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEQCIH9UPk/qA/DXSrg5+iFASuKWQaAZi/mPGDAkMqmpi3uEAiBZkuiACjVBSoR7FTfrupgIt0wbTKfkGtAPxtmH7bkGyw==","keyid":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA"}]}}},{"predicateType":"https://slsa.dev/provenance/v0.2","bundle":{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.1","verificationMaterial":{"x509CertificateChain":{"certificates":[{"rawBytes":"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"},{"rawBytes":"MIICGjCCAaGgAwIBAgIUALnViVfnU0brJasmRkHrn/UnfaQwCgYIKoZIzj0EAwMwKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0yMjA0MTMyMDA2MTVaFw0zMTEwMDUxMzU2NThaMDcxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjEeMBwGA1UEAxMVc2lnc3RvcmUtaW50ZXJtZWRpYXRlMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE8RVS/ysH+NOvuDZyPIZtilgUF9NlarYpAd9HP1vBBH1U5CV77LSS7s0ZiH4nE7Hv7ptS6LvvR/STk798LVgMzLlJ4HeIfF3tHSaexLcYpSASr1kS0N/RgBJz/9jWCiXno3sweTAOBgNVHQ8BAf8EBAMCAQYwEwYDVR0lBAwwCgYIKwYBBQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU39Ppz1YkEZb5qNjpKFWixi4YZD8wHwYDVR0jBBgwFoAUWMAeX5FFpWapesyQoZMi0CrFxfowCgYIKoZIzj0EAwMDZwAwZAIwPCsQK4DYiZYDPIaDi5HFKnfxXx6ASSVmERfsynYBiX2X6SJRnZU84/9DZdnFvvxmAjBOt6
QpBlc4J/0DxvkTCqpclvziL6BCCPnjdlIB3Pu3BxsPmygUY7Ii2zbdCdliiow="},{"rawBytes":"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"}]},"tlogEntries":[{"logIndex":"20783663","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"intoto","version":"0.0.2"},"integratedTime":"1684258374","inclusionPromise":{"signedEntryTimestamp":"MEYCIQCPJ3WKZudSVvTRYl6s3WEBiWQviNfwkk/MsFI/B1rcGgIhAJs9r4sDUp/IPm+fJ0TegrQrTugkAs1pxxtIYXq705eY"},"inclusionProof":null,"canonicalizedBody":"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"}],"timestampVerificationData":null},"dsseEnvelope":{"payload":"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","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEQCICHxUgdfFjWrLh59IvXf8KvW31K9mQ0e5Uaa5Amd/ixUAiBg1UvePsa6da/j4fofUHfKYFSgiBO/4prqBv+ik0udyg==","keyid":""}]}}}]} \ No newline at end of file 
diff --git a/cli/slsa-verifier/testdata/npm/gha/supreme-googles-cli-v02-tag-invalidsigpub.tgz b/cli/slsa-verifier/testdata/npm/gha/supreme-googles-cli-v02-tag-invalidsigpub.tgz new file mode 100644 index 0000000000000000000000000000000000000000..693c7fffa891db14fa2cf20de032ce96eceedbbe GIT binary patch literal 1709 zcmV;e22%MSiwFP!00002|Ls_9Z`(K$?q~gqfqPgqI9s-pCI!4Wpo+!B!a9;qlA8^- zheDPZTa82-B9$~K`rmhkl4G~&UUz}pV6ST;h^gUl=9!0YL#~tbCRy_S)EhHDV$c4J zG8ha_UcQ8{$*~;1I>NT2~mUWfwe=+LjgaELXb97q!l%fJ9_K zCUOBv)>X=lWRZ)cx`%67m8uJOxn6;+%&)AqRmv>C&eMbpbRnrYta(-DTJsFnmAuU} ztmsvu@gGMcMIrBUv4m8LET>M&bSk+XS=P{o&mk$0*BdOU%uo-98Y-?6#7G8{g}kMv zO{hX@jK7O*xv~JDKx1TM*PY0|z=9srBFRf$At#5AF`%y<5;hnxx~xWA{{;piAS8bj z2DH&-GObH4v|*QwVW&QlFR`(LGSR%slR|BYHlt&D?gW5A9ogXX-1MSWk(8X^P<;z} zC5sFdgxo3_{&Q`pMC^@8St;~=4+~DS1*4F_MTSyN69ci7QgdkN(F)LJev4|?*ziDz zlGpl<2ELs~pw>L4iG=-fnqC!6A<;}GrJ5+>i5Ec>oW++;$N=lJFnHs+%!Sh{h$jrj z!R#vZ&L=TUf~m{G2pr!@vngWJPTPAK@fs>F`Ig546TQb zAA2mqb>fewbJz3FyMPA34`P^l7ha5NanL2F*5hsvoWTVP#}oW?PQ9rYUl|~0UhI>v zGj!&_%n4&}JfAut%;w=Nh!|j4mg`01spDNR*GBK?5!f5%#}G}N>GZ2n686txJY@*d zIh``gc)}=MFJ$AG!r9iw$Qs&bJ7~6|) zP=aGJo`>v$Fe4Aq{4|Qacpfu24+58nwjvh3!J{hr5vD<8*qTQSHzy}{jAJx`RADpL zPv?)>yyrX8JKO`{Ti4lBuKK0I-KW2m`AS;(%#13$*yoeOM#_gqpKIbN68Y4tynd;7r z?V6DU?+hIGjYqIsWgPp+Yv+lfY&?O6Zrl1j`~SK<|8tS?5B7WY^ymLzcrti&{=Ygr z+@JqXQTT_othBOm>lFGzE#Y5qU5k|V{uc-E(K36tk_ER5xqQ)yX#>W;1W#S1aN?M) z+3fkRvnE04t9o7WlJ}N!xh(J)Xs1}`;799|^=x1MQf0IL+h5!Pq|HI># z`~3e&3a#)CrE8rLbY5eUrdEl#N%U_l<__hhom*Z}T18!k_P{=Fq#0Lfm9KT%(g;h; zw&`ngzBJNCQDFo5M}g)_lNwJ~65e*)x-9R3gl{|W!w zj*0uV31XRR;{-)@RkV_SuC!jOQNNG%RlTrNS@ypj?1R6g#!Ry!TffIn6Jya_rl=F9 zWsPi6FL#1&;eEv<-L>4ufcluu*1Nb?vgB*pTmO)m=M_&f9C2e}T`%y4u^LNpoiDf8 z=vu%&k?*Ack+zV!x+0*BLgTvvY{O|Z^u;2fmqCAH$Hi!L^_*<@j zyE!)cce1*9hzs>b2yU~ zl(M47VtN!cFO;A-AHgPv$z-bRokWIuS|@8v>K+oH~ktWiR0R1Z5ty{Lt*dqqM-nWpV~ zqiS@UcTX-fTBVe$73Nt_%Nve1=%tbysnUG?(5pvpqu6H?a=PN_jjZ+S+oRvmP+Zq* z6Z=*N%=_r*;S0<#_S)Qi1jCaDV;Iy3aJ@sCKbD#JP~4K-Ls?@~aGoIsL(ccgjR}h{ 
z=|%j$hxz(;if*Jf^6_5TvRd{ZbC(O;U2sA5mh}00hmdd5zFB3x-ZmA-k0edGQcY|6 z0FsN_-C+E{W$&DMJb4!fKQVs<|M>V(ah%s$5!`o%;!pczeqZ+GZ(e={%C-AZ03ZMW DS2b#{ literal 0 HcmV?d00001 diff --git a/cli/slsa-verifier/testdata/npm/gha/supreme-googles-cli-v02-tag-invalidsigpub.tgz.json b/cli/slsa-verifier/testdata/npm/gha/supreme-googles-cli-v02-tag-invalidsigpub.tgz.json new file mode 100644 index 000000000..0390536fa --- /dev/null +++ b/cli/slsa-verifier/testdata/npm/gha/supreme-googles-cli-v02-tag-invalidsigpub.tgz.json 
@@ -0,0 +1 @@ +{"attestations":[{"predicateType":"https://github.com/npm/attestation/tree/main/specs/publish/v0.1","bundle":{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.1","verificationMaterial":{"publicKey":{"hint":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA"},"tlogEntries":[{"logIndex":"20783673","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"intoto","version":"0.0.2"},"integratedTime":"1684258381","inclusionPromise":{"signedEntryTimestamp":"MEYCIQCl9eQtjdbH3NYhjRI2NhrP68kBYs9LCLAF3zPUA7WWeAIhAJGvcgIZRzJYRC0yaeGlKdeJ7lvTxH6nkGk5T1kuwi6v"},"inclusionProof":null,"canonicalizedBody":"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"}],"timestampVerificationData":null},"dsseEnvelope":{"payload":"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","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEQCIH9UPk/qA/DXSrg5+iFASuKWQaAZi/mPGDAkMqmpi3uEAiBZkuiACjVBSoR7FTfrupgIt0wbTKfkGtAPxtmH7bkGyw==","keyid":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA"}]}}},{"predicateType":"https://slsa.dev/provenance/v0.2","bundle":{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.1","verificationMaterial":{"x509CertificateChain":{"certificates":[{"rawBytes":"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"},{"rawBytes":"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"},{"rawBytes":"MIIB9zCCAXygAwIBAgIUALZNAPFdxHPwjeDloDwyYChAO/4wCgYIKoZIzj0EAwMwKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0yMTEwMDcxMzU2NTlaFw0zMTEwMDUxMzU2NThaMCoxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjERMA8GA1UEAxMIc2lnc3RvcmUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT7XeFT4rb3PQGwS4IajtLk3/OlnpgangaBclYpsYBr5i+4ynB07ceb3LP0OIOZdxexX69c5iVuyJRQ+Hz05yi+UF3uBWAlHpiS5sh0+H2GHE7SXrk1EC5m1Tr19L9gg92jYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRYwB5fkUWlZql6zJChkyLQKsXF+jAfBgNVHSMEGDAWgBRYwB5fkUWlZql6zJChkyLQKsXF+jAKBggqhkjOPQQDAwNpADBmAjEAj1nHeXZp+13NWBNa+EDsDP8G1WWg1tCMWP/WHPqpaVo0jhswe
NFZgSs0eE7wYI4qAjEA2WB9ot98sIkoF3vZYdd3/VtWB5b9TNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ"}]},"tlogEntries":[{"logIndex":"20783663","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"intoto","version":"0.0.2"},"integratedTime":"1684258374","inclusionPromise":{"signedEntryTimestamp":"MEYCIQCPJ3WKZudSVvTRYl6s3WEBiWQviNfwkk/MsFI/B1rcGgIhAJs9r4sDUp/IPm+fJ0TegrQrTugkAs1pxxtIYXq705eY"},"inclusionProof":null,"canonicalizedBody":"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"}],"timestampVerificationData":null},"dsseEnvelope":{"payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInN1YmplY3QiOlt7Im5hbWUiOiJwa2c6bnBtLyU0MHRyaXNoYW5rYXRkYXRhZG9nL3N1cHJlbWUtZ29nZ2xlc0AxLjAuNSIsImRpZ2VzdCI6eyJzaGE1MTIiOiIxZTJlYmVjZTc1NzI1MDg3NmNkZTlkMGY2YzYzNmVkNmUwMDg4YTIzYTZjNDc3ZmUwY2QxYWZjYzExODAwYTViYTBjOTMyZjRhNTdhMTI1MzcwNjNkNDlkNzE3YmI3YWU3NmI4YTI5MzhiM2Q0OGU3ZjAyNjE3ZjY1NjRhZDkxOSJ9fV0sInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjAuMiIsInByZWRpY2F0ZSI6eyJidWlsZFR5cGUiOiJodHRwczovL2dpdGh1Yi5jb20vbnBtL2NsaS9naGEvdjIiLCJidWlsZGVyIjp7ImlkIjoiaHR0cHM6Ly9naXRodWIuY29tL2FjdGlvbnMvcnVubmVyIn0sImludm9jYXRpb24iOnsiY29uZmlnU291cmNlIjp7InVyaSI6ImdpdCtodHRwczovL2dpdGh1Yi5jb20vdHJpc2hhbmthdGRhdGFkb2cvc3VwcmVtZS1nb2dnbGVzQHJlZnMvdGFncy92MS4wLjUiLCJkaWdlc3QiOnsic2hhMSI6IjM4ZWJmOTk0NDRlMDMzYjJmMTU1MGM5YWFhZWFjZDYyZDAyYTEyYmEifSwiZW50cnlQb2ludCI6Ii5naXRodWIvd29ya2Zsb3dzL25wbS1wdWJsaXNoLnltbCJ9LCJwYXJhbWV0ZXJzIjp7fSwiZW52aXJvbm1lbnQiOnsiR0lUSFVCX0VWRU5UX05BTUUiOiJyZWxlYXNlIiwiR0lUSFVCX1JFRiI6InJlZnMvdGFncy92MS4wLjUiLCJHSVRIVUJfUkVQT1NJVE9SWSI6InRyaXNoYW5rYXRkYXRhZG9nL3N1cHJlbWUtZ29nZ2xlcyIsIkdJVEhVQl9SRVBPU0lUT1JZX0lEIjoiNjM2MjkyMDA2IiwiR0lUSFVCX1JFUE9TSVRPUllfT1dORVJfSUQiOiIzMzEzMzA3MyIsIkdJVEhVQl9SVU5fQVRURU1QVCI6IjEiLCJHSVRIVUJfUlVOX0lEIjoiNDk5NDk3NTc5MCIsIkdJVEhVQl9TSEEiOiIzOGViZjk5NDQ0ZTAzM2IyZjE1NTBjOWFhYWVhY2Q2MmQwMmExMmJhIiwiR0lUSFVCX1dPUktGTE9XX1JFRiI6InRyaXNoYW5rYXRkYXRhZG9nL3N1cHJlbWUtZ29nZ2xlcy8uZ2l0aHViL3dvcmtmbG93cy9uc
G0tcHVibGlzaC55bWxAcmVmcy90YWdzL3YxLjAuNSIsIkdJVEhVQl9XT1JLRkxPV19TSEEiOiIzOGViZjk5NDQ0ZTAzM2IyZjE1NTBjOWFhYWVhY2Q2MmQwMmExMmJhIn19LCJtZXRhZGF0YSI6eyJidWlsZEludm9jYXRpb25JZCI6IjQ5OTQ5NzU3OTAtMSIsImNvbXBsZXRlbmVzcyI6eyJwYXJhbWV0ZXJzIjpmYWxzZSwiZW52aXJvbm1lbnQiOmZhbHNlLCJtYXRlcmlhbHMiOmZhbHNlfSwicmVwcm9kdWNpYmxlIjpmYWxzZX0sIm1hdGVyaWFscyI6W3sidXJpIjoiZ2l0K2h0dHBzOi8vZ2l0aHViLmNvbS90cmlzaGFua2F0ZGF0YWRvZy9zdXByZW1lLWdvZ2dsZXNAcmVmcy90YWdzL3YxLjAuNSIsImRpZ2VzdCI6eyJzaGExIjoiMzhlYmY5OTQ0NGUwMzNiMmYxNTUwYzlhYWFlYWNkNjJkMDJhMTJiYSJ9fV19fQ==","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEQCICHxUgdfFjWrLh59IvXf8KvW31K9mQ0e5Uaa5Amd/ixUAiBg1UvePsa6da/j4fofUHfKYFSgiBO/4prqBv+ik0udyg==","keyid":""}]}}}]} \ No newline at end of file 
diff --git a/cli/slsa-verifier/testdata/npm/gha/supreme-googles-cli-v02-tag.tgz b/cli/slsa-verifier/testdata/npm/gha/supreme-googles-cli-v02-tag.tgz new file mode 100644 index 0000000000000000000000000000000000000000..693c7fffa891db14fa2cf20de032ce96eceedbbe GIT binary patch literal 1709 zcmV;e22%MSiwFP!00002|Ls_9Z`(K$?q~gqfqPgqI9s-pCI!4Wpo+!B!a9;qlA8^- zheDPZTa82-B9$~K`rmhkl4G~&UUz}pV6ST;h^gUl=9!0YL#~tbCRy_S)EhHDV$c4J zG8ha_UcQ8{$*~;1I>NT2~mUWfwe=+LjgaELXb97q!l%fJ9_K zCUOBv)>X=lWRZ)cx`%67m8uJOxn6;+%&)AqRmv>C&eMbpbRnrYta(-DTJsFnmAuU} ztmsvu@gGMcMIrBUv4m8LET>M&bSk+XS=P{o&mk$0*BdOU%uo-98Y-?6#7G8{g}kMv zO{hX@jK7O*xv~JDKx1TM*PY0|z=9srBFRf$At#5AF`%y<5;hnxx~xWA{{;piAS8bj z2DH&-GObH4v|*QwVW&QlFR`(LGSR%slR|BYHlt&D?gW5A9ogXX-1MSWk(8X^P<;z} zC5sFdgxo3_{&Q`pMC^@8St;~=4+~DS1*4F_MTSyN69ci7QgdkN(F)LJev4|?*ziDz zlGpl<2ELs~pw>L4iG=-fnqC!6A<;}GrJ5+>i5Ec>oW++;$N=lJFnHs+%!Sh{h$jrj z!R#vZ&L=TUf~m{G2pr!@vngWJPTPAK@fs>F`Ig546TQb zAA2mqb>fewbJz3FyMPA34`P^l7ha5NanL2F*5hsvoWTVP#}oW?PQ9rYUl|~0UhI>v zGj!&_%n4&}JfAut%;w=Nh!|j4mg`01spDNR*GBK?5!f5%#}G}N>GZ2n686txJY@*d zIh``gc)}=MFJ$AG!r9iw$Qs&bJ7~6|) zP=aGJo`>v$Fe4Aq{4|Qacpfu24+58nwjvh3!J{hr5vD<8*qTQSHzy}{jAJx`RADpL zPv?)>yyrX8JKO`{Ti4lBuKK0I-KW2m`AS;(%#13$*yoeOM#_gqpKIbN68Y4tynd;7r z?V6DU?+hIGjYqIsWgPp+Yv+lfY&?O6Zrl1j`~SK<|8tS?5B7WY^ymLzcrti&{=Ygr z+@JqXQTT_othBOm>lFGzE#Y5qU5k|V{uc-E(K36tk_ER5xqQ)yX#>W;1W#S1aN?M) z+3fkRvnE04t9o7WlJ}N!xh(J)Xs1}`;799|^=x1MQf0IL+h5!Pq|HI># z`~3e&3a#)CrE8rLbY5eUrdEl#N%U_l<__hhom*Z}T18!k_P{=Fq#0Lfm9KT%(g;h; zw&`ngzBJNCQDFo5M}g)_lNwJ~65e*)x-9R3gl{|W!w zj*0uV31XRR;{-)@RkV_SuC!jOQNNG%RlTrNS@ypj?1R6g#!Ry!TffIn6Jya_rl=F9 zWsPi6FL#1&;eEv<-L>4ufcluu*1Nb?vgB*pTmO)m=M_&f9C2e}T`%y4u^LNpoiDf8 z=vu%&k?*Ack+zV!x+0*BLgTvvY{O|Z^u;2fmqCAH$Hi!L^_*<@j zyE!)cce1*9hzs>b2yU~ zl(M47VtN!cFO;A-AHgPv$z-bRokWIuS|@8v>K+oH~ktWiR0R1Z5ty{Lt*dqqM-nWpV~ zqiS@UcTX-fTBVe$73Nt_%Nve1=%tbysnUG?(5pvpqu6H?a=PN_jjZ+S+oRvmP+Zq* z6Z=*N%=_r*;S0<#_S)Qi1jCaDV;Iy3aJ@sCKbD#JP~4K-Ls?@~aGoIsL(ccgjR}h{ 
z=|%j$hxz(;if*Jf^6_5TvRd{ZbC(O;U2sA5mh}00hmdd5zFB3x-ZmA-k0edGQcY|6 z0FsN_-C+E{W$&DMJb4!fKQVs<|M>V(ah%s$5!`o%;!pczeqZ+GZ(e={%C-AZ03ZMW DS2b#{ literal 0 HcmV?d00001 diff --git a/cli/slsa-verifier/testdata/npm/gha/supreme-googles-cli-v02-tag.tgz.json b/cli/slsa-verifier/testdata/npm/gha/supreme-googles-cli-v02-tag.tgz.json new file mode 100644 index 000000000..fbb4b7b41 --- /dev/null +++ b/cli/slsa-verifier/testdata/npm/gha/supreme-googles-cli-v02-tag.tgz.json 
@@ -0,0 +1 @@ +{"attestations":[{"predicateType":"https://github.com/npm/attestation/tree/main/specs/publish/v0.1","bundle":{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.1","verificationMaterial":{"publicKey":{"hint":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA"},"tlogEntries":[{"logIndex":"20783673","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"intoto","version":"0.0.2"},"integratedTime":"1684258381","inclusionPromise":{"signedEntryTimestamp":"MEYCIQCl9eQtjdbH3NYhjRI2NhrP68kBYs9LCLAF3zPUA7WWeAIhAJGvcgIZRzJYRC0yaeGlKdeJ7lvTxH6nkGk5T1kuwi6v"},"inclusionProof":null,"canonicalizedBody":"eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWRUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8ranNvbiIsInNpZ25hdHVyZXMiOlt7ImtleWlkIjoiU0hBMjU2OmpsM2J3c3d1ODBQampva0NnaDBvMnc1YzJVNExoUUFFNTdnajljejFrekEiLCJwdWJsaWNLZXkiOiJMUzB0TFMxQ1JVZEpUaUJRVlVKTVNVTWdTMFZaTFMwdExTMEtUVVpyZDBWM1dVaExiMXBKZW1vd1EwRlJXVWxMYjFwSmVtb3dSRUZSWTBSUlowRkZNVTlzWWpONlRVRkdSbmhZUzBocFNXdFJUelZqU2pOWmFHdzFhVFpWVUhBclNXaDFkR1ZDU21KMVNHTkJOVlZ2WjB0dk1FVlhkR3hYZDFjMlMxTmhTMjlVVGtWWlREZEtiRU5SYVZadWEyaENhM1JWWjJjOVBRb3RMUzB0TFVWT1JDQlFWVUpNU1VNZ1MwVlpMUzB0TFMwPSIsInNpZyI6IlRVVlJRMGxJT1ZWUWF5OXhRUzlFV0ZOeVp6VXJhVVpCVTNWTFYxRmhRVnBwTDIxUVIwUkJhMDF4YlhCcE0zVkZRV2xDV210MWFVRkRhbFpDVTI5U04wWlVabkoxY0dkSmREQjNZbFJMWm10SGRFRlFlSFJ0U0RkaWEwZDVkejA5In1dfSwiaGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6IjlhMTViMmJmNTNlOTA5MjdjZmFkZjcyOTEzYTRiNWNkMDA1YmI4NjU1ZTYyZTdjZjY3NWNkYmY5MjY1NjEyYTQifSwicGF5bG9hZEhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI5NjljYzgyZmZiZDcwOGY5NTkyOTdjMDk5N2U0NTdiZjY4YjhiM2JjYWM2ODNlMGE1MjdmNDg2MDNkOTBjM2Q1In19fX0="}],"timestampVerificationData":null},"dsseEnvelope":{"payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInN1YmplY3QiOlt7Im5hbWUiOiJwa2c6bnBtLyU0MHRyaXNoYW5rYXRkYXRhZG9nL3N1cHJlbWUtZ29nZ2xlc0AxLjAuNSIsImRpZ2VzdCI6eyJzaGE1MTIiOiIxZTJlYmVjZTc1NzI1MDg3NmNk
ZTlkMGY2YzYzNmVkNmUwMDg4YTIzYTZjNDc3ZmUwY2QxYWZjYzExODAwYTViYTBjOTMyZjRhNTdhMTI1MzcwNjNkNDlkNzE3YmI3YWU3NmI4YTI5MzhiM2Q0OGU3ZjAyNjE3ZjY1NjRhZDkxOSJ9fV0sInByZWRpY2F0ZVR5cGUiOiJodHRwczovL2dpdGh1Yi5jb20vbnBtL2F0dGVzdGF0aW9uL3RyZWUvbWFpbi9zcGVjcy9wdWJsaXNoL3YwLjEiLCJwcmVkaWNhdGUiOnsibmFtZSI6IkB0cmlzaGFua2F0ZGF0YWRvZy9zdXByZW1lLWdvZ2dsZXMiLCJ2ZXJzaW9uIjoiMS4wLjUiLCJyZWdpc3RyeSI6Imh0dHBzOi8vcmVnaXN0cnkubnBtanMub3JnIn19","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEQCIH9UPk/qA/DXSrg5+iFASuKWQaAZi/mPGDAkMqmpi3uEAiBZkuiACjVBSoR7FTfrupgIt0wbTKfkGtAPxtmH7bkGyw==","keyid":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA"}]}}},{"predicateType":"https://slsa.dev/provenance/v0.2","bundle":{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.1","verificationMaterial":{"x509CertificateChain":{"certificates":[{"rawBytes":"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"},{"rawBytes":"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"},{"rawBytes":"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"}]},"tlogEntries":[{"logIndex":"20783663","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"intoto","version":"0.0.2"},"integratedTime":"1684258374","inclusionPromise":{"signedEntryTimestamp":"MEYCIQCPJ3WKZudSVvTRYl6s3WEBiWQviNfwkk/MsFI/B1rcGgIhAJs9r4sDUp/IPm+fJ0TegrQrTugkAs1pxxtIYXq705eY"},"inclusionProof":null,"canonicalizedBody":"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"}],"timestampVerificationData":null},"dsseEnvelope":{"payload":"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","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEQCICHxUgdfFjWrLh59IvXf8KvW31K9mQ0e5Uaa5Amd/ixUAiBg1UvePsa6da/j4fofUHfKYFSgiBO/4prqBv+ik0udyg==","keyid":""}]}}}]} \ No newline at end of file diff --git a/errors/errors.go b/errors/errors.go index 8deeea0d5..9701262d7 100644 --- a/errors/errors.go +++ b/errors/errors.go 
@@ -43,4 +43,5 @@ var ( ErrorInvalidSubject = errors.New("invalid subject") ErrorInvalidHash = errors.New("invalid hash") ErrorNotPresent = errors.New("not present") + ErrorInvalidPublicKey = errors.New("invalid public key") ) diff --git a/verifiers/internal/gha/npm.go b/verifiers/internal/gha/npm.go index 1b35b7834..e492dcdc3 100644 --- a/verifiers/internal/gha/npm.go +++ b/verifiers/internal/gha/npm.go @@ -2,8 +2,6 @@ package gha import ( "context" - "crypto/ecdsa" - "crypto/sha256" "crypto/x509" "encoding/base64" "encoding/json" @@ -33,7 +31,7 @@ const ( var errrorInvalidAttestations = errors.New("invalid npm attestations") /* -NOTE: key available at https://registry.npmjs.org/-/npm/v1/keys +NOTE: key available at https://registry.npmjs.org/-/npm/v1/keys and https://github.com/sigstore/root-signing/blob/main/repository/repository/targets/registry.npmjs.org/7a8ec9678ad824cdccaa7a6dc0961caf8f8df61bc7274189122c123446248426.keys.json https://docs.npmjs.com/about-registry-signatures { @@ -48,7 +46,8 @@ NOTE: key available at https://registry.npmjs.org/-/npm/v1/keys ] } */ -var npmRegistryPublicKey = "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg==" +const npmRegistryPublicKey = "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg==" +const npmRegistryPublicKeyID = "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA" type attestationSet struct { Attestations []attestation `json:"attestations"` 
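Review bot: `npmRegistryPublicKeyID`, added in the last npm.go hunk on this line, has no comment, and nothing visible here ties it to `npmRegistryPublicKey`, so a later key update could change one constant and leave the other stale. A comment such as `// npmRegistryPublicKeyID is the keyid npm publishes for npmRegistryPublicKey; update both together.` would document the coupling. The NOTE block above now lists two sources for the key, so it would also help to say which one is treated as authoritative if they ever disagree.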
@@ -138,54 +137,27 @@ func (n *Npm) verifyProvenanceAttestationSignature() error { return nil } -func (n *Npm) verifyPublishAttesttationSignature() error { +func (n *Npm) verifyPublishAttestationSignature() error { // First verify the bundle and its rekor entry. signedPublish, err := verifyBundleAndEntryFromBytes(n.ctx, n.publishAttestation.BundleBytes, n.root, false) if err != nil { return err } - // Second, we verify the signature, which uses a static key. - // Extract payload. - env := signedPublish.Envelope - payload, err := utils.PayloadFromEnvelope(env) - if err != nil { - return err - } - - // Extract the signature. - if len(env.Signatures) == 0 { - return fmt.Errorf("%w: no signatures found in envelope", serrors.ErrorNoValidSignature) - } - - // The registry signs with a single, static, non-rotated key. - sig := env.Signatures[0].Sig - // TODO(#496): verify the keyid, both in DSSE and hint. - - // Verify the signature. - payloadHash := sha256.Sum256(payload) - rawKey, err := base64.StdEncoding.DecodeString(npmRegistryPublicKey) + // Verify the PAE signature. + derKey, err := base64.StdEncoding.DecodeString(npmRegistryPublicKey) if err != nil { return fmt.Errorf("DecodeString: %w", err) } - key, err := x509.ParsePKIXPublicKey(rawKey) + envVerifier, err := utils.DsseVerifierNew(derKey, utils.KeyFormatDER, npmRegistryPublicKeyID, nil) if err != nil { - return fmt.Errorf("x509.ParsePKIXPublicKey: %w", err) - } - - pubKey, ok := key.(*ecdsa.PublicKey) - if !ok { - return fmt.Errorf("%w: public key not of type ECDSA", err) + return err } - rsig, err := utils.DecodeSignature(sig) + _, err = envVerifier.Verify(context.Background(), signedPublish.Envelope) if err != nil { - return fmt.Errorf("decodeSigature: %w: %s", serrors.ErrorInvalidEncoding, err) - } - - if ecdsa.VerifyASN1(pubKey, payloadHash[:], rsig) { - return fmt.Errorf("%w: %s", serrors.ErrorInvalidSignature, sig) + return fmt.Errorf("%w: %w", serrors.ErrorInvalidSignature, err) } // Verification done. 
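Review bot: The DSSE check in verifyPublishAttestationSignature runs under `context.Background()` while the bundle check at the top of the function uses `n.ctx`, so cancellation and deadlines on the verifier's context stop applying halfway through; `_, err = envVerifier.Verify(n.ctx, signedPublish.Envelope)` keeps both steps on one context. The removed `TODO(#496)` asked for the key ID to be checked both in the DSSE signature and in the bundle's `publicKey.hint`. The new code passes `npmRegistryPublicKeyID` to `utils.DsseVerifierNew`, which presumably covers the DSSE `keyid`, but nothing in this hunk compares the hint, so either that check or a comment explaining why it is unnecessary should replace the TODO. The function body continues past the end of the hunk.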
@@ -314,7 +286,7 @@ func (n *Npm) verifyBuilderID( } func verifyPublishPredicateVersion(att *SignedAttestation, expectedVersion string) error { - _, version, err := getPublishPredicateData(att) + _, version, err := publishPredicateData(att) if err != nil { return err } @@ -326,7 +298,7 @@ func verifyPublishPredicateVersion(att *SignedAttestation, expectedVersion strin } func verifyPublishPredicateName(att *SignedAttestation, expectedName string) error { - name, _, err := getPublishPredicateData(att) + name, _, err := publishPredicateData(att) if err != nil { return err } @@ -337,7 +309,26 @@ func verifyPublishPredicateName(att *SignedAttestation, expectedName string) err return nil } -func getPublishPredicateData(att *SignedAttestation) (string, string, error) { +func subjectsFromAttestation(att *SignedAttestation) ([]intoto.Subject, error) { + env := att.Envelope + pyld, err := base64.StdEncoding.DecodeString(env.Payload) + if err != nil { + return nil, fmt.Errorf("%w: %w", serrors.ErrorInvalidDssePayload, err) + } + statement := struct { + intoto.StatementHeader + }{} + if err := json.Unmarshal(pyld, &statement); err != nil { + return nil, fmt.Errorf("%w: %w", serrors.ErrorInvalidDssePayload, err) + } + + if len(statement.Subject) == 0 { + return nil, fmt.Errorf("%w: no subjects", serrors.ErrorInvalidDssePayload) + } + return statement.Subject, nil +} + +func publishPredicateData(att *SignedAttestation) (string, string, error) { env := att.Envelope pyld, err := base64.StdEncoding.DecodeString(env.Payload) if err != nil { 
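Review bot: subjectsFromAttestation, added in the third hunk on this line, parses the envelope payload without any signature check of its own and has no doc comment saying so; a line such as `// subjectsFromAttestation returns the in-toto subjects of att; att must already have passed signature verification.` would make the precondition visible to future callers. The anonymous struct that only embeds `intoto.StatementHeader` adds nothing over `var statement intoto.StatementHeader`, which unmarshals the same fields. The base64-decode and unmarshal steps also repeat what publishPredicateData does immediately below, so a shared payload-decoding helper would keep the two error paths identical. publishPredicateData's body continues outside the hunk.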
@@ -377,8 +368,37 @@ func verifyProvenanceSubjectVersion(b *utils.TrustedBuilderID, att *SignedAttest return nil } +func (n *Npm) verifySubjectDigest(expectedHash string) error { + publishSubjects, err := subjectsFromAttestation(n.verifiedPublishAtt) + if err != nil { + return err + } + + // 8 bit represented in hex, so 8/2=4. + bitLength := len(expectedHash) * 4 + expectedAlgo := fmt.Sprintf("sha%v", bitLength) + if bitLength < 256 { + return fmt.Errorf("%w: expected minimum sha256, got %s", serrors.ErrorInvalidHash, expectedAlgo) + } + + for _, subject := range publishSubjects { + digestSet := subject.Digest + hash, exists := digestSet[expectedAlgo] + if !exists { + continue + } + if hash == expectedHash { + return nil + } + } + + // NOTE: We don't need to verify that the digest matches the one in the provenance + // because the provenance verification will verify the hash as well. + return fmt.Errorf("expected hash '%s' not found: %w", expectedHash, serrors.ErrorMismatchHash) +} + func verifyPublishSubjectVersion(att *SignedAttestation, expectedVersion string) error { - _, version, err := getPublishPredicateData(att) + _, version, err := publishPredicateData(att) if err != nil { return err } @@ -392,7 +412,7 @@ func verifyPublishSubjectVersion(att *SignedAttestation, expectedVersion string) } func verifyPublishSubjectName(att *SignedAttestation, expectedName string) error { - name, _, err := getPublishPredicateData(att) + name, _, err := publishPredicateData(att) if err != nil { return err } diff --git a/verifiers/internal/gha/npm_test.go b/verifiers/internal/gha/npm_test.go index ddcd0b014..e7f45f93e 100644 --- a/verifiers/internal/gha/npm_test.go +++ b/verifiers/internal/gha/npm_test.go 
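Review bot: In verifySubjectDigest the algorithm name is derived from the length of `expectedHash` alone, so a malformed input of 65 characters becomes `sha260` and ends in ErrorMismatchHash instead of ErrorInvalidHash. Rejecting lengths that are not a known digest size, for example `if bitLength != 256 && bitLength != 384 && bitLength != 512 {`, would report bad input as bad input. The comment `// 8 bit represented in hex, so 8/2=4.` does not explain the multiplication; `// Each hex character encodes 4 bits.` does. `n.verifiedPublishAtt` is passed to subjectsFromAttestation without a nil check, so calling this method before the publish signature has been verified would presumably panic rather than return an error. A guard that returns an error would make that ordering requirement fail closed.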
@@ -798,6 +798,84 @@ func Test_verifyPackageName(t *testing.T) { } } +func Test_verifySubjectDigest(t *testing.T) { + t.Parallel() + ctx := context.Background() + + trustedRoot, err := TrustedRootSingleton(ctx) + if err != nil { + t.Fatal(err) + } + + tests := []struct { + name string + path string + hash string + err error + }{ + { + name: "correct hash", + path: "npm-attestations.intoto.sigstore", + hash: "29d19f26233f4441328412b34fd73ed104ecfef62f14097890cccf7455b521b65c5acff851849faa85c85395aa22d401436f01f3afb61b19c780e906c88c7f20", + }, + { + name: "incorrect hash", + path: "npm-attestations.intoto.sigstore", + hash: "39d19f26233f4441328412b34fd73ed104ecfef62f14097890cccf7455b521b65c5acff851849faa85c85395aa22d401436f01f3afb61b19c780e906c88c7f20", + err: serrors.ErrorMismatchHash, + }, + { + name: "no subjects", + path: "npm-att-publish-nosubjects.intoto.sigstore", + hash: "29d19f26233f4441328412b34fd73ed104ecfef62f14097890cccf7455b521b65c5acff851849faa85c85395aa22d401436f01f3afb61b19c780e906c88c7f20", + err: serrors.ErrorInvalidDssePayload, + }, + { + name: "no digest", + path: "npm-att-publish-nodigest.intoto.sigstore", + hash: "29d19f26233f4441328412b34fd73ed104ecfef62f14097890cccf7455b521b65c5acff851849faa85c85395aa22d401436f01f3afb61b19c780e906c88c7f20", + err: serrors.ErrorMismatchHash, + }, + } + for _, tt := range tests { + tt := tt // Re-initializing variable so it is not changed while executing the closure below + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + + content, err := os.ReadFile(filepath.Join("testdata", tt.path)) + if err != nil { + panic(fmt.Errorf("os.ReadFile: %w", err)) + } + + npm, err := NpmNew(ctx, trustedRoot, content) + if err != nil { + panic(fmt.Errorf("NpmNew: %w", err)) + } + // Set provenance attestation. 
+ env, err := getEnvelopeFromBundleBytes(npm.provenanceAttestation.BundleBytes) + if err != nil { + panic(fmt.Errorf("getEnvelopeFromBundleBytes: %w", err)) + } + npm.verifiedProvenanceAtt = &SignedAttestation{ + Envelope: env, + } + + env, err = getEnvelopeFromBundleBytes(npm.publishAttestation.BundleBytes) + if err != nil { + panic(fmt.Errorf("getEnvelopeFromBundleBytes: %w", err)) + } + npm.verifiedPublishAtt = &SignedAttestation{ + Envelope: env, + } + + err = npm.verifySubjectDigest(tt.hash) + if !errCmp(err, tt.err) { + t.Errorf(cmp.Diff(err, tt.err)) + } + }) + } +} + func Test_verifyPackageVersion(t *testing.T) { t.Parallel() ctx := context.Background() 
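Review bot: `t.Errorf(cmp.Diff(err, tt.err))` at the end of the subtest uses the diff text as the format string, which recent `go vet` versions flag and which would garble any `%` in the output. The two tests added further down in this commit use `cmp.Diff(tt.err, err, cmpopts.EquateErrors())` with `t.Fatalf("unexpected error (-want +got): \n%s", diff)`, and the same form would fit here. The setup failures call `panic(...)` inside parallel subtests, where `t.Fatalf("os.ReadFile: %v", err)` would fail only the affected case. No table entry exercises the `bitLength < 256` branch of verifySubjectDigest, so ErrorInvalidHash is untested; a case with a 40-character hash and `err: serrors.ErrorInvalidHash` would cover it.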
@@ -1115,3 +1193,97 @@ func Test_NpmNew(t *testing.T) { }) } } + +func Test_verifyPublishAttestationSignature(t *testing.T) { + t.Parallel() + ctx := context.Background() + + trustedRoot, err := TrustedRootSingleton(ctx) + if err != nil { + t.Fatal(err) + } + + tests := []struct { + name string + path string + version string + err error + }{ + { + name: "correct", + path: "npm-attestations.intoto.sigstore", + }, + { + name: "incorrect signature", + path: "npm-att-publish-invalid-signature.intoto.sigstore", + err: serrors.ErrorInvalidSignature, + }, + } + for _, tt := range tests { + tt := tt // Re-initializing variable so it is not changed while executing the closure below + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + + content, err := os.ReadFile(filepath.Join("testdata", tt.path)) + if err != nil { + panic(fmt.Errorf("os.ReadFile: %w", err)) + } + + npm, err := NpmNew(ctx, trustedRoot, content) + if err != nil { + t.Fatalf("unexpected error: \n%s", err) + } + err = npm.verifyPublishAttestationSignature() + if diff := cmp.Diff(tt.err, err, cmpopts.EquateErrors()); diff != "" { + t.Fatalf("unexpected error (-want +got): \n%s", diff) + } + }) + } +} + +func Test_verifyProvenanceAttestationSignature(t *testing.T) { + t.Parallel() + ctx := context.Background() + + trustedRoot, err := TrustedRootSingleton(ctx) + if err != nil { + t.Fatal(err) + } + + tests := []struct { + name string + path string + version string + err error + }{ + { + name: "correct", + path: "npm-attestations.intoto.sigstore", + }, + { + name: "incorrect signature", + path: "npm-att-prov-invalid-signature.intoto.sigstore", + err: serrors.ErrorInvalidSignature, + }, + } + for _, tt := range tests { + tt := tt // Re-initializing variable so it is not changed while executing the closure below + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + + content, err := os.ReadFile(filepath.Join("testdata", tt.path)) + if err != nil { + panic(fmt.Errorf("os.ReadFile: %w", err)) + } + + npm, err := 
NpmNew(ctx, trustedRoot, content) + if err != nil { + t.Fatalf("unexpected error: \n%s", err) + } + err = npm.verifyProvenanceAttestationSignature() + if diff := cmp.Diff(tt.err, err, cmpopts.EquateErrors()); diff != "" { + t.Fatalf("unexpected error (-want +got): \n%s", diff) + } + }) + } +} diff --git a/verifiers/internal/gha/testdata/npm-att-prov-invalid-signature.intoto.sigstore b/verifiers/internal/gha/testdata/npm-att-prov-invalid-signature.intoto.sigstore new file mode 100644 index 000000000..e761f59de --- /dev/null +++ b/verifiers/internal/gha/testdata/npm-att-prov-invalid-signature.intoto.sigstore 
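Review bot: The negative cases in Test_verifyPublishAttestationSignature and Test_verifyProvenanceAttestationSignature cover only a tampered signature. Nothing visible here exercises a DSSE `keyid` that differs from `npmRegistryPublicKeyID`, or the IEEE P1363 signature encoding that the commit message says is now supported. Those may be covered by the utils tests outside this hunk, but a publish-attestation case for each would pin the regression this commit fixes from both sides. Both tables also declare a `version string` field that no case sets and no subtest reads, so it can be dropped. `panic(fmt.Errorf("os.ReadFile: %w", err))` could be `t.Fatalf("os.ReadFile: %v", err)`, matching the NpmNew check right below it.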
@@ -0,0 +1,94 @@ +{ + "attestations": [ + { + "predicateType": "https://slsa.dev/provenance/v0.2", + "bundle": { + "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.1", + "verificationMaterial": { + "x509CertificateChain": { + "certificates": [ + { + "rawBytes": "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" + }, + { + "rawBytes": "MIICGjCCAaGgAwIBAgIUALnViVfnU0brJasmRkHrn/UnfaQwCgYIKoZIzj0EAwMwKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0yMjA0MTMyMDA2MTVaFw0zMTEwMDUxMzU2NThaMDcxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjEeMBwGA1UEAxMVc2lnc3RvcmUtaW50ZXJtZWRpYXRlMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE8RVS/ysH+NOvuDZyPIZtilgUF9NlarYpAd9HP1vBBH1U5CV77LSS7s0ZiH4nE7Hv7ptS6LvvR/STk798LVgMzLlJ4HeIfF3tHSaexLcYpSASr1kS0N/RgBJz/9jWCiXno3sweTAOBgNVHQ8BAf8EBAMCAQYwEwYDVR0lBAwwCgYIKwYBBQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU39Ppz1YkEZb5qNjpKFWixi4YZD8wHwYDVR0jBBgwFoAUWMAeX5FFpWapesyQoZMi0CrFxfowCgYIKoZIzj0EAwMDZwAwZAIwPCsQK4DYiZYDPIaDi5HFKnfxXx6ASSVmERfsynYBiX2X6SJRnZU84/9DZdnFvvxmAjBOt6QpBlc4J/0DxvkTCqpclvziL6BCCPnjdlIB3Pu3BxsPmygUY7Ii2zbdCdliiow=" + }, + { + "rawBytes": "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" + } + ] + }, + "tlogEntries": [ + { + "logIndex": "13420286", + "logId": { + "keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0=" + }, + "kindVersion": { + "kind": "intoto", + "version": "0.0.2" + }, + "integratedTime": "1676489612", + "inclusionPromise": { + "signedEntryTimestamp": "MEUCIG/LjJ5tqTgKvbA0F+96CJHIk2X0S+9cBz1Z04BfU7dLAiEA7cpf1Agv0VyEu0wR41nEZ9AZ6GVaYR5rf4AAYIZr4hk=" + }, + "inclusionProof": null, + "canonicalizedBody": "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" + } + ], + "timestampVerificationData": null + }, + "dsseEnvelope": { + "payload": "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", + "payloadType": "application/vnd.in-toto+json", + "signatures": [ + { + "sig": "MEUCIQDJahTpSnlv6HzUj2y1/PBYLFy8hhJ+5eABY7uy8RPsGQIgJVuL3Gr9yb2TPUEMs6Iei5HPHbyGl6ixgd41yvy07RQ=", + "keyid": "" + } + 
] + } + } + }, + { + "predicateType": "https://github.com/npm/attestation/tree/main/specs/publish/v0.1", + "bundle": { + "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.1", + "verificationMaterial": { + "publicKey": { + "hint": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA" + }, + "tlogEntries": [ + { + "logIndex": "13420289", + "logId": { + "keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0=" + }, + "kindVersion": { + "kind": "intoto", + "version": "0.0.2" + }, + "integratedTime": "1676489615", + "inclusionPromise": { + "signedEntryTimestamp": "MEUCICYgQbiFj7t0A9B/p4Hkq5H0gB41InPBFFnhEeuP4Fo0AiEA7fGqVACs5cFpoQGHX8HVDq/jKBWbS0gutPXpcOz6r6g=" + }, + "inclusionProof": null, + "canonicalizedBody": "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" + } + ], + "timestampVerificationData": null + }, + "dsseEnvelope": { + "payload": "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", + "payloadType": "application/vnd.in-toto+json", + "signatures": [ + { + "sig": "MEQCIC01aF9PaIf+sjcqOmn4AVT79OWDgTQU5e/mRm1m2HvyAiAppz0FKUmCWjnSdk4m2TaMemjDKcEmLXB8UFD5YZt36g==", + "keyid": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA" + } + ] + } + } + } + ] +} diff --git a/verifiers/internal/gha/testdata/npm-att-publish-invalid-signature.intoto.sigstore b/verifiers/internal/gha/testdata/npm-att-publish-invalid-signature.intoto.sigstore new file mode 100644 index 000000000..d2b08ff59 --- /dev/null +++ b/verifiers/internal/gha/testdata/npm-att-publish-invalid-signature.intoto.sigstore 
@@ -0,0 +1,94 @@ +{ + "attestations": [ + { + "predicateType": "https://slsa.dev/provenance/v0.2", + "bundle": { + "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.1", + "verificationMaterial": { + "x509CertificateChain": { + "certificates": [ + { + "rawBytes": "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" + }, + { + "rawBytes": "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" + }, + { + "rawBytes": "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" + } + ] + }, + "tlogEntries": [ + { + "logIndex": "13420286", + "logId": { + "keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0=" + }, + "kindVersion": { + "kind": "intoto", + "version": "0.0.2" + }, + "integratedTime": "1676489612", + "inclusionPromise": { + "signedEntryTimestamp": "MEUCIG/LjJ5tqTgKvbA0F+96CJHIk2X0S+9cBz1Z04BfU7dLAiEA7cpf1Agv0VyEu0wR41nEZ9AZ6GVaYR5rf4AAYIZr4hk=" + }, + "inclusionProof": null, + "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWRUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8ranNvbiIsInNpZ25hdHVyZXMiOlt7InB1YmxpY0tleSI6IkxTMHRMUzFDUlVkSlRpQkRSVkpVU1VaSlEwRlVSUzB0TFMwdENrMUpTVVI2VkVORFFURlRaMEYzU1VKQlowbFZVMVZPWlVWcVQxUlBiSGgzTW0xQmJWWjFiMmMyZDJGNkswNWpkME5uV1VsTGIxcEplbW93UlVGM1RYY0tUbnBGVmsxQ1RVZEJNVlZGUTJoTlRXTXliRzVqTTFKMlkyMVZkVnBIVmpKTlVqUjNTRUZaUkZaUlVVUkZlRlo2WVZka2VtUkhPWGxhVXpGd1ltNVNiQXBqYlRGc1drZHNhR1JIVlhkSWFHTk9UV3BOZDAxcVJURk5WR3Q2VFhwTmVWZG9ZMDVOYWsxM1RXcEZNVTFVYXpCTmVrMTVWMnBCUVUxR2EzZEZkMWxJQ2t0dldrbDZhakJEUVZGWlNVdHZXa2w2YWpCRVFWRmpSRkZuUVVWV1YzSk9Na0Y1WXpOVk9EQlNRbTV4Y2taemMwTllja1pGVkdWNVRYTnJVV2hNUVZnS1lVOUJZbUZRZVd4TVlUWkhhWFZvY2xwVlJXUXJhVEpSSzJ0MmRHeFBTazQyVjNaS1lXOUphWEpIVlZWM09EUnpZMHRQUTBGdVRYZG5aMHAyVFVFMFJ3cEJNVlZrUkhkRlFpOTNVVVZCZDBsSVowUkJWRUpuVGxaSVUxVkZSRVJCUzBKblozSkNaMFZHUWxGalJFRjZRV1JDWjA1V1NGRTBSVVpuVVZWbldVNTVDa05hU0ZWd2EzcENabkZzWmxOb01pdGtWaTl1Y1djNGQwaDNXVVJXVWpCcVFrSm5kMFp2UVZVek9WQndlakZaYTBWYVlqVnhUbXB3UzBaWGFYaHBORmtLV2tRNGQySjNXVVJXVWp
CU1FWRklMMEpIVlhkWk5GcG9ZVWhTTUdOSVRUWk1lVGx1WVZoU2IyUlhTWFZaTWpsMFRESjRhR1JZU214aWJsSjZZVmN4ZGdwaWFUbDNZMjA1TWxwWE5XaGliVTVzVEZjMWQySlRNVEJhV0U0d1RIazFibUZZVW05a1YwbDJaREk1ZVdFeVduTmlNMlI2VEROS2JHSkhWbWhqTWxWMUNtVlhNWE5SU0Vwc1dtNU5kbUZIVm1oYVNFMTJZbGRHY0dKcVFUVkNaMjl5UW1kRlJVRlpUeTlOUVVWQ1FrTjBiMlJJVW5kamVtOTJURE5TZG1FeVZuVUtURzFHYW1SSGJIWmliazExV2pKc01HRklWbWxrV0U1c1kyMU9kbUp1VW14aWJsRjFXVEk1ZEUxQ09FZERhWE5IUVZGUlFtYzNPSGRCVVVsRlJWaGtkZ3BqYlhSdFlrYzVNMWd5VW5Cak0wSm9aRWRPYjAxRVdVZERhWE5IUVZGUlFtYzNPSGRCVVUxRlMwUkZNbGx0Um1sYWJWcHBUMVJGTVUxNlozaE5WMVY0Q2s5VVRtcE5SRVUxVDFSTk5VMTZhM2hOZWxVelRYcGplVmxxU1RGWk1sVjNTbWRaUzB0M1dVSkNRVWRFZG5wQlFrSkJVVmxWU0ZacFlrZHNlbUZEUWxFS1dWZE9jbGxYWkd4SlNGSjJTVWMxZDJKWGNIcE5RelJIUTJselIwRlJVVUpuTnpoM1FWRlZSVWxIZUdoa1dFcHNZbTVTZW1GWE1YWmlhVGwzWTIwNU1ncGFWelZvWW0xT2JFeFhOWGRpVXpFd1dsaE9NRTFDTUVkRGFYTkhRVkZSUW1jM09IZEJVVmxGUkROS2JGcHVUWFpoUjFab1draE5kbUpYUm5CaWFrTkNDbWwzV1V0TGQxbENRa0ZJVjJWUlNVVkJaMUk1UWtoelFXVlJRak5CVGpBNVRVZHlSM2g0UlhsWmVHdGxTRXBzYms1M1MybFRiRFkwTTJwNWRDODBaVXNLWTI5QmRrdGxOazlCUVVGQ2FHeGhVbGhPVFVGQlFWRkVRVVZuZDFKblNXaEJUMXBaU0VNeVFYbENORTF0TlhWV05tVjBhV1ZuWTJSdlFqVjBMek5STmdwbE9IQmhhREpDU0RZd2RYSkJhVVZCZGpseWRqWlhUa2w1VUdaWWNsQXhlWHA1YTFGc1pIYzVhVVY0VTBKb0wySnlUazVxVkV4NlVDdDNXWGREWjFsSkNrdHZXa2w2YWpCRlFYZE5SRnAzUVhkYVFVbDNWQ3R1VDFWalIyMVVLMHN4WjNSVkwwVlVhVXBsZDFKVVdIUllOV0pxUm1nd1FVVkVWM3BXUm14TVVVc0theXREVFVOeUswTnRhRXBuWm05aVpEZ3pjWGRCYWtGNk9WZHdOQzlyY2tsbmVTdHhSRGR2WlVOM2JGVklOelJOVG1kWGNIa3lVVlUxVDNnelNqWXhkd3BRTWk4d1R6ZGlhRWcxWmtSaFIzUlpWVVpMV25wM1FUMEtMUzB0TFMxRlRrUWdRMFZTVkVsR1NVTkJWRVV0TFMwdExRbz0iLCJzaWciOiJUVVZWUTBsUlJFcGhhRlJ3VTI1c2RqWkllbFZxTW5reEwxQkNXVXhHZVRob2FFb3JOV1ZCUWxrM2RYazRVbEJ6UjFGSlowcFdkVXd6UjNJNWVXSXlWRkJWUlUxek5rbGxhVFZJVUVoaWVVZHNObWw0WjJRME1YbDJlVEEzVWxFOSJ9XX0sImhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiIyYzVhZjNiZThjNzcxYzAwYzVhZGYwNDAxMzQ5YTg1NjM5NjA3Nzg4MzQwNjRhMmYyOTk5YzY4YmZiMWI0Njg4In0sInBheWxvYWRIYXNoIjp7ImFsZ29yaXRobSI6InNoYTI1NiIsInZhbHVlIjoiNjg5ZTE2NmNlM2I1Zjk5MTgxZDExYjcyYjg
2OTJkODEwYjJlM2NkMTdmZWNiZjBiNzRmNDBmYTRmNmUzNjNkNSJ9fX19" + } + ], + "timestampVerificationData": null + }, + "dsseEnvelope": { + "payload": "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", + "payloadType": "application/vnd.in-toto+json", + "signatures": [ + { + "sig": "MEUCIQDJahTpSnlv6HzUj2y1/PBYLFy8hhJ+5eABY7uy8RPsGQIgJVuL3Gr9yb2TPUEMs6Iei5HPHbyGl6ixgd41yvy07RQ=", + "keyid": "" + } + ] + } + } + }, + { + "predicateType": "https://github.com/npm/attestation/tree/main/specs/publish/v0.1", + "bundle": { + "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.1", + "verificationMaterial": { + "publicKey": { + "hint": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA" + }, + "tlogEntries": [ + { + "logIndex": "13420289", + "logId": { + "keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0=" + }, + "kindVersion": { + "kind": "intoto", + "version": "0.0.2" + }, + "integratedTime": "1676489615", + "inclusionPromise": { + "signedEntryTimestamp": "MEUCICYgQbiFj7t0A9B/p4Hkq5H0gB41InPBFFnhEeuP4Fo0AiEA7fGqVACs5cFpoQGHX8HVDq/jKBWbS0gutPXpcOz6r6g=" + }, + "inclusionProof": null, + "canonicalizedBody": 
"eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWRUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8ranNvbiIsInNpZ25hdHVyZXMiOlt7ImtleWlkIjoiU0hBMjU2OmpsM2J3c3d1ODBQampva0NnaDBvMnc1YzJVNExoUUFFNTdnajljejFrekEiLCJwdWJsaWNLZXkiOiJMUzB0TFMxQ1JVZEpUaUJRVlVKTVNVTWdTMFZaTFMwdExTMEtUVVpyZDBWM1dVaExiMXBKZW1vd1EwRlJXVWxMYjFwSmVtb3dSRUZSWTBSUlowRkZNVTlzWWpONlRVRkdSbmhZUzBocFNXdFJUelZqU2pOWmFHdzFhVFpWVUhBclNXaDFkR1ZDU21KMVNHTkJOVlZ2WjB0dk1FVlhkR3hYZDFjMlMxTmhTMjlVVGtWWlREZEtiRU5SYVZadWEyaENhM1JWWjJjOVBRb3RMUzB0TFVWT1JDQlFWVUpNU1VNZ1MwVlpMUzB0TFMwPSIsInNpZyI6IlRVVlJRMGxETURGaFJqbFFZVWxtSzNOcVkzRlBiVzQwUVZaVU56bFBWMFJuVkZGVk5XVXZiVkp0TVcweVNIWjVRV2xCY0hCNk1FWkxWVzFEVjJwdVUyUnJORzB5VkdGTlpXMXFSRXRqUlcxTVdFSTRWVVpFTlZsYWRETTJaejA5In1dfSwiaGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6IjkxNDU3YjdiYzg1NTgwY2Y2NTAxNDM5NDU5ZDYyOWI0YzBlOTUxNmFjNzc3NTllNGQwNzMwZjVlMTUxNjRkMDcifSwicGF5bG9hZEhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI1ZmFmZTQwMmJiYzBiMTNhMmFmMmIzMjhjYmNjNmFiZTlmZTA1MGRkNDUzNjNkNTE1YWIyYzk4MjA3NDMwNjVkIn19fX0=" + } + ], + "timestampVerificationData": null + }, + "dsseEnvelope": { + "payload": "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", + "payloadType": "application/vnd.in-toto+json", + "signatures": [ + { + "sig": "MEQCIC01aF9PaIf+sjcqOmn4AVT79OWDgTQU5e/mRm1m2HvyAiAppz0FKUmCWjnSdk4m2TaMemjDKcEmLXB8UFD5YZt36g==", + "keyid": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA" + } + ] + } + } + } + ] +} diff --git a/verifiers/internal/gha/testdata/npm-att-publish-nodigest.intoto.sigstore b/verifiers/internal/gha/testdata/npm-att-publish-nodigest.intoto.sigstore new file mode 100644 index 000000000..74e41521c --- /dev/null +++ b/verifiers/internal/gha/testdata/npm-att-publish-nodigest.intoto.sigstore 
@@ -0,0 +1,94 @@ +{ + "attestations": [ + { + "predicateType": "https://slsa.dev/provenance/v0.2", + "bundle": { + "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.1", + "verificationMaterial": { + "x509CertificateChain": { + "certificates": [ + { + "rawBytes": "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" + }, + { + "rawBytes": "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" + }, + { + "rawBytes": "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" + } + ] + }, + "tlogEntries": [ + { + "logIndex": "13420286", + "logId": { + "keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0=" + }, + "kindVersion": { + "kind": "intoto", + "version": "0.0.2" + }, + "integratedTime": "1676489612", + "inclusionPromise": { + "signedEntryTimestamp": "MEUCIG/LjJ5tqTgKvbA0F+96CJHIk2X0S+9cBz1Z04BfU7dLAiEA7cpf1Agv0VyEu0wR41nEZ9AZ6GVaYR5rf4AAYIZr4hk=" + }, + "inclusionProof": null, + "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWRUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8ranNvbiIsInNpZ25hdHVyZXMiOlt7InB1YmxpY0tleSI6IkxTMHRMUzFDUlVkSlRpQkRSVkpVU1VaSlEwRlVSUzB0TFMwdENrMUpTVVI2VkVORFFURlRaMEYzU1VKQlowbFZVMVZPWlVWcVQxUlBiSGgzTW0xQmJWWjFiMmMyZDJGNkswNWpkME5uV1VsTGIxcEplbW93UlVGM1RYY0tUbnBGVmsxQ1RVZEJNVlZGUTJoTlRXTXliRzVqTTFKMlkyMVZkVnBIVmpKTlVqUjNTRUZaUkZaUlVVUkZlRlo2WVZka2VtUkhPWGxhVXpGd1ltNVNiQXBqYlRGc1drZHNhR1JIVlhkSWFHTk9UV3BOZDAxcVJURk5WR3Q2VFhwTmVWZG9ZMDVOYWsxM1RXcEZNVTFVYXpCTmVrMTVWMnBCUVUxR2EzZEZkMWxJQ2t0dldrbDZhakJEUVZGWlNVdHZXa2w2YWpCRVFWRmpSRkZuUVVWV1YzSk9Na0Y1WXpOVk9EQlNRbTV4Y2taemMwTllja1pGVkdWNVRYTnJVV2hNUVZnS1lVOUJZbUZRZVd4TVlUWkhhWFZvY2xwVlJXUXJhVEpSSzJ0MmRHeFBTazQyVjNaS1lXOUphWEpIVlZWM09EUnpZMHRQUTBGdVRYZG5aMHAyVFVFMFJ3cEJNVlZrUkhkRlFpOTNVVVZCZDBsSVowUkJWRUpuVGxaSVUxVkZSRVJCUzBKblozSkNaMFZHUWxGalJFRjZRV1JDWjA1V1NGRTBSVVpuVVZWbldVNTVDa05hU0ZWd2EzcENabkZzWmxOb01pdGtWaTl1Y1djNGQwaDNXVVJXVWpCcVFrSm5kMFp2UVZVek9WQndlakZaYTBWYVlqVnhUbXB3UzBaWGFYaHBORmtLV2tRNGQySjNXVVJXVWp
CU1FWRklMMEpIVlhkWk5GcG9ZVWhTTUdOSVRUWk1lVGx1WVZoU2IyUlhTWFZaTWpsMFRESjRhR1JZU214aWJsSjZZVmN4ZGdwaWFUbDNZMjA1TWxwWE5XaGliVTVzVEZjMWQySlRNVEJhV0U0d1RIazFibUZZVW05a1YwbDJaREk1ZVdFeVduTmlNMlI2VEROS2JHSkhWbWhqTWxWMUNtVlhNWE5SU0Vwc1dtNU5kbUZIVm1oYVNFMTJZbGRHY0dKcVFUVkNaMjl5UW1kRlJVRlpUeTlOUVVWQ1FrTjBiMlJJVW5kamVtOTJURE5TZG1FeVZuVUtURzFHYW1SSGJIWmliazExV2pKc01HRklWbWxrV0U1c1kyMU9kbUp1VW14aWJsRjFXVEk1ZEUxQ09FZERhWE5IUVZGUlFtYzNPSGRCVVVsRlJWaGtkZ3BqYlhSdFlrYzVNMWd5VW5Cak0wSm9aRWRPYjAxRVdVZERhWE5IUVZGUlFtYzNPSGRCVVUxRlMwUkZNbGx0Um1sYWJWcHBUMVJGTVUxNlozaE5WMVY0Q2s5VVRtcE5SRVUxVDFSTk5VMTZhM2hOZWxVelRYcGplVmxxU1RGWk1sVjNTbWRaUzB0M1dVSkNRVWRFZG5wQlFrSkJVVmxWU0ZacFlrZHNlbUZEUWxFS1dWZE9jbGxYWkd4SlNGSjJTVWMxZDJKWGNIcE5RelJIUTJselIwRlJVVUpuTnpoM1FWRlZSVWxIZUdoa1dFcHNZbTVTZW1GWE1YWmlhVGwzWTIwNU1ncGFWelZvWW0xT2JFeFhOWGRpVXpFd1dsaE9NRTFDTUVkRGFYTkhRVkZSUW1jM09IZEJVVmxGUkROS2JGcHVUWFpoUjFab1draE5kbUpYUm5CaWFrTkNDbWwzV1V0TGQxbENRa0ZJVjJWUlNVVkJaMUk1UWtoelFXVlJRak5CVGpBNVRVZHlSM2g0UlhsWmVHdGxTRXBzYms1M1MybFRiRFkwTTJwNWRDODBaVXNLWTI5QmRrdGxOazlCUVVGQ2FHeGhVbGhPVFVGQlFWRkVRVVZuZDFKblNXaEJUMXBaU0VNeVFYbENORTF0TlhWV05tVjBhV1ZuWTJSdlFqVjBMek5STmdwbE9IQmhhREpDU0RZd2RYSkJhVVZCZGpseWRqWlhUa2w1VUdaWWNsQXhlWHA1YTFGc1pIYzVhVVY0VTBKb0wySnlUazVxVkV4NlVDdDNXWGREWjFsSkNrdHZXa2w2YWpCRlFYZE5SRnAzUVhkYVFVbDNWQ3R1VDFWalIyMVVLMHN4WjNSVkwwVlVhVXBsZDFKVVdIUllOV0pxUm1nd1FVVkVWM3BXUm14TVVVc0theXREVFVOeUswTnRhRXBuWm05aVpEZ3pjWGRCYWtGNk9WZHdOQzlyY2tsbmVTdHhSRGR2WlVOM2JGVklOelJOVG1kWGNIa3lVVlUxVDNnelNqWXhkd3BRTWk4d1R6ZGlhRWcxWmtSaFIzUlpWVVpMV25wM1FUMEtMUzB0TFMxRlRrUWdRMFZTVkVsR1NVTkJWRVV0TFMwdExRbz0iLCJzaWciOiJUVVZWUTBsUlJFcGhhRlJ3VTI1c2RqWkllbFZxTW5reEwxQkNXVXhHZVRob2FFb3JOV1ZCUWxrM2RYazRVbEJ6UjFGSlowcFdkVXd6UjNJNWVXSXlWRkJWUlUxek5rbGxhVFZJVUVoaWVVZHNObWw0WjJRME1YbDJlVEEzVWxFOSJ9XX0sImhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiIyYzVhZjNiZThjNzcxYzAwYzVhZGYwNDAxMzQ5YTg1NjM5NjA3Nzg4MzQwNjRhMmYyOTk5YzY4YmZiMWI0Njg4In0sInBheWxvYWRIYXNoIjp7ImFsZ29yaXRobSI6InNoYTI1NiIsInZhbHVlIjoiNjg5ZTE2NmNlM2I1Zjk5MTgxZDExYjcyYjg
2OTJkODEwYjJlM2NkMTdmZWNiZjBiNzRmNDBmYTRmNmUzNjNkNSJ9fX19" + } + ], + "timestampVerificationData": null + }, + "dsseEnvelope": { + "payload": "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", + "payloadType": "application/vnd.in-toto+json", + "signatures": [ + { + "sig": "MEUCIQDJahTpSnlv6HzUj2y1/PBYLFy8hhJ+5eABY7uy8RPsGQIgJVuL3Gr9yb2TPUEMs6Iei5HPHbyGl6ixgd41yvy07RQ=", + "keyid": "" + } + ] + } + } + }, + { + "predicateType": "https://github.com/npm/attestation/tree/main/specs/publish/v0.1", + "bundle": { + "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.1", + "verificationMaterial": { + "publicKey": { + "hint": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA" + }, + "tlogEntries": [ + { + "logIndex": "13420289", + "logId": { + "keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0=" + }, + "kindVersion": { + "kind": "intoto", + "version": "0.0.2" + }, + "integratedTime": "1676489615", + "inclusionPromise": { + "signedEntryTimestamp": "MEUCICYgQbiFj7t0A9B/p4Hkq5H0gB41InPBFFnhEeuP4Fo0AiEA7fGqVACs5cFpoQGHX8HVDq/jKBWbS0gutPXpcOz6r6g=" + }, + "inclusionProof": null, + "canonicalizedBody": "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" + } + ], + "timestampVerificationData": null + }, + "dsseEnvelope": { + "payload": "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", + "payloadType": "application/vnd.in-toto+json", + "signatures": [ + { + "sig": "MEQCIC01aF9PaIf+sjcqOmn4AVT79OWDgTQU5e/mRm1m2HvyAiAppz0FKUmCWjnSdk4m2TaMemjDKcEmLXB8UFD5YZt36g==", + "keyid": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA" + } + ] + } + } + } + ] +} diff --git a/verifiers/internal/gha/testdata/npm-att-publish-nosubjects.intoto.sigstore b/verifiers/internal/gha/testdata/npm-att-publish-nosubjects.intoto.sigstore new file mode 100644 index 000000000..2542f8d03 --- /dev/null +++ b/verifiers/internal/gha/testdata/npm-att-publish-nosubjects.intoto.sigstore 
@@ -0,0 +1,94 @@ +{ + "attestations": [ + { + "predicateType": "https://slsa.dev/provenance/v0.2", + "bundle": { + "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.1", + "verificationMaterial": { + "x509CertificateChain": { + "certificates": [ + { + "rawBytes": "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" + }, + { + "rawBytes": "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" + }, + { + "rawBytes": "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" + } + ] + }, + "tlogEntries": [ + { + "logIndex": "13420286", + "logId": { + "keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0=" + }, + "kindVersion": { + "kind": "intoto", + "version": "0.0.2" + }, + "integratedTime": "1676489612", + "inclusionPromise": { + "signedEntryTimestamp": "MEUCIG/LjJ5tqTgKvbA0F+96CJHIk2X0S+9cBz1Z04BfU7dLAiEA7cpf1Agv0VyEu0wR41nEZ9AZ6GVaYR5rf4AAYIZr4hk=" + }, + "inclusionProof": null, + "canonicalizedBody": "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" + } + ], + "timestampVerificationData": null + }, + "dsseEnvelope": { + "payload": "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", + "payloadType": "application/vnd.in-toto+json", + "signatures": [ + { + "sig": "MEUCIQDJahTpSnlv6HzUj2y1/PBYLFy8hhJ+5eABY7uy8RPsGQIgJVuL3Gr9yb2TPUEMs6Iei5HPHbyGl6ixgd41yvy07RQ=", + "keyid": "" + } + ] + } + } + }, + { + "predicateType": "https://github.com/npm/attestation/tree/main/specs/publish/v0.1", + "bundle": { + "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.1", + "verificationMaterial": { + "publicKey": { + "hint": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA" + }, + "tlogEntries": [ + { + "logIndex": "13420289", + "logId": { + "keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0=" + }, + "kindVersion": { + "kind": "intoto", + "version": "0.0.2" + }, + "integratedTime": "1676489615", + "inclusionPromise": { + "signedEntryTimestamp": 
"MEUCICYgQbiFj7t0A9B/p4Hkq5H0gB41InPBFFnhEeuP4Fo0AiEA7fGqVACs5cFpoQGHX8HVDq/jKBWbS0gutPXpcOz6r6g=" + }, + "inclusionProof": null, + "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWRUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8ranNvbiIsInNpZ25hdHVyZXMiOlt7ImtleWlkIjoiU0hBMjU2OmpsM2J3c3d1ODBQampva0NnaDBvMnc1YzJVNExoUUFFNTdnajljejFrekEiLCJwdWJsaWNLZXkiOiJMUzB0TFMxQ1JVZEpUaUJRVlVKTVNVTWdTMFZaTFMwdExTMEtUVVpyZDBWM1dVaExiMXBKZW1vd1EwRlJXVWxMYjFwSmVtb3dSRUZSWTBSUlowRkZNVTlzWWpONlRVRkdSbmhZUzBocFNXdFJUelZqU2pOWmFHdzFhVFpWVUhBclNXaDFkR1ZDU21KMVNHTkJOVlZ2WjB0dk1FVlhkR3hYZDFjMlMxTmhTMjlVVGtWWlREZEtiRU5SYVZadWEyaENhM1JWWjJjOVBRb3RMUzB0TFVWT1JDQlFWVUpNU1VNZ1MwVlpMUzB0TFMwPSIsInNpZyI6IlRVVlJRMGxETURGaFJqbFFZVWxtSzNOcVkzRlBiVzQwUVZaVU56bFBWMFJuVkZGVk5XVXZiVkp0TVcweVNIWjVRV2xCY0hCNk1FWkxWVzFEVjJwdVUyUnJORzB5VkdGTlpXMXFSRXRqUlcxTVdFSTRWVVpFTlZsYWRETTJaejA5In1dfSwiaGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6IjkxNDU3YjdiYzg1NTgwY2Y2NTAxNDM5NDU5ZDYyOWI0YzBlOTUxNmFjNzc3NTllNGQwNzMwZjVlMTUxNjRkMDcifSwicGF5bG9hZEhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI1ZmFmZTQwMmJiYzBiMTNhMmFmMmIzMjhjYmNjNmFiZTlmZTA1MGRkNDUzNjNkNTE1YWIyYzk4MjA3NDMwNjVkIn19fX0=" + } + ], + "timestampVerificationData": null + }, + "dsseEnvelope": { + "payload": "ewogICJfdHlwZSI6ICJodHRwczovL2luLXRvdG8uaW8vU3RhdGVtZW50L3YwLjEiLAogICJwcmVkaWNhdGVUeXBlIjogImh0dHBzOi8vZ2l0aHViLmNvbS9ucG0vYXR0ZXN0YXRpb24vdHJlZS9tYWluL3NwZWNzL3B1Ymxpc2gvdjAuMSIsCiAgInByZWRpY2F0ZSI6IHsKICAgICJuYW1lIjogIkBsYXVyZW50c2ltb24vcHJvdmVuYW5jZS1ucG0tdGVzdCIsCiAgICAidmVyc2lvbiI6ICIxLjAuMCIsCiAgICAicmVnaXN0cnkiOiAiaHR0cHM6Ly9yZWdpc3RyeS5ucG1qcy5vcmciCiAgfQp9Cg==", + "payloadType": "application/vnd.in-toto+json", + "signatures": [ + { + "sig": "MEQCIC01aF9PaIf+sjcqOmn4AVT79OWDgTQU5e/mRm1m2HvyAiAppz0FKUmCWjnSdk4m2TaMemjDKcEmLXB8UFD5YZt36g==", + "keyid": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA" + } + ] + } + } + } + ] +} \ No newline at end of file 
diff --git a/verifiers/internal/gha/verifier.go b/verifiers/internal/gha/verifier.go index 4068c5fd7..84f7e636a 100644 --- a/verifiers/internal/gha/verifier.go +++ b/verifiers/internal/gha/verifier.go @@ -131,7 +131,7 @@ func verifyNpmEnvAndCert(env *dsse.Envelope, // Users must always provide the builder ID. if builderOpts == nil || builderOpts.ExpectedID == nil { - return nil, fmt.Errorf("builder ID is empty") + return nil, fmt.Errorf("%w: no expected builder ID", serrors.ErrorInvalidBuilderID) } // WARNING: builderID may be empty if it's not a trusted reusable builder workflow. @@ -325,12 +325,7 @@ func (v *GHAVerifier) VerifyNpmPackage(ctx context.Context, return nil, nil, err } - // Verify publish attesttation signature. - if err := npm.verifyPublishAttesttationSignature(); err != nil { - return nil, nil, err - } - - // Verify builder information. + // Verify provenance builder information. builder, err := npm.verifyBuilderID( provenanceOpts, builderOpts, defaultBYOBReusableWorkflows) @@ -338,6 +333,16 @@ func (v *GHAVerifier) VerifyNpmPackage(ctx context.Context, return nil, nil, err } + // Verify publish attesttation signature. + if err := npm.verifyPublishAttestationSignature(); err != nil { + return nil, nil, err + } + + // Verify publish subject digest. + if err := npm.verifySubjectDigest(provenanceOpts.ExpectedDigest); err != nil { + return nil, nil, err + } + // Verify attestation headers. if err := npm.verifyIntotoHeaders(); err != nil { return nil, nil, err diff --git a/verifiers/utils/dsse.go b/verifiers/utils/dsse.go index d839d6340..2e4aa9ea6 100644 --- a/verifiers/utils/dsse.go +++ b/verifiers/utils/dsse.go 
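Review bot: The order of the added checks in the third verifier.go hunk is load-bearing but not stated: `npm.verifySubjectDigest(provenanceOpts.ExpectedDigest)` presumably reads the subject from the publish attestation payload, so it has to stay after `npm.verifyPublishAttestationSignature()` or the digest comparison runs on unauthenticated content. I would say so in the comment, e.g. `// Verify publish subject digest. Must run after the publish signature check: the subject comes from that payload.` The comment above the renamed call still reads `attesttation`; `// Verify publish attestation signature.` would match the new method name. VerifyNpmPackage starts before and continues after these hunks, so whether `provenanceOpts` is nil-checked before `.ExpectedDigest` is read cannot be seen here and is worth confirming.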
@@ -1,24 +1,71 @@
 package utils
 import (
+ "context"
+ "crypto"
+ "crypto/ecdsa"
+ "crypto/sha256"
+ "crypto/x509"
 "encoding/base64"
+ "encoding/json"
+ "encoding/pem"
 "fmt"
+ "math/big"
+ intoto "github.com/in-toto/in-toto-golang/in_toto"
 dsselib "github.com/secure-systems-lab/go-securesystemslib/dsse"
 serrors "github.com/slsa-framework/slsa-verifier/v2/errors"
 )
+func EnvelopeFromBytes(payload []byte) (*dsselib.Envelope, error) {
+ var env dsselib.Envelope
+ err := json.Unmarshal(payload, &env)
+ if err != nil {
+ return nil, fmt.Errorf("%w: %w", serrors.ErrorInvalidDssePayload, err)
+ }
+
+ if env.PayloadType != intoto.PayloadType {
+ return nil, fmt.Errorf("%w: expected payload type %q, got %q",
+ serrors.ErrorInvalidDssePayload, intoto.PayloadType, env.PayloadType)
+ }
+ return &env, nil
+}
+
 func PayloadFromEnvelope(env *dsselib.Envelope) ([]byte, error) {
 payload, err := base64.StdEncoding.DecodeString(env.Payload)
 if err != nil {
 return nil, fmt.Errorf("%w: %s", serrors.ErrorInvalidDssePayload, err.Error())
 }
- if payload == nil {
+ if len(payload) == 0 {
 return nil, fmt.Errorf("%w: empty payload", serrors.ErrorInvalidFormat)
 }
 return payload, nil
 }
+func StatementFromBytes(payload []byte) (*intoto.Statement, error) {
+ var statement intoto.Statement
+ if err := json.Unmarshal(payload, &statement); err != nil {
+ return nil, fmt.Errorf("%w: %w", serrors.ErrorInvalidDssePayload, err)
+ }
+
+ if statement.Type != intoto.StatementInTotoV01 {
+ return nil, fmt.Errorf("%w: invalid statement type: %q", serrors.ErrorInvalidDssePayload, statement.Type)
+ }
+ return &statement, nil
+}
+
+func StatementFromEnvelope(env *dsselib.Envelope) (*intoto.Statement, error) {
+ payload, err := PayloadFromEnvelope(env)
+ if err != nil {
+ return nil, err
+ }
+ statement, err := StatementFromBytes(payload)
+ if err != nil {
+ return nil, err
+ }
+ return statement, nil
+}
+
 func DecodeSignature(s string) ([]byte, error) {
 var errs []error
 // First try the std decoding.
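Review bot: The three new exported helpers (`EnvelopeFromBytes`, `StatementFromBytes`, `StatementFromEnvelope`) have no doc comments, and nothing tells a caller that they only parse: none of them checks a signature, so a statement returned here is untrusted until the envelope has been verified. A line such as `// StatementFromEnvelope decodes the envelope payload into an in-toto statement. It does not verify signatures.` on each would make that contract explicit. `PayloadFromEnvelope` still reports the empty payload as `ErrorInvalidFormat` while every other failure in this hunk uses `ErrorInvalidDssePayload`; if that difference is intended it deserves a comment. DecodeSignature's body continues outside the hunk.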
@@ -43,3 +90,110 @@ func DecodeSignature(s string) ([]byte, error) {
 return nil, fmt.Errorf("%w: %v", serrors.ErrorInvalidEncoding, errs)
 }
+
+type SignatureEncoding int
+
+const (
+ // The DER signature is encoded using ASN.1
+ // (https://tools.ietf.org/html/rfc5480#appendix-A):
+ // ECDSA-Sig-Value :: = SEQUENCE { r INTEGER, s INTEGER }. In particular, the
+ // encoding is:
+ // 0x30 || totalLength || 0x02 || r's length || r || 0x02 || s's length || s.
+ SignatureEncodingDER SignatureEncoding = iota
+ // The IEEE_P1363 signature's format is r || s, where r and s are zero-padded
+ // and have the same size in bytes as the order of the curve. For example, for
+ // NIST P-256 curve, r and s are zero-padded to 32 bytes.
+ SignatureEncodingIEEEP1363
+)
+
+type publicKey struct {
+ keyID string
+ pubKey *crypto.PublicKey
+ sigEncoding SignatureEncoding // Default is SignatureEncodingDER.
+}
+
+func (p *publicKey) Verify(ctx context.Context, data, sig []byte) error {
+ digest := sha256.Sum256(data)
+ if p.pubKey == nil {
+ return fmt.Errorf("%w: key is empty", serrors.ErrorInternal)
+ }
+ switch v := (*p.pubKey).(type) {
+ default:
+ return fmt.Errorf("unknown key type: %T", v)
+ case *ecdsa.PublicKey:
+ switch p.sigEncoding {
+ case SignatureEncodingDER:
+ if !ecdsa.VerifyASN1(v, digest[:], sig) {
+ return fmt.Errorf("%w: cannot verify signature",
+ serrors.ErrorInvalidSignature)
+ }
+ case SignatureEncodingIEEEP1363:
+ r := new(big.Int)
+ r.SetBytes(sig[:32])
+ s := new(big.Int)
+ s.SetBytes(sig[32:])
+ if !ecdsa.Verify(v, digest[:], r, s) {
+ return fmt.Errorf("%w: cannot verify signature",
+ serrors.ErrorInvalidSignature)
+ }
+ default:
+ return fmt.Errorf("unsupported encoding: %v", p.sigEncoding)
+ }
+ }
+ return nil
+}
+
+// KeyID implements dsse.Verifier.KeyID.
+func (p *publicKey) KeyID() (string, error) {
+ return p.keyID, nil
+}
+
+// Public implements dsse.Verifier.Public.
+func (p *publicKey) Public() crypto.PublicKey {
+ return p.pubKey
+}
+
+type KeyFormat int
+
+const (
+ KeyFormatDER KeyFormat = iota
+ KeyFormatPEM
+)
+
+func DsseVerifierNew(content []byte, format KeyFormat, keyID string, sigEncoding *SignatureEncoding) (*dsselib.EnvelopeVerifier, error) {
+ if format == KeyFormatPEM {
+ block, rest := pem.Decode(content)
+ if rest != nil {
+ return nil, fmt.Errorf("%w: additional data found", serrors.ErrorInvalidPEM)
+ }
+ if block == nil {
+ return nil, fmt.Errorf("%w: unable to decode PEM format", serrors.ErrorInvalidPEM)
+ }
+ content = block.Bytes
+ }
+
+ key, err := x509.ParsePKIXPublicKey(content)
+ if err != nil {
+ return nil, fmt.Errorf("%w: %w", serrors.ErrorInvalidPublicKey, err)
+ }
+
+ pubKey, ok := key.(crypto.PublicKey)
+ if !ok {
+ return nil, fmt.Errorf("%w: not a public key", serrors.ErrorInvalidPublicKey)
+ }
+
+ dssePubKey := publicKey{
+ pubKey: &pubKey,
+ keyID: keyID,
+ }
+ if sigEncoding != nil {
+ dssePubKey.sigEncoding = *sigEncoding
+ }
+
+ verifier, err := dsselib.NewEnvelopeVerifier(&dssePubKey)
+ if err != nil {
+ return nil, fmt.Errorf("creating verifier: %w", err)
+ }
+
+ return verifier, nil
+}
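Review bot: The `SignatureEncodingIEEEP1363` branch of `Verify` slices `sig[:32]` and `sig[32:]` without checking the length, so a signature shorter than 32 bytes panics instead of failing verification, a longer one is parsed instead of rejected, and the fixed 32 is only right for P-256 keys. The branch should derive the component size from the key's curve and reject any signature that is not exactly twice that size, as in the excerpt below. In `DsseVerifierNew`, `if rest != nil` should be `if len(rest) != 0` and should come after the `block == nil` check: `pem.Decode` returns the unconsumed input as a slice, which is normally empty rather than nil, the same nil-versus-empty mix-up this commit fixes in `PayloadFromEnvelope`. `Public()` returns `p.pubKey`, a `*crypto.PublicKey`, where `*p.pubKey` looks intended.

```go
	case SignatureEncodingIEEEP1363:
		// r and s are each zero-padded to the byte length of the curve order.
		size := (v.Curve.Params().N.BitLen() + 7) / 8
		if len(sig) != 2*size {
			return fmt.Errorf("%w: unexpected signature length %d",
				serrors.ErrorInvalidSignature, len(sig))
		}
		r := new(big.Int).SetBytes(sig[:size])
		s := new(big.Int).SetBytes(sig[size:])
		// … unchanged: ecdsa.Verify call and its error return …
```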