diff --git a/README.md b/README.md index 15c4a0d0a..9cd51e29b 100644 --- a/README.md +++ b/README.md @@ -319,6 +319,8 @@ PASSED: Verified SLSA provenance Verification of npm packages is currently an experimental feature. +More details about npm attestations are in [docs/npm.md](./docs/npm.md) + #### The verify-npm-package command ```bash diff --git a/cli/slsa-verifier/main_regression_test.go b/cli/slsa-verifier/main_regression_test.go index 67ee7ac43..475d840cc 100644 --- a/cli/slsa-verifier/main_regression_test.go +++ b/cli/slsa-verifier/main_regression_test.go @@ -1519,6 +1519,14 @@ func Test_runVerifyNpmPackage(t *testing.T) { pkgName: pointerTo("@trishankatdatadog/supreme-goggles"), builderID: pointerTo("https://github.com/actions/runner/github-hosted"), }, + { + name: "valid npm CLI builder v1", + artifact: "gundam-visor-cli-v1-tag.tgz", + source: "github.com/ramonpetgrave64/gundam-visor", + pkgVersion: pointerTo("1.0.1"), + pkgName: pointerTo("gundam-visor"), + builderID: pointerTo("https://github.com/actions/runner/github-hosted"), + }, { name: "valid npm CLI builder short runner name", artifact: "supreme-googles-cli-v02-tag.tgz", @@ -1527,6 +1535,17 @@ func Test_runVerifyNpmPackage(t *testing.T) { pkgName: pointerTo("@trishankatdatadog/supreme-goggles"), builderID: pointerTo("https://github.com/actions/runner"), }, + { + // The builderID for v1 should never be the "shortname". + // https://github.com/npm/cli/blob/93883bb6459208a916584cad8c6c72a315cf32af/workspaces/libnpmpublish/lib/provenance.js#L58. + name: "valid npm CLI builder v1 short runner name", + artifact: "gundam-visor-cli-v1-tag.tgz", + source: "github.com/ramonpetgrave64/gundam-visor", + pkgVersion: pointerTo("1.0.1"), + pkgName: pointerTo("gundam-visor"), + builderID: pointerTo("https://github.com/actions/runner"), + err: serrors.ErrorInvalidBuilderID, + }, { name: "valid npm CLI builder no builder", artifact: "supreme-googles-cli-v02-tag.tgz", 
@@ -1535,6 +1554,14 @@ func Test_runVerifyNpmPackage(t *testing.T) { pkgName: pointerTo("@trishankatdatadog/supreme-goggles"), err: serrors.ErrorInvalidBuilderID, }, + { + name: "valid npm CLI builder v1 no builder", + artifact: "gundam-visor-cli-v1-tag.tgz", + source: "github.com/ramonpetgrave64/gundam-visor", + pkgVersion: pointerTo("1.0.5"), + pkgName: pointerTo("gundam-visor"), + err: serrors.ErrorInvalidBuilderID, + }, { name: "valid npm CLI builder mismatch builder", artifact: "supreme-googles-cli-v02-tag.tgz", @@ -1544,6 +1571,15 @@ func Test_runVerifyNpmPackage(t *testing.T) { builderID: pointerTo("https://github.com/actions/runner2"), err: serrors.ErrorNotSupported, }, + { + name: "valid npm CLI builder v1 mismatch builder", + artifact: "gundam-visor-cli-v1-tag.tgz", + source: "github.com/ramonpetgrave64/gundam-visor", + pkgVersion: pointerTo("1.0.1"), + pkgName: pointerTo("gundam-visor"), + builderID: pointerTo("https://github.com/actions/runner/github-hosted2"), + err: serrors.ErrorNotSupported, + }, { name: "valid npm CLI builder no package name", artifact: "supreme-googles-cli-v02-tag.tgz", @@ -1551,6 +1587,13 @@ func Test_runVerifyNpmPackage(t *testing.T) { pkgVersion: pointerTo("1.0.5"), builderID: pointerTo("https://github.com/actions/runner/github-hosted"), }, + { + name: "valid npm CLI builder v1 no package name", + artifact: "gundam-visor-cli-v1-tag.tgz", + source: "github.com/ramonpetgrave64/gundam-visor", + pkgVersion: pointerTo("1.0.1"), + builderID: pointerTo("https://github.com/actions/runner/github-hosted"), + }, { name: "valid npm CLI builder no package version", artifact: "supreme-googles-cli-v02-tag.tgz", 
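Review bot: The `valid npm CLI builder v1 no builder` case passes `pkgVersion: pointerTo("1.0.5")`, while every other gundam-visor v1 case uses `1.0.1` and the `mismatch package version` case deliberately uses `1.0.2` to provoke `ErrorMismatchPackageVersion`; `1.0.5` looks carried over from the supreme-goggles template it was copied from. The case still expects `ErrorInvalidBuilderID`, so it presumably only passes because the builder check runs before the version check, and it would start failing for the wrong reason if that order ever changed. Use `pkgVersion: pointerTo("1.0.1"),` so the case isolates the missing-builder condition. `Test_runVerifyNpmPackage` starts and ends outside this hunk.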
@@ -1558,6 +1601,13 @@ func Test_runVerifyNpmPackage(t *testing.T) { pkgName: pointerTo("@trishankatdatadog/supreme-goggles"), builderID: pointerTo("https://github.com/actions/runner/github-hosted"), }, + { + name: "valid npm CLI builder v1 no package version", + artifact: "gundam-visor-cli-v1-tag.tgz", + source: "github.com/ramonpetgrave64/gundam-visor", + pkgName: pointerTo("gundam-visor"), + builderID: pointerTo("https://github.com/actions/runner/github-hosted"), + }, { name: "valid npm CLI builder mismatch source", artifact: "supreme-googles-cli-v02-tag.tgz", @@ -1567,6 +1617,15 @@ func Test_runVerifyNpmPackage(t *testing.T) { builderID: pointerTo("https://github.com/actions/runner/github-hosted"), err: serrors.ErrorMismatchSource, }, + { + name: "valid npm CLI builder v1 mismatch source", + artifact: "gundam-visor-cli-v1-tag.tgz", + source: "github.com/ramonpetgrave64/gundam-visorS", + pkgVersion: pointerTo("1.0.1"), + pkgName: pointerTo("gundam-visor"), + builderID: pointerTo("https://github.com/actions/runner/github-hosted"), + err: serrors.ErrorMismatchSource, + }, { name: "valid npm CLI builder mismatch package version", artifact: "supreme-googles-cli-v02-tag.tgz", @@ -1575,6 +1634,15 @@ func Test_runVerifyNpmPackage(t *testing.T) { builderID: pointerTo("https://github.com/actions/runner/github-hosted"), err: serrors.ErrorMismatchPackageVersion, }, + { + name: "valid npm CLI builder v1 mismatch package version", + artifact: "gundam-visor-cli-v1-tag.tgz", + source: "github.com/ramonpetgrave64/gundam-visor", + pkgVersion: pointerTo("1.0.2"), + pkgName: pointerTo("gundam-visor"), + builderID: pointerTo("https://github.com/actions/runner/github-hosted"), + err: serrors.ErrorMismatchPackageVersion, + }, { name: "valid npm CLI builder mismatch package name", artifact: "supreme-googles-cli-v02-tag.tgz", 
@@ -1583,6 +1651,15 @@ func Test_runVerifyNpmPackage(t *testing.T) { builderID: pointerTo("https://github.com/actions/runner/github-hosted"), err: serrors.ErrorMismatchPackageName, }, + { + name: "valid npm CLI builder v1 mismatch package name", + artifact: "gundam-visor-cli-v1-tag.tgz", + source: "github.com/ramonpetgrave64/gundam-visor", + pkgVersion: pointerTo("1.0.1"), + pkgName: pointerTo("gundam-visorS"), + builderID: pointerTo("https://github.com/actions/runner/github-hosted"), + err: serrors.ErrorMismatchPackageName, + }, { name: "invalid signature provenance npm CLI", artifact: "supreme-googles-cli-v02-tag-invalidsigprov.tgz", @@ -1592,13 +1669,31 @@ func Test_runVerifyNpmPackage(t *testing.T) { err: serrors.ErrorInvalidSignature, }, { - name: "invalid signature provenance npm CLI", + name: "invalid signature provenance npm CLI v1", + artifact: "gundam-visor-cli-v1-tag-invalidsigprov.tgz", + source: "github.com/ramonpetgrave64/gundam-visor", + pkgVersion: pointerTo("1.0.1"), + pkgName: pointerTo("gundam-visor"), + builderID: pointerTo("https://github.com/actions/runner/github-hosted"), + err: serrors.ErrorInvalidSignature, + }, + { + name: "invalid signature publish npm CLI", artifact: "supreme-googles-cli-v02-tag-invalidsigpub.tgz", source: "github.com/trishankatdatadog/supreme-goggles", pkgName: pointerTo("@trishankatdatadog/supreme-goggles"), builderID: pointerTo("https://github.com/actions/runner/github-hosted"), err: serrors.ErrorInvalidSignature, }, + { + name: "invalid signature publish npm CLI v1", + artifact: "gundam-visor-cli-v1-tag-invalidsigpub.tgz", + source: "github.com/ramonpetgrave64/gundam-visor", + pkgVersion: pointerTo("1.0.1"), + pkgName: pointerTo("gundam-visor"), + builderID: pointerTo("https://github.com/actions/runner/github-hosted"), + err: serrors.ErrorInvalidSignature, + }, // npm CLI with main branch. { name: "valid npm CLI builder", 
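Review bot: The new `invalid signature provenance npm CLI v1` and `invalid signature publish npm CLI v1` cases (and their sigstore counterparts in the second file section) give no hint of where the tampering lives: the three `gundam-visor-cli-v1-tag*.tgz` blobs added later in this diff all carry the same blob id `5879a48cc`, so the package bytes are identical and only the `.tgz.json` attestation sidecars differ. A one-line comment on the first of these cases, such as `// The -invalidsigprov/-invalidsigpub fixtures share the tarball; only the attestation sidecar is altered.`, would save the next maintainer from diffing the fixtures by hand. `Test_runVerifyNpmPackage` starts and ends outside this hunk.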
@@ -1608,6 +1703,14 @@ func Test_runVerifyNpmPackage(t *testing.T) { pkgName: pointerTo("@laurentsimon/provenance-npm-test"), builderID: pointerTo("https://github.com/actions/runner/github-hosted"), }, + { + name: "valid npm CLI builder v1", + artifact: "provenance-npm-test-cli-v1-prega.tgz", + source: "github.com/sigstore/sigstore-js", + pkgVersion: pointerTo("2.3.1"), + pkgName: pointerTo("sigstore"), + builderID: pointerTo("https://github.com/actions/runner/github-hosted"), + }, { name: "valid npm CLI builder short runner name", artifact: "provenance-npm-test-cli-v02-prega.tgz", @@ -1616,6 +1719,17 @@ func Test_runVerifyNpmPackage(t *testing.T) { pkgName: pointerTo("@laurentsimon/provenance-npm-test"), builderID: pointerTo("https://github.com/actions/runner"), }, + { + // The builderID for v1 should never be the "shortname". + // https://github.com/npm/cli/blob/93883bb6459208a916584cad8c6c72a315cf32af/workspaces/libnpmpublish/lib/provenance.js#L58. + name: "valid npm CLI builder v1 short runner name", + artifact: "provenance-npm-test-cli-v1-prega.tgz", + source: "github.com/sigstore/sigstore-js", + pkgVersion: pointerTo("2.3.1"), + pkgName: pointerTo("sigstore"), + builderID: pointerTo("https://github.com/actions/runner"), + err: serrors.ErrorInvalidBuilderID, + }, { name: "valid npm CLI builder no builder", artifact: "provenance-npm-test-cli-v02-prega.tgz", @@ -1624,6 +1738,14 @@ func Test_runVerifyNpmPackage(t *testing.T) { pkgName: pointerTo("@laurentsimon/provenance-npm-test"), err: serrors.ErrorInvalidBuilderID, }, + { + name: "valid npm CLI builder v1 no builder", + artifact: "provenance-npm-test-cli-v1-prega.tgz", + source: "github.com/sigstore/sigstore-js", + pkgVersion: pointerTo("2.3.1"), + pkgName: pointerTo("sigstore"), + err: serrors.ErrorInvalidBuilderID, + }, { name: "valid npm CLI builder mismatch builder", artifact: "provenance-npm-test-cli-v02-prega.tgz", 
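Review bot: The new `valid npm CLI builder v1` case under the `// npm CLI with main branch.` group points `artifact` at `provenance-npm-test-cli-v1-prega.tgz` but expects `source: "github.com/sigstore/sigstore-js"` and `pkgName: pointerTo("sigstore")`, so the fixture name no longer describes its contents (the v02 cases in this group verify `@laurentsimon/provenance-npm-test`). That fixture is not visible in this chunk, so I cannot tell whether the name or the expected values are the stale half; if the tarball really is the `sigstore` 2.3.1 package, renaming it (e.g. `sigstore-cli-v1-prega.tgz`) or a comment on the case explaining the reuse would avoid confusion. The same artifact name is used by all v1 cases in the following hunks of this file. `Test_runVerifyNpmPackage` starts and ends outside this hunk.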
@@ -1633,6 +1755,15 @@ func Test_runVerifyNpmPackage(t *testing.T) { builderID: pointerTo("https://github.com/actions/runner2"), err: serrors.ErrorNotSupported, }, + { + name: "valid npm CLI builder v1 mismatch builder", + artifact: "provenance-npm-test-cli-v1-prega.tgz", + source: "github.com/sigstore/sigstore-js", + pkgVersion: pointerTo("2.3.1"), + pkgName: pointerTo("sigstore"), + builderID: pointerTo("https://github.com/actions/runner/github-hosted2"), + err: serrors.ErrorNotSupported, + }, { name: "valid npm CLI builder no package name", artifact: "provenance-npm-test-cli-v02-prega.tgz", @@ -1640,6 +1771,13 @@ func Test_runVerifyNpmPackage(t *testing.T) { source: "github.com/laurentsimon/provenance-npm-test", builderID: pointerTo("https://github.com/actions/runner/github-hosted"), }, + { + name: "valid npm CLI builder v1 no package name", + artifact: "provenance-npm-test-cli-v1-prega.tgz", + pkgVersion: pointerTo("2.3.1"), + source: "github.com/sigstore/sigstore-js", + builderID: pointerTo("https://github.com/actions/runner/github-hosted"), + }, { name: "valid npm CLI builder no package version", artifact: "provenance-npm-test-cli-v02-prega.tgz", @@ -1647,6 +1785,13 @@ func Test_runVerifyNpmPackage(t *testing.T) { pkgName: pointerTo("@laurentsimon/provenance-npm-test"), builderID: pointerTo("https://github.com/actions/runner/github-hosted"), }, + { + name: "valid npm CLI builder v1 no package version", + artifact: "provenance-npm-test-cli-v1-prega.tgz", + source: "github.com/sigstore/sigstore-js", + pkgName: pointerTo("sigstore"), + builderID: pointerTo("https://github.com/actions/runner/github-hosted"), + }, { name: "valid npm CLI builder mismatch source", artifact: "provenance-npm-test-cli-v02-prega.tgz", 
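Review bot: In the `valid npm CLI builder v1 no package name` case the `pkgVersion` field is listed before `source`, whereas every other case in the table orders `artifact`, `source`, `pkgVersion`, `pkgName`, `builderID`, `err`; keeping that order lets the v02/v1 pairs be compared by eye. Swap the two lines so `source: "github.com/sigstore/sigstore-js",` precedes `pkgVersion: pointerTo("2.3.1"),`. `Test_runVerifyNpmPackage` starts and ends outside this hunk.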
@@ -1654,6 +1799,14 @@ func Test_runVerifyNpmPackage(t *testing.T) { builderID: pointerTo("https://github.com/actions/runner/github-hosted"), err: serrors.ErrorMismatchSource, }, + { + name: "valid npm CLI builder v1 mismatch source", + artifact: "provenance-npm-test-cli-v1-prega.tgz", + source: "github.com/sigstore/sigstore-js2", + pkgName: pointerTo("sigstore"), + builderID: pointerTo("https://github.com/actions/runner/github-hosted"), + err: serrors.ErrorMismatchSource, + }, { name: "valid npm CLI builder mismatch package version", artifact: "provenance-npm-test-cli-v02-prega.tgz", @@ -1662,6 +1815,14 @@ func Test_runVerifyNpmPackage(t *testing.T) { builderID: pointerTo("https://github.com/actions/runner/github-hosted"), err: serrors.ErrorMismatchPackageVersion, }, + { + name: "valid npm CLI builder v1 mismatch package version", + artifact: "provenance-npm-test-cli-v1-prega.tgz", + source: "github.com/sigstore/sigstore-js", + pkgVersion: pointerTo("2.3.2"), + builderID: pointerTo("https://github.com/actions/runner/github-hosted"), + err: serrors.ErrorMismatchPackageVersion, + }, { name: "valid npm CLI builder mismatch package name", artifact: "provenance-npm-test-cli-v02-prega.tgz", @@ -1670,6 +1831,14 @@ func Test_runVerifyNpmPackage(t *testing.T) { builderID: pointerTo("https://github.com/actions/runner/github-hosted"), err: serrors.ErrorMismatchPackageName, }, + { + name: "valid npm CLI builder v1 mismatch package name", + artifact: "provenance-npm-test-cli-v1-prega.tgz", + source: "github.com/sigstore/sigstore-js", + pkgName: pointerTo("sigstore2"), + builderID: pointerTo("https://github.com/actions/runner/github-hosted"), + err: serrors.ErrorMismatchPackageName, + }, { name: "invalid signature provenance npm CLI", artifact: "provenance-npm-test-cli-v02-prega-invalidsigprov.tgz", 
@@ -1678,6 +1847,14 @@ func Test_runVerifyNpmPackage(t *testing.T) { builderID: pointerTo("https://github.com/actions/runner/github-hosted"), err: serrors.ErrorInvalidSignature, }, + { + name: "invalid signature provenance npm CLI v1", + artifact: "provenance-npm-test-cli-v1-prega-invalidsigprov.tgz", + source: "github.com/sigstore/sigstore-js", + pkgName: pointerTo("sigstore"), + builderID: pointerTo("https://github.com/actions/runner/github-hosted"), + err: serrors.ErrorInvalidSignature, + }, { name: "invalid signature publish npm CLI", artifact: "provenance-npm-test-cli-v02-prega-invalidsigpub.tgz", @@ -1686,6 +1863,14 @@ func Test_runVerifyNpmPackage(t *testing.T) { builderID: pointerTo("https://github.com/actions/runner/github-hosted"), err: serrors.ErrorInvalidSignature, }, + { + name: "invalid signature publish npm CLI v1", + artifact: "provenance-npm-test-cli-v1-prega-invalidsigpub.tgz", + source: "github.com/sigstore/sigstore-js", + pkgName: pointerTo("sigstore"), + builderID: pointerTo("https://github.com/actions/runner/github-hosted"), + err: serrors.ErrorInvalidSignature, + }, // OSSF builder. { name: "valid npm OSSF builder", diff --git a/cli/slsa-verifier/testdata/npm/gha/gundam-visor-cli-v1-tag-invalidsigprov.tgz b/cli/slsa-verifier/testdata/npm/gha/gundam-visor-cli-v1-tag-invalidsigprov.tgz new file mode 100644 index 000000000..5879a48cc Binary files /dev/null and b/cli/slsa-verifier/testdata/npm/gha/gundam-visor-cli-v1-tag-invalidsigprov.tgz differ diff --git a/cli/slsa-verifier/testdata/npm/gha/gundam-visor-cli-v1-tag-invalidsigprov.tgz.json b/cli/slsa-verifier/testdata/npm/gha/gundam-visor-cli-v1-tag-invalidsigprov.tgz.json new file mode 100644 index 000000000..5097db501 --- /dev/null +++ b/cli/slsa-verifier/testdata/npm/gha/gundam-visor-cli-v1-tag-invalidsigprov.tgz.json 
@@ -0,0 +1 @@ +{"attestations":[{"predicateType":"https://github.com/npm/attestation/tree/main/specs/publish/v0.1","bundle":{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.2","verificationMaterial":{"publicKey":{"hint":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA"},"tlogEntries":[{"logIndex":"99434465","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"intoto","version":"0.0.2"},"integratedTime":"1717453081","inclusionPromise":{"signedEntryTimestamp":"MEYCIQDOARAGyVHccisvQm5E60IccfY9M2u5a+0YRCiawh75cAIhAMxJbSqi4J9ngL4/dG+2b0UW+9dHtpY9DgV79LgYj8NY"},"inclusionProof":{"logIndex":"95271034","rootHash":"0COmZPs5R/MmjgbpNSlBuNMC7DLFOK4YqRWL8IvvWVg=","treeSize":"95271036","hashes":["h57Dn4I0XAl/b8bE8l/MF9lGHPrG2roJabnnU0mYfeI=","33mTL3BkADC8Vi+wRLX8b42hUX2nqXHI3BOjzYzBH44=","R4HYAPV3bDnGRcJ86KDUqny6fDqU9Qlbv5CjktO7D3E=","XJhxQu3fMX4CsqKvtdiF5Yff1dZTjkUS3IoduvaunC0=","Xk1XiLw9Jb9ZxC4iNLUN0RMolPAQ5uy+xVlU4T5ePh0=","V4pG0KBpGywjX7eYBkt9xOfzBGmgDAUumQrMFGttu5o=","bdiW+QbcKwgoiHTYy1AGRipRPs8I6mjJZNBkmLuw43Y=","Rh9QDMnMoFoxIEqVbyya9Wkz99NGv2xYTN32feHLE3A=","/bWhZ36DcEsXeRI6E5pG6DshJI3cEsWzJy1UdMqPeaA=","49anUgnAYwwLfQAZcBb6C6u7tNhwYdKtnLNg+0ZQK2c=","EbT5mQYci44fcTz1vjOpBOVJE7TPJY+rLIsZxXgqBOk=","40yHIq9mqoqfhVgnEQAlLLRLeehet/WJr/saCTYG91k=","7I4hi3dOO4k//2YwZ5WLzohtTmuh8nP71JQQaZTGd00=","OE/VFuAFgf7OOQO93xqJMVNRLOibj/3LQ5OMQP5ZWCo=","cX3Agx+hP66t1ZLbX/yHbfjU46/3m/VAmWyG/fhxAVc=","sjohk/3DQIfXTgf/5XpwtdF7yNbrf8YykOMHr1CyBYQ=","98enzMaC+x5oCMvIZQA5z8vu2apDMCFvE/935NfuPw8="],"checkpoint":{"envelope":"rekor.sigstore.dev - 2605736670972794746\n95271036\n0COmZPs5R/MmjgbpNSlBuNMC7DLFOK4YqRWL8IvvWVg=\n\n— rekor.sigstore.dev 
wNI9ajBFAiBeM+LPeS5kNpplQkq7P1qAWVhCySznP10aOQzAoetdogIhALIONG8mAfKHxo08BjMsO527I5c1BV4Z1x27d6vBLmbb\n"}},"canonicalizedBody":"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"}],"timestampVerificationData":{"rfc3161Timestamps":[]}},"dsseEnvelope":{"payload":"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","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEUCIF56JbQQVP94bkPymcC5s1Mu7kruACigKYfKUSX/d9oPAiEAm7PB5vN3uhBoxHsa0bmrBHeQ1yoprimfGMOiN8vEE3Y=","keyid":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA"}]}}},{"predicateType":"https://slsa.dev/provenance/v1","bundle":{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.2","verificationMaterial":{"x509CertificateChain":{"certificates":[{"rawBytes":"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"}]},"tlogEntries":[{"logIndex":"99434462","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"intoto","version":"0.0.2"},"integratedTime":"1717453079","inclusionPromise":{"signedEntryTimestamp":"MEUCIQCC4erdG64HDkzkn/Qif+dqIS9JnN19psxSAYud80rp4QIgHwpYYeBMC5tYuXptKu1g0KCmo5O69H4aP4HUn94JF2o="},"inclusionProof":{"logIndex":"95271031","rootHash":"bdk7mJiV/TsunynJolyl0Z++ssvYJ1fNbK3Yq6HuhXc=","treeSize":"95271032","hashes":["38feiWPHuMfOscD058JpKPKRykVBqEyaSJ5pLgDZHXg=","DpqKqb4W3zcJ7TyBf4zr1qaxIaEjPqsSmCKJrjYhs+E=","3rICe8i0xHnaD68TkMlDGR9YfJwXErJptkFWlVNXJFo=","XJhxQu3fMX4CsqKvtdiF5Yff1dZTjkUS3IoduvaunC0=","Xk1XiLw9Jb9ZxC4iNLUN0RMolPAQ5uy+xVlU4T5ePh0=","V4pG0KBpGywjX7eYBkt9xOfzBGmgDAUumQrMFGttu5o=","bdiW+QbcKwgoiHTYy1AGRipRPs8I6mjJZNBkmLuw43Y=","Rh9QDMnMoFoxIEqVbyya9Wkz99NGv2xYTN32feHLE3A=","/bWhZ36DcEsXeRI6E5pG6DshJI3cEsWzJy1UdMqPeaA=","49anUgnAYwwLfQAZcBb6C6u7tNhwYdKtnLNg+0ZQK2c=","EbT5mQYci44fcTz1vjOpBOVJE7TPJY+rLIsZxXgqBOk=","40yHIq9mqoqfhVgnEQAlLLRLeehet/WJr/saCTYG91k=","7I4hi3dOO4k//2YwZ5WLzohtTmuh8nP71JQQaZTGd00=","OE/VFuAFgf7OOQO93xqJMVNRLOibj/3LQ5OMQP5ZWCo=","cX3Agx+hP66t1ZLbX/yHbfjU46/3m/VAmWyG/fhxAVc=","sjohk/3DQIfXTgf/5XpwtdF7y
Nbrf8YykOMHr1CyBYQ=","98enzMaC+x5oCMvIZQA5z8vu2apDMCFvE/935NfuPw8="],"checkpoint":{"envelope":"rekor.sigstore.dev - 2605736670972794746\n95271032\nbdk7mJiV/TsunynJolyl0Z++ssvYJ1fNbK3Yq6HuhXc=\n\n— rekor.sigstore.dev wNI9ajBFAiBvDaKP+wZMQRabNHG7FwhiNaZuOYCaICVAw+edsSpBYAIhAOPO4Kl7Rr/XrQvPHnFkoxlZB2iiNJ1987jw5d+FAjFR\n"}},"canonicalizedBody":"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"}],"timestampVerificationData":{"rfc3161Timestamps":[]}},"dsseEnvelope":{"payload":"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","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEUCIQDUOWLBiR+G2Bxb+lUXc2xxqnBZeqwdV0gYk8nar90ghwIgalqnZSKrzMGYEY05G5wMMPtZVWR5Z5nx1xmyzrSGMFI=","keyid":""}]}}}]} \ No newline at end of file diff --git a/cli/slsa-verifier/testdata/npm/gha/gundam-visor-cli-v1-tag-invalidsigpub.tgz b/cli/slsa-verifier/testdata/npm/gha/gundam-visor-cli-v1-tag-invalidsigpub.tgz new file mode 100644 index 000000000..5879a48cc Binary files /dev/null and b/cli/slsa-verifier/testdata/npm/gha/gundam-visor-cli-v1-tag-invalidsigpub.tgz differ diff --git a/cli/slsa-verifier/testdata/npm/gha/gundam-visor-cli-v1-tag-invalidsigpub.tgz.json b/cli/slsa-verifier/testdata/npm/gha/gundam-visor-cli-v1-tag-invalidsigpub.tgz.json new file mode 100644 index 000000000..0c92bcc53 --- /dev/null +++ b/cli/slsa-verifier/testdata/npm/gha/gundam-visor-cli-v1-tag-invalidsigpub.tgz.json 
@@ -0,0 +1 @@ +{"attestations":[{"predicateType":"https://github.com/npm/attestation/tree/main/specs/publish/v0.1","bundle":{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.2","verificationMaterial":{"publicKey":{"hint":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA"},"tlogEntries":[{"logIndex":"99434465","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"intoto","version":"0.0.2"},"integratedTime":"1717453081","inclusionPromise":{"signedEntryTimestamp":"MEYCIQDOARAGyVHccisvQm5E60IccfY9M2u5a+0YRCiawh75cAIhAMxJbSqi4J9ngL4/dG+2b0UW+9dHtpY9DgV79LgYj8NY"},"inclusionProof":{"logIndex":"95271034","rootHash":"0COmZPs5R/MmjgbpNSlBuNMC7DLFOK4YqRWL8IvvWVg=","treeSize":"95271036","hashes":["h57Dn4I0XAl/b8bE8l/MF9lGHPrG2roJabnnU0mYfeI=","33mTL3BkADC8Vi+wRLX8b42hUX2nqXHI3BOjzYzBH44=","R4HYAPV3bDnGRcJ86KDUqny6fDqU9Qlbv5CjktO7D3E=","XJhxQu3fMX4CsqKvtdiF5Yff1dZTjkUS3IoduvaunC0=","Xk1XiLw9Jb9ZxC4iNLUN0RMolPAQ5uy+xVlU4T5ePh0=","V4pG0KBpGywjX7eYBkt9xOfzBGmgDAUumQrMFGttu5o=","bdiW+QbcKwgoiHTYy1AGRipRPs8I6mjJZNBkmLuw43Y=","Rh9QDMnMoFoxIEqVbyya9Wkz99NGv2xYTN32feHLE3A=","/bWhZ36DcEsXeRI6E5pG6DshJI3cEsWzJy1UdMqPeaA=","49anUgnAYwwLfQAZcBb6C6u7tNhwYdKtnLNg+0ZQK2c=","EbT5mQYci44fcTz1vjOpBOVJE7TPJY+rLIsZxXgqBOk=","40yHIq9mqoqfhVgnEQAlLLRLeehet/WJr/saCTYG91k=","7I4hi3dOO4k//2YwZ5WLzohtTmuh8nP71JQQaZTGd00=","OE/VFuAFgf7OOQO93xqJMVNRLOibj/3LQ5OMQP5ZWCo=","cX3Agx+hP66t1ZLbX/yHbfjU46/3m/VAmWyG/fhxAVc=","sjohk/3DQIfXTgf/5XpwtdF7yNbrf8YykOMHr1CyBYQ=","98enzMaC+x5oCMvIZQA5z8vu2apDMCFvE/935NfuPw8="],"checkpoint":{"envelope":"rekor.sigstore.dev - 2605736670972794746\n95271036\n0COmZPs5R/MmjgbpNSlBuNMC7DLFOK4YqRWL8IvvWVg=\n\n— rekor.sigstore.dev 
wNI9ajBFAiBeM+LPeS5kNpplQkq7P1qAWVhCySznP10aOQzAoetdogIhALIONG8mAfKHxo08BjMsO527I5c1BV4Z1x27d6vBLmbb\n"}},"canonicalizedBody":"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"}],"timestampVerificationData":{"rfc3161Timestamps":[]}},"dsseEnvelope":{"payload":"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","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEUCIF56JbQQVP94bkPymcC5s1Mu7kruACigKYfKUSX/d9oPAiEAm7PB5vN3uhBoxHsa0bmrBHeQ1yoprimfGMOiN8vEE3Y=","keyid":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA"}]}}},{"predicateType":"https://slsa.dev/provenance/v1","bundle":{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.2","verificationMaterial":{"x509CertificateChain":{"certificates":[{"rawBytes":"MIIHFDCCBpqgAwIBAgIUe/xsdeBrx9PMQYoY7cRlkLxuZf4wCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjQwNjAzMjIxNzU5WhcNMjQwNjAzMjIyNzU5WjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEf/iKtAQ86ZsbgoXrkQNvu6OLmXcuMXYgpHU/XJQO5afLETZuxykSsmwIziETy8hvqnoBnevG3OKmc8gOb+083KOCBbkwggW1MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUUE/EwyC2j20U+0ltVTFPAqztrnMwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wcAYDVR0RAQH/BGYwZIZiaHR0cHM6Ly9naXRodWIuY29tL3JhbW9ucGV0Z3JhdmU2NC9ndW5kYW0tdmlzb3IvLmdpdGh1Yi93b3JrZmxvd3MvbnBtLXB1Ymxpc2gueW1sQHJlZnMvdGFncy92MS4wLjEwOQYKKwYBBAGDvzABAQQraHR0cHM6Ly90b2tlbi5hY3Rpb25zLmdpdGh1YnVzZXJjb250ZW50LmNvbTAVBgorBgEEAYO/MAECBAdyZWxlYXNlMDYGCisGAQQBg78wAQMEKDU5OTUwMDgyMTM0NGIwNzA5MDJhN2E1NjY2MDY0YmZkYWJhNzE1ZGYwJgYKKwYBBAGDvzABBAQYUHVibGlzaCBQYWNrYWdlIHRvIG5wbWpzMCoGCisGAQQBg78wAQUEHHJhbW9ucGV0Z3JhdmU2NC9ndW5kYW0tdmlzb3IwHgYKKwYBBAGDvzABBgQQcmVmcy90YWdzL3YxLjAuMTA7BgorBgEEAYO/MAEIBC0MK2h0dHBzOi8vdG9rZW4uYWN0aW9ucy5naXRodWJ1c2VyY29udGVudC5jb20wcgYKKwYBBAGDvzABCQRkDGJodHRwczovL2dpdGh1Yi5jb20vcmFtb25wZXRncmF2ZTY0L2d1bmRhbS12aXNvci8uZ2l0aHViL3dvcmtmbG93cy9ucG0tcHVibGlzaC55bWxAcmVmcy90YWdzL3YxLjAuMTA4BgorBgEEAYO/MAEKBCoMKDU5OTUwMDgyMTM0NGIwNzA5MDJhN2E1NjY2MDY0YmZkY
WJhNzE1ZGYwHQYKKwYBBAGDvzABCwQPDA1naXRodWItaG9zdGVkMD8GCisGAQQBg78wAQwEMQwvaHR0cHM6Ly9naXRodWIuY29tL3JhbW9ucGV0Z3JhdmU2NC9ndW5kYW0tdmlzb3IwOAYKKwYBBAGDvzABDQQqDCg1OTk1MDA4MjEzNDRiMDcwOTAyYTdhNTY2NjA2NGJmZGFiYTcxNWRmMCAGCisGAQQBg78wAQ4EEgwQcmVmcy90YWdzL3YxLjAuMTAZBgorBgEEAYO/MAEPBAsMCTgxMDAwMjM3MzAyBgorBgEEAYO/MAEQBCQMImh0dHBzOi8vZ2l0aHViLmNvbS9yYW1vbnBldGdyYXZlNjQwGAYKKwYBBAGDvzABEQQKDAgzMjM5ODA5MTByBgorBgEEAYO/MAESBGQMYmh0dHBzOi8vZ2l0aHViLmNvbS9yYW1vbnBldGdyYXZlNjQvZ3VuZGFtLXZpc29yLy5naXRodWIvd29ya2Zsb3dzL25wbS1wdWJsaXNoLnltbEByZWZzL3RhZ3MvdjEuMC4xMDgGCisGAQQBg78wARMEKgwoNTk5NTAwODIxMzQ0YjA3MDkwMmE3YTU2NjYwNjRiZmRhYmE3MTVkZjAXBgorBgEEAYO/MAEUBAkMB3JlbGVhc2UwYgYKKwYBBAGDvzABFQRUDFJodHRwczovL2dpdGh1Yi5jb20vcmFtb25wZXRncmF2ZTY0L2d1bmRhbS12aXNvci9hY3Rpb25zL3J1bnMvOTM1ODAwNDExMi9hdHRlbXB0cy8xMBYGCisGAQQBg78wARYECAwGcHVibGljMIGKBgorBgEEAdZ5AgQCBHwEegB4AHYA3T0wasbHETJjGR4cmWc3AqJKXrjePK3/h4pygC8p7o4AAAGP4C5DIQAABAMARzBFAiEA06IAP6PidvG6JVOU/ZuAclcBmMGblXx/h4oILvv0RVYCICb5qhePD0X9uusYa3Yf41/hx6kuxs2ORJpFLKUtcEU/MAoGCCqGSM49BAMDA2gAMGUCMQC3nFK5hx4cuz+oeNLFDJFBJfGHqr1zwMQFNuiOb06LXEVnec1OJdibNkYwuUY6ozkCMAVgVb1fkdjdGO9cxqxIK5ZsV9lhbAGeyTJvojiFdladJQ8M7KY8x1+EC5VexGkpww=="}]},"tlogEntries":[{"logIndex":"99434462","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"intoto","version":"0.0.2"},"integratedTime":"1717453079","inclusionPromise":{"signedEntryTimestamp":"MEUCIQCC4erdG64HDkzkn/Qif+dqIS9JnN19psxSAYud80rp4QIgHwpYYeBMC5tYuXptKu1g0KCmo5O69H4aP4HUn94JF2o="},"inclusionProof":{"logIndex":"95271031","rootHash":"bdk7mJiV/TsunynJolyl0Z++ssvYJ1fNbK3Yq6HuhXc=","treeSize":"95271032","hashes":["38feiWPHuMfOscD058JpKPKRykVBqEyaSJ5pLgDZHXg=","DpqKqb4W3zcJ7TyBf4zr1qaxIaEjPqsSmCKJrjYhs+E=","3rICe8i0xHnaD68TkMlDGR9YfJwXErJptkFWlVNXJFo=","XJhxQu3fMX4CsqKvtdiF5Yff1dZTjkUS3IoduvaunC0=","Xk1XiLw9Jb9ZxC4iNLUN0RMolPAQ5uy+xVlU4T5ePh0=","V4pG0KBpGywjX7eYBkt9xOfzBGmgDAUumQrMFGttu5o=","bdiW+QbcKwgoiHTYy1AGRipRPs8I6mjJZNBkmLuw43Y=","Rh9QDMnMoFoxIEqVbyya9Wkz99NGv2
xYTN32feHLE3A=","/bWhZ36DcEsXeRI6E5pG6DshJI3cEsWzJy1UdMqPeaA=","49anUgnAYwwLfQAZcBb6C6u7tNhwYdKtnLNg+0ZQK2c=","EbT5mQYci44fcTz1vjOpBOVJE7TPJY+rLIsZxXgqBOk=","40yHIq9mqoqfhVgnEQAlLLRLeehet/WJr/saCTYG91k=","7I4hi3dOO4k//2YwZ5WLzohtTmuh8nP71JQQaZTGd00=","OE/VFuAFgf7OOQO93xqJMVNRLOibj/3LQ5OMQP5ZWCo=","cX3Agx+hP66t1ZLbX/yHbfjU46/3m/VAmWyG/fhxAVc=","sjohk/3DQIfXTgf/5XpwtdF7yNbrf8YykOMHr1CyBYQ=","98enzMaC+x5oCMvIZQA5z8vu2apDMCFvE/935NfuPw8="],"checkpoint":{"envelope":"rekor.sigstore.dev - 2605736670972794746\n95271032\nbdk7mJiV/TsunynJolyl0Z++ssvYJ1fNbK3Yq6HuhXc=\n\n— rekor.sigstore.dev wNI9ajBFAiBvDaKP+wZMQRabNHG7FwhiNaZuOYCaICVAw+edsSpBYAIhAOPO4Kl7Rr/XrQvPHnFkoxlZB2iiNJ1987jw5d+FAjFR\n"}},"canonicalizedBody":"eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWRUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8ranNvbiIsInNpZ25hdHVyZXMiOlt7InB1YmxpY0tleSI6IkxTMHRMUzFDUlVkSlRpQkRSVkpVU1VaSlEwRlVSUzB0TFMwdENrMUpTVWhHUkVORFFuQnhaMEYzU1VKQlowbFZaUzk0YzJSbFFuSjRPVkJOVVZsdldUZGpVbXhyVEhoMVdtWTBkME5uV1VsTGIxcEplbW93UlVGM1RYY0tUbnBGVmsxQ1RVZEJNVlZGUTJoTlRXTXliRzVqTTFKMlkyMVZkVnBIVmpKTlVqUjNTRUZaUkZaUlVVUkZlRlo2WVZka2VtUkhPWGxhVXpGd1ltNVNiQXBqYlRGc1drZHNhR1JIVlhkSWFHTk9UV3BSZDA1cVFYcE5ha2w0VG5wVk5WZG9ZMDVOYWxGM1RtcEJlazFxU1hsT2VsVTFWMnBCUVUxR2EzZEZkMWxJQ2t0dldrbDZhakJEUVZGWlNVdHZXa2w2YWpCRVFWRmpSRkZuUVVWbUwybExkRUZST0RaYWMySm5iMWh5YTFGT2RuVTJUMHh0V0dOMVRWaFpaM0JJVlM4S1dFcFJUelZoWmt4RlZGcDFlSGxyVTNOdGQwbDZhVVZVZVRob2RuRnViMEp1WlhaSE0wOUxiV000WjA5aUt6QTRNMHRQUTBKaWEzZG5aMWN4VFVFMFJ3cEJNVlZrUkhkRlFpOTNVVVZCZDBsSVowUkJWRUpuVGxaSVUxVkZSRVJCUzBKblozSkNaMFZHUWxGalJFRjZRV1JDWjA1V1NGRTBSVVpuVVZWVlJTOUZDbmQ1UXpKcU1qQlZLekJzZEZaVVJsQkJjWHAwY201TmQwaDNXVVJXVWpCcVFrSm5kMFp2UVZVek9WQndlakZaYTBWYVlqVnhUbXB3UzBaWGFYaHBORmtLV2tRNGQyTkJXVVJXVWpCU1FWRklMMEpIV1hkYVNWcHBZVWhTTUdOSVRUWk1lVGx1WVZoU2IyUlhTWFZaTWpsMFRETkthR0pYT1hWalIxWXdXak5LYUFwa2JWVXlUa001Ym1SWE5XdFpWekIwWkcxc2VtSXpTWFpNYldSd1pFZG9NVmxwT1ROaU0wcHlXbTE0ZG1RelRYWmlia0owVEZoQ01WbHRlSEJqTW1kMUNtVlhNWE
5SU0Vwc1dtNU5kbVJIUm01amVUa3lUVk0wZDB4cVJYZFBVVmxMUzNkWlFrSkJSMFIyZWtGQ1FWRlJjbUZJVWpCalNFMDJUSGs1TUdJeWRHd0tZbWsxYUZrelVuQmlNalY2VEcxa2NHUkhhREZaYmxaNldsaEthbUl5TlRCYVZ6VXdURzFPZG1KVVFWWkNaMjl5UW1kRlJVRlpUeTlOUVVWRFFrRmtlUXBhVjNoc1dWaE9iRTFFV1VkRGFYTkhRVkZSUW1jM09IZEJVVTFGUzBSVk5VOVVWWGROUkdkNVRWUk5NRTVIU1hkT2VrRTFUVVJLYUU0eVJURk9hbGt5Q2sxRVdUQlpiVnByV1ZkS2FFNTZSVEZhUjFsM1NtZFpTMHQzV1VKQ1FVZEVkbnBCUWtKQlVWbFZTRlpwWWtkc2VtRkRRbEZaVjA1eVdWZGtiRWxJVW5ZS1NVYzFkMkpYY0hwTlEyOUhRMmx6UjBGUlVVSm5OemgzUVZGVlJVaElTbWhpVnpsMVkwZFdNRm96U21oa2JWVXlUa001Ym1SWE5XdFpWekIwWkcxc2VncGlNMGwzU0dkWlMwdDNXVUpDUVVkRWRucEJRa0puVVZGamJWWnRZM2s1TUZsWFpIcE1NMWw0VEdwQmRVMVVRVGRDWjI5eVFtZEZSVUZaVHk5TlFVVkpDa0pETUUxTE1tZ3daRWhDZWs5cE9IWmtSemx5V2xjMGRWbFhUakJoVnpsMVkzazFibUZZVW05a1Ywb3hZekpXZVZreU9YVmtSMVoxWkVNMWFtSXlNSGNLWTJkWlMwdDNXVUpDUVVkRWRucEJRa05SVW10RVIwcHZaRWhTZDJONmIzWk1NbVJ3WkVkb01WbHBOV3BpTWpCMlkyMUdkR0l5TlhkYVdGSnVZMjFHTWdwYVZGa3dUREprTVdKdFVtaGlVekV5WVZoT2RtTnBPSFZhTW13d1lVaFdhVXd6WkhaamJYUnRZa2M1TTJONU9YVmpSekIwWTBoV2FXSkhiSHBoUXpVMUNtSlhlRUZqYlZadFkzazVNRmxYWkhwTU0xbDRUR3BCZFUxVVFUUkNaMjl5UW1kRlJVRlpUeTlOUVVWTFFrTnZUVXRFVlRWUFZGVjNUVVJuZVUxVVRUQUtUa2RKZDA1NlFUVk5SRXBvVGpKRk1VNXFXVEpOUkZrd1dXMWFhMWxYU21oT2VrVXhXa2RaZDBoUldVdExkMWxDUWtGSFJIWjZRVUpEZDFGUVJFRXhiZ3BoV0ZKdlpGZEpkR0ZIT1hwa1IxWnJUVVE0UjBOcGMwZEJVVkZDWnpjNGQwRlJkMFZOVVhkMllVaFNNR05JVFRaTWVUbHVZVmhTYjJSWFNYVlpNamwwQ2t3elNtaGlWemwxWTBkV01Gb3pTbWhrYlZVeVRrTTVibVJYTld0WlZ6QjBaRzFzZW1JelNYZFBRVmxMUzNkWlFrSkJSMFIyZWtGQ1JGRlJjVVJEWnpFS1QxUnJNVTFFUVRSTmFrVjZUa1JTYVUxRVkzZFBWRUY1V1ZSa2FFNVVXVEpPYWtFeVRrZEtiVnBIUm1sWlZHTjRUbGRTYlUxRFFVZERhWE5IUVZGUlFncG5OemgzUVZFMFJVVm5kMUZqYlZadFkzazVNRmxYWkhwTU0xbDRUR3BCZFUxVVFWcENaMjl5UW1kRlJVRlpUeTlOUVVWUVFrRnpUVU5VWjNoTlJFRjNDazFxVFROTmVrRjVRbWR2Y2tKblJVVkJXVTh2VFVGRlVVSkRVVTFKYldnd1pFaENlazlwT0haYU1td3dZVWhXYVV4dFRuWmlVemw1V1ZjeGRtSnVRbXdLWkVka2VWbFlXbXhPYWxGM1IwRlpTMHQzV1VKQ1FVZEVkbnBCUWtWUlVVdEVRV2Q2VFdwTk5VOUVRVFZOVkVKNVFtZHZja0puUlVWQldVOHZUVUZGVXdwQ1IxRk5XVzFvTUdSSVFucFBhVGgyV2pKc01HRklWbW
xNYlU1MllsTTVlVmxYTVhaaWJrSnNaRWRrZVZsWVdteE9hbEYyV2pOV2RWcEhSblJNV0Zwd0NtTXlPWGxNZVRWdVlWaFNiMlJYU1haa01qbDVZVEphYzJJelpIcE1NalYzWWxNeGQyUlhTbk5oV0U1dlRHNXNkR0pGUW5sYVYxcDZURE5TYUZvelRYWUtaR3BGZFUxRE5IaE5SR2RIUTJselIwRlJVVUpuTnpoM1FWSk5SVXRuZDI5T1ZHczFUbFJCZDA5RVNYaE5lbEV3V1dwQk0wMUVhM2ROYlVVeldWUlZNZ3BPYWxsM1RtcFNhVnB0VW1oWmJVVXpUVlJXYTFwcVFWaENaMjl5UW1kRlJVRlpUeTlOUVVWVlFrRnJUVUl6U214aVIxWm9ZekpWZDFsbldVdExkMWxDQ2tKQlIwUjJla0ZDUmxGU1ZVUkdTbTlrU0ZKM1kzcHZka3d5WkhCa1IyZ3hXV2sxYW1JeU1IWmpiVVowWWpJMWQxcFlVbTVqYlVZeVdsUlpNRXd5WkRFS1ltMVNhR0pUTVRKaFdFNTJZMms1YUZrelVuQmlNalY2VEROS01XSnVUWFpQVkUweFQwUkJkMDVFUlhoTmFUbG9aRWhTYkdKWVFqQmplVGg0VFVKWlJ3cERhWE5IUVZGUlFtYzNPSGRCVWxsRlEwRjNSMk5JVm1saVIyeHFUVWxIUzBKbmIzSkNaMFZGUVdSYU5VRm5VVU5DU0hkRlpXZENORUZJV1VFelZEQjNDbUZ6WWtoRlZFcHFSMUkwWTIxWFl6TkJjVXBMV0hKcVpWQkxNeTlvTkhCNVowTTRjRGR2TkVGQlFVZFFORU0xUkVsUlFVRkNRVTFCVW5wQ1JrRnBSVUVLTURaSlFWQTJVR2xrZGtjMlNsWlBWUzlhZFVGamJHTkNiVTFIWW14WWVDOW9ORzlKVEhaMk1GSldXVU5KUTJJMWNXaGxVRVF3V0RsMWRYTlpZVE5aWmdvME1TOW9lRFpyZFhoek1rOVNTbkJHVEV0VmRHTkZWUzlOUVc5SFEwTnhSMU5OTkRsQ1FVMUVRVEpuUVUxSFZVTk5VVU16YmtaTE5XaDROR04xZWl0dkNtVk9URVpFU2taQ1NtWkhTSEZ5TVhwM1RWRkdUblZwVDJJd05reFlSVlp1WldNeFQwcGthV0pPYTFsM2RWVlpObTk2YTBOTlFWWm5WbUl4Wm10a2FtUUtSMDg1WTNoeGVFbExOVnB6Vmpsc2FHSkJSMlY1VkVwMmIycHBSbVJzWVdSS1VUaE5OMHRaT0hneEswVkROVlpsZUVkcmNIZDNQVDBLTFMwdExTMUZUa1FnUTBWU1ZFbEdTVU5CVkVVdExTMHRMUT09Iiwic2lnIjoiVFVWVlEwbFJSRlZQVjB4Q2FWSXJSekpDZUdJcmJGVllZeko0ZUhGdVFscGxjWGRrVmpCbldXczRibUZ5T1RCbmFIZEpaMkZzY1c1YVUwdHllazFIV1VWWk1EVkhOWGROVFZCMFdsWlhValZhTlc1NE1YaHRlWHB5VTBkTlJrazkifV19LCJoYXNoIjp7ImFsZ29yaXRobSI6InNoYTI1NiIsInZhbHVlIjoiMmIzYzRmZjcyZWY5Y2M1MWIzZWFjYjFiMTRkYzAxMmNjZmI0MGY4ZmI2NzY2M2VmZDJjNTI0Nzg3MTc3OTU1OSJ9LCJwYXlsb2FkSGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6ImNjNjZjMTM4NjNmZDcxMDNhMTc2ZjE2Y2Y0MjA2NWZiMjQ4OWRmZjMxNDY2N2IxNDEwYmFhMGM2NjM1ODQ5YTIifX19fQ=="}],"timestampVerificationData":{"rfc3161Timestamps":[]}},"dsseEnvelope":{"payload":"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
","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEUCIQDUOWLBiR+G2Bxb+lUXc2xxqnBZeqwdV0gYk8nar90ghwIgalqnZSKrzMGYEY05G5wMMPtZVWR5Z5nx1xmyzrSGMFI=","keyid":""}]}}}]} \ No newline at end of file diff --git a/cli/slsa-verifier/testdata/npm/gha/gundam-visor-cli-v1-tag.tgz b/cli/slsa-verifier/testdata/npm/gha/gundam-visor-cli-v1-tag.tgz new file mode 100644 index 000000000..5879a48cc Binary files /dev/null and b/cli/slsa-verifier/testdata/npm/gha/gundam-visor-cli-v1-tag.tgz differ diff --git a/cli/slsa-verifier/testdata/npm/gha/gundam-visor-cli-v1-tag.tgz.json b/cli/slsa-verifier/testdata/npm/gha/gundam-visor-cli-v1-tag.tgz.json new file mode 100644 index 000000000..9e1aefe70 --- /dev/null +++ b/cli/slsa-verifier/testdata/npm/gha/gundam-visor-cli-v1-tag.tgz.json 
@@ -0,0 +1 @@ +{"attestations":[{"predicateType":"https://github.com/npm/attestation/tree/main/specs/publish/v0.1","bundle":{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.2","verificationMaterial":{"publicKey":{"hint":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA"},"tlogEntries":[{"logIndex":"99434465","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"intoto","version":"0.0.2"},"integratedTime":"1717453081","inclusionPromise":{"signedEntryTimestamp":"MEYCIQDOARAGyVHccisvQm5E60IccfY9M2u5a+0YRCiawh75cAIhAMxJbSqi4J9ngL4/dG+2b0UW+9dHtpY9DgV79LgYj8NY"},"inclusionProof":{"logIndex":"95271034","rootHash":"0COmZPs5R/MmjgbpNSlBuNMC7DLFOK4YqRWL8IvvWVg=","treeSize":"95271036","hashes":["h57Dn4I0XAl/b8bE8l/MF9lGHPrG2roJabnnU0mYfeI=","33mTL3BkADC8Vi+wRLX8b42hUX2nqXHI3BOjzYzBH44=","R4HYAPV3bDnGRcJ86KDUqny6fDqU9Qlbv5CjktO7D3E=","XJhxQu3fMX4CsqKvtdiF5Yff1dZTjkUS3IoduvaunC0=","Xk1XiLw9Jb9ZxC4iNLUN0RMolPAQ5uy+xVlU4T5ePh0=","V4pG0KBpGywjX7eYBkt9xOfzBGmgDAUumQrMFGttu5o=","bdiW+QbcKwgoiHTYy1AGRipRPs8I6mjJZNBkmLuw43Y=","Rh9QDMnMoFoxIEqVbyya9Wkz99NGv2xYTN32feHLE3A=","/bWhZ36DcEsXeRI6E5pG6DshJI3cEsWzJy1UdMqPeaA=","49anUgnAYwwLfQAZcBb6C6u7tNhwYdKtnLNg+0ZQK2c=","EbT5mQYci44fcTz1vjOpBOVJE7TPJY+rLIsZxXgqBOk=","40yHIq9mqoqfhVgnEQAlLLRLeehet/WJr/saCTYG91k=","7I4hi3dOO4k//2YwZ5WLzohtTmuh8nP71JQQaZTGd00=","OE/VFuAFgf7OOQO93xqJMVNRLOibj/3LQ5OMQP5ZWCo=","cX3Agx+hP66t1ZLbX/yHbfjU46/3m/VAmWyG/fhxAVc=","sjohk/3DQIfXTgf/5XpwtdF7yNbrf8YykOMHr1CyBYQ=","98enzMaC+x5oCMvIZQA5z8vu2apDMCFvE/935NfuPw8="],"checkpoint":{"envelope":"rekor.sigstore.dev - 2605736670972794746\n95271036\n0COmZPs5R/MmjgbpNSlBuNMC7DLFOK4YqRWL8IvvWVg=\n\n— rekor.sigstore.dev 
wNI9ajBFAiBeM+LPeS5kNpplQkq7P1qAWVhCySznP10aOQzAoetdogIhALIONG8mAfKHxo08BjMsO527I5c1BV4Z1x27d6vBLmbb\n"}},"canonicalizedBody":"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"}],"timestampVerificationData":{"rfc3161Timestamps":[]}},"dsseEnvelope":{"payload":"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","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEUCIF56JbQQVP94bkPymcC5s1Mu7kruACigKYfKUSX/d9oPAiEAm7PB5vN3uhBoxHsa0bmrBHeQ1yoprimfGMOiN8vEE3Y=","keyid":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA"}]}}},{"predicateType":"https://slsa.dev/provenance/v1","bundle":{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.2","verificationMaterial":{"x509CertificateChain":{"certificates":[{"rawBytes":"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"}]},"tlogEntries":[{"logIndex":"99434462","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"intoto","version":"0.0.2"},"integratedTime":"1717453079","inclusionPromise":{"signedEntryTimestamp":"MEUCIQCC4erdG64HDkzkn/Qif+dqIS9JnN19psxSAYud80rp4QIgHwpYYeBMC5tYuXptKu1g0KCmo5O69H4aP4HUn94JF2o="},"inclusionProof":{"logIndex":"95271031","rootHash":"bdk7mJiV/TsunynJolyl0Z++ssvYJ1fNbK3Yq6HuhXc=","treeSize":"95271032","hashes":["38feiWPHuMfOscD058JpKPKRykVBqEyaSJ5pLgDZHXg=","DpqKqb4W3zcJ7TyBf4zr1qaxIaEjPqsSmCKJrjYhs+E=","3rICe8i0xHnaD68TkMlDGR9YfJwXErJptkFWlVNXJFo=","XJhxQu3fMX4CsqKvtdiF5Yff1dZTjkUS3IoduvaunC0=","Xk1XiLw9Jb9ZxC4iNLUN0RMolPAQ5uy+xVlU4T5ePh0=","V4pG0KBpGywjX7eYBkt9xOfzBGmgDAUumQrMFGttu5o=","bdiW+QbcKwgoiHTYy1AGRipRPs8I6mjJZNBkmLuw43Y=","Rh9QDMnMoFoxIEqVbyya9Wkz99NGv2xYTN32feHLE3A=","/bWhZ36DcEsXeRI6E5pG6DshJI3cEsWzJy1UdMqPeaA=","49anUgnAYwwLfQAZcBb6C6u7tNhwYdKtnLNg+0ZQK2c=","EbT5mQYci44fcTz1vjOpBOVJE7TPJY+rLIsZxXgqBOk=","40yHIq9mqoqfhVgnEQAlLLRLeehet/WJr/saCTYG91k=","7I4hi3dOO4k//2YwZ5WLzohtTmuh8nP71JQQaZTGd00=","OE/VFuAFgf7OOQO93xqJMVNRLOibj/3LQ5OMQP5ZWCo=","cX3Agx+hP66t1ZLbX/yHbfjU46/3m/VAmWyG/fhxAVc=","sjohk/3DQIfXTgf/5XpwtdF7y
Nbrf8YykOMHr1CyBYQ=","98enzMaC+x5oCMvIZQA5z8vu2apDMCFvE/935NfuPw8="],"checkpoint":{"envelope":"rekor.sigstore.dev - 2605736670972794746\n95271032\nbdk7mJiV/TsunynJolyl0Z++ssvYJ1fNbK3Yq6HuhXc=\n\n— rekor.sigstore.dev wNI9ajBFAiBvDaKP+wZMQRabNHG7FwhiNaZuOYCaICVAw+edsSpBYAIhAOPO4Kl7Rr/XrQvPHnFkoxlZB2iiNJ1987jw5d+FAjFR\n"}},"canonicalizedBody":"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"}],"timestampVerificationData":{"rfc3161Timestamps":[]}},"dsseEnvelope":{"payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjEiLCJzdWJqZWN0IjpbeyJuYW1lIjoicGtnOm5wbS9ndW5kYW0tdmlzb3JAMS4wLjEiLCJkaWdlc3QiOnsic2hhNTEyIjoiOGQ5ZDc5NzJmNjc2NTE2Yzc1MDE0YWEwNzRlMTFhZTYwNGQ5OGYwYjY0ZWM2NzI1YTYxZTI4MzhmZjNkYWIxNjIxMThmYTcxNDMzZmIzMWUxNTUwZDMwYmQwZGVjOWQwODZjZTAzMmI5NDQ1N2I1ODM5MDBjNTA3YWNmMzljNDAifX1dLCJwcmVkaWNhdGVUeXBlIjoiaHR0cHM6Ly9zbHNhLmRldi9wcm92ZW5hbmNlL3YxIiwicHJlZGljYXRlIjp7ImJ1aWxkRGVmaW5pdGlvbiI6eyJidWlsZFR5cGUiOiJodHRwczovL3Nsc2EtZnJhbWV3b3JrLmdpdGh1Yi5pby9naXRodWItYWN0aW9ucy1idWlsZHR5cGVzL3dvcmtmbG93L3YxIiwiZXh0ZXJuYWxQYXJhbWV0ZXJzIjp7IndvcmtmbG93Ijp7InJlZiI6InJlZnMvdGFncy92MS4wLjEiLCJyZXBvc2l0b3J5IjoiaHR0cHM6Ly9naXRodWIuY29tL3JhbW9ucGV0Z3JhdmU2NC9ndW5kYW0tdmlzb3IiLCJwYXRoIjoiLmdpdGh1Yi93b3JrZmxvd3MvbnBtLXB1Ymxpc2gueW1sIn19LCJpbnRlcm5hbFBhcmFtZXRlcnMiOnsiZ2l0aHViIjp7ImV2ZW50X25hbWUiOiJyZWxlYXNlIiwicmVwb3NpdG9yeV9pZCI6IjgxMDAwMjM3MyIsInJlcG9zaXRvcnlfb3duZXJfaWQiOiIzMjM5ODA5MSJ9fSwicmVzb2x2ZWREZXBlbmRlbmNpZXMiOlt7InVyaSI6ImdpdCtodHRwczovL2dpdGh1Yi5jb20vcmFtb25wZXRncmF2ZTY0L2d1bmRhbS12aXNvckByZWZzL3RhZ3MvdjEuMC4xIiwiZGlnZXN0Ijp7ImdpdENvbW1pdCI6IjU5OTUwMDgyMTM0NGIwNzA5MDJhN2E1NjY2MDY0YmZkYWJhNzE1ZGYifX1dfSwicnVuRGV0YWlscyI6eyJidWlsZGVyIjp7ImlkIjoiaHR0cHM6Ly9naXRodWIuY29tL2FjdGlvbnMvcnVubmVyL2dpdGh1Yi1ob3N0ZWQifSwibWV0YWRhdGEiOnsiaW52b2NhdGlvbklkIjoiaHR0cHM6Ly9naXRodWIuY29tL3JhbW9ucGV0Z3JhdmU2NC9ndW5kYW0tdmlzb3IvYWN0aW9ucy9ydW5zLzkzNTgwMDQxMTIvYXR0ZW1wdHMvMSJ9fX19","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEUCIQDUOWLBiR+G2Bxb+lUXc2xxqnBZeq
wdV0gYk8nar90ghwIgalqnZSKrzMGYEY05G5wMMPtZVWR5Z5nx1xmyzrSGMFI=","keyid":""}]}}}]} \ No newline at end of file diff --git a/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-cli-v1-prega-invalidsigprov.tgz b/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-cli-v1-prega-invalidsigprov.tgz new file mode 100644 index 000000000..7ba678b2f Binary files /dev/null and b/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-cli-v1-prega-invalidsigprov.tgz differ diff --git a/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-cli-v1-prega-invalidsigprov.tgz.json b/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-cli-v1-prega-invalidsigprov.tgz.json new file mode 100644 index 000000000..5e85a7660 --- /dev/null +++ b/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-cli-v1-prega-invalidsigprov.tgz.json 
@@ -0,0 +1 @@ +{"attestations":[{"predicateType":"https://github.com/npm/attestation/tree/main/specs/publish/v0.1","bundle":{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.2","verificationMaterial":{"publicKey":{"hint":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA"},"tlogEntries":[{"logIndex":"94408157","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"intoto","version":"0.0.2"},"integratedTime":"1715879526","inclusionPromise":{"signedEntryTimestamp":"MEYCIQDkjdI8FSIueIjj2gR8wCWfoI8ZE2MkowvePTj7qIWuwwIhAIb9sqganwJsjY+YqQpnoU6/zXnjSA3VQg+bWFUcS0Kl"},"inclusionProof":{"logIndex":"90244726","rootHash":"b45zjIwrqMHFQdj7eah4JmY18uZ8NuHTn5IzKFNQZfY=","treeSize":"90244728","hashes":["CBwx0crk7DmjBDAbMu09vJS9JSk6WVsUZuSu+At5qXI=","a0BFEFO7LYyqePtySj7JqyFKFGXZzT7C9xbTYaELcVo=","vSJ2uxKfUKcwQ7BFmd+oFoUe0DA1Foi//ifdbZ3ZudY=","ogORDTX4fquF71Dpr4nHFcJdN/5X3Gx+dwlUFs7Ia5c=","Kbilom1zVb4oHUwvtKCL9UnBc0moHb6J8Pc72uQr7/o=","9sanCtp3c8yFZrbZk7REJZwNSYCNbhr7KVYSAJ2xpYM=","OKRI+AcHglVnOX/7ruRu/my6q4rXy7UvP+1ZaPyCBjE=","eV18+1YG77etZMZt/Is5pyU55tBdkU38nFSI8xZ4UHQ=","wtw+ScYxnHik5h+Z3CT9BHO0z3InVNliNrZ+ESZ77s4=","I6ByblwycX/FVOmItiqNfJszyhjOOlojcKfpBtTwikg=","Y8HGC24e6i45rvtDIHoGyhfneeeGabrTnPMPRgKmP2Q=","sjohk/3DQIfXTgf/5XpwtdF7yNbrf8YykOMHr1CyBYQ=","98enzMaC+x5oCMvIZQA5z8vu2apDMCFvE/935NfuPw8="],"checkpoint":{"envelope":"rekor.sigstore.dev - 2605736670972794746\n90244728\nb45zjIwrqMHFQdj7eah4JmY18uZ8NuHTn5IzKFNQZfY=\n\n— rekor.sigstore.dev 
wNI9ajBFAiEAj2qidu/429JnvXnJZc0jLZ84MLHXOihfYSVrKR35X8oCIBYSbEMYNenZQwkLrnPSJf0THE2c3iX+RIIm5+z4zOvz\n"}},"canonicalizedBody":"eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWRUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8ranNvbiIsInNpZ25hdHVyZXMiOlt7ImtleWlkIjoiU0hBMjU2OmpsM2J3c3d1ODBQampva0NnaDBvMnc1YzJVNExoUUFFNTdnajljejFrekEiLCJwdWJsaWNLZXkiOiJMUzB0TFMxQ1JVZEpUaUJRVlVKTVNVTWdTMFZaTFMwdExTMEtUVVpyZDBWM1dVaExiMXBKZW1vd1EwRlJXVWxMYjFwSmVtb3dSRUZSWTBSUlowRkZNVTlzWWpONlRVRkdSbmhZUzBocFNXdFJUelZqU2pOWmFHdzFhVFpWVUhBclNXaDFkR1ZDU21KMVNHTkJOVlZ2WjB0dk1FVlhkR3hYZDFjMlMxTmhTMjlVVGtWWlREZEtiRU5SYVZadWEyaENhM1JWWjJjOVBRb3RMUzB0TFVWT1JDQlFWVUpNU1VNZ1MwVlpMUzB0TFMwPSIsInNpZyI6IlRVVlpRMGxSUTJoc2MzUnFjbVpHT0RGS2NrTlJUbVp2TlRka1pETTBVbnBUVmtkTlFqTTNXSEIwUzNScGVVazRVM2RKYUVGUWRVRnVjRGxYVEZWbVF6ZFdVR05UZDJkV01WbDFUa1pwTkV4aGRXeDRWVTFTV0dsT2JXeENWRWtyIn1dfSwiaGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6ImJkZjU2NzdkMmU5NzA3YjZjZjlmMjI5ZTNlZTQ5YzU3YTA2YTc2Njg5OTE3MTZiZWVjZDgzMTQ4MWM2ODkzNzkifSwicGF5bG9hZEhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI3M2VmYTM4MzY3MmQ5MTM5ZjI4OGNhYjUwNDFmNTRmMjViMTAxOTNmMjE3NWM1YTY5OTJlYjFjNWEyOTE2ZWJlIn19fX0="}],"timestampVerificationData":{"rfc3161Timestamps":[]}},"dsseEnvelope":{"payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInN1YmplY3QiOlt7Im5hbWUiOiJwa2c6bnBtL3NpZ3N0b3JlQDIuMy4xIiwiZGlnZXN0Ijp7InNoYTUxMiI6ImYwNmZiZjVjMzUzY2MwZGIwOTM5MDRiOWNhYzBkNTNiNDEyZDgzZGZmNmI4MGU2MDQ3ZDk3ODY3MDhhMzhlNWMzMTA1Y2FkNGU5MTNkZmMyMmRiZThjOTk5YjNmZTAyOWQ0Nzk2OWZlNzU0MDY4NDNiODE2M2RiNmZkMjJmNjgxIn19XSwicHJlZGljYXRlVHlwZSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9ucG0vYXR0ZXN0YXRpb24vdHJlZS9tYWluL3NwZWNzL3B1Ymxpc2gvdjAuMSIsInByZWRpY2F0ZSI6eyJuYW1lIjoic2lnc3RvcmUiLCJ2ZXJzaW9uIjoiMi4zLjEiLCJyZWdpc3RyeSI6Imh0dHBzOi8vcmVnaXN0cnkubnBtanMub3JnIn19","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEYCIQChlstjrfF81JrCQNfo57dd34RzSVGMB37XptKtiyI8SwIhAPuAnp9WLUfC7VPcSwgV1YuNFi4LaulxUMRXiNmlBTI+","
keyid":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA"}]}}},{"predicateType":"https://slsa.dev/provenance/v1","bundle":{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.2","verificationMaterial":{"x509CertificateChain":{"certificates":[{"rawBytes":"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"}]},"tlogEntries":[{"logIndex":"94408136","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"intoto","version":"0.0.2"},"integratedTime":"1715879523","inclusionPromise":{"signedEntryTimestamp":"MEQCIB24PdvUXcJ3P91lq3iEElpWSGEj7WQqX4E7SkOpxVaUAiBp6nOZ7kuE4RvY8U6H9WPXpsk9hUW1OphZaRIIU8bhQw=="},"inclusionProof":{"logIndex":"90244705","rootHash":"COSIc1jqxpbuuTChPdiTqtZBBve7GAVJqTYjqAaM940=","treeSize":"90244708","hashes":["IeNtiZieCO7efuaWmerFBzmfa5eQl9sE6SS+aTWG4w8=","FHYD8qvdyunMzYGhwDrZGNE0X3Y4486euLfJWyNr090=","Kbilom1zVb4oHUwvtKCL9UnBc0moHb6J8Pc72uQr7/o=","9sanCtp3c8yFZrbZk7REJZwNSYCNbhr7KVYSAJ2xpYM=","OKRI+AcHglVnOX/7ruRu/my6q4rXy7UvP+1ZaPyCBjE=","eV18+1YG77etZMZt/Is5pyU55tBdkU38nFSI8xZ4UHQ=","wtw+ScYxnHik5h+Z3CT9BHO0z3InVNliNrZ+ESZ77s4=","I6ByblwycX/FVOmItiqNfJszyhjOOlojcKfpBtTwikg=","Y8HGC24e6i45rvtDIHoGyhfneeeGabrTnPMPRgKmP2Q=","sjohk/3DQIfXTgf/5XpwtdF7yNbrf8YykOMHr1CyBYQ=","98enzMaC+x5oCMvIZQA5z8vu2apDMCFvE/935NfuPw8="],"checkpoint":{"envelope":"rekor.sigstore.dev - 2605736670972794746\n90244708\nCOSIc1jqxpbuuTChPdiTqtZBBve7GAVJqTYjqAaM940=\n\n— rekor.sigstore.dev wNI9ajBEAiAkKWVCpp/N5yF/GlQkAyKQxUsjc3Vpu04YyALJvrBsvAIgcZfXJsJdwLdgUAWwnekWg8YXS4gfz/DM1wVhhcouJBE=\n"}},"canonicalizedBody":"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"}],"timestampVerificationData":{"rfc3161Timestamps":[]}},"dsseEnvelope":{"payload":"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","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEYCIQCaKOrCU79uJGH+8mjqQfeXrLp6UxjRj0pB8ViaB+AaPwIhAKVvGy9LSYx6XpumvsviDv39Qyr9Tm1kIP/PkHgD6ZFw","keyid":""}]}}}]} \ No newline at end of file 
diff --git a/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-cli-v1-prega-invalidsigpub.tgz b/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-cli-v1-prega-invalidsigpub.tgz new file mode 100644 index 000000000..7ba678b2f Binary files /dev/null and b/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-cli-v1-prega-invalidsigpub.tgz differ diff --git a/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-cli-v1-prega-invalidsigpub.tgz.json b/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-cli-v1-prega-invalidsigpub.tgz.json new file mode 100644 index 000000000..a6980c2f7 --- /dev/null +++ b/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-cli-v1-prega-invalidsigpub.tgz.json 
@@ -0,0 +1 @@ +{"attestations":[{"predicateType":"https://github.com/npm/attestation/tree/main/specs/publish/v0.1","bundle":{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.2","verificationMaterial":{"publicKey":{"hint":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA"},"tlogEntries":[{"logIndex":"94408157","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"intoto","version":"0.0.2"},"integratedTime":"1715879526","inclusionPromise":{"signedEntryTimestamp":"MEYCIQDkjdI8FSIueIjj2gR8wCWfoI8ZE2MkowvePTj7qIWuwwIhAIb9sqganwJsjY+YqQpnoU6/zXnjSA3VQg+bWFUcS0Kl"},"inclusionProof":{"logIndex":"90244726","rootHash":"b45zjIwrqMHFQdj7eah4JmY18uZ8NuHTn5IzKFNQZfY=","treeSize":"90244728","hashes":["CBwx0crk7DmjBDAbMu09vJS9JSk6WVsUZuSu+At5qXI=","a0BFEFO7LYyqePtySj7JqyFKFGXZzT7C9xbTYaELcVo=","vSJ2uxKfUKcwQ7BFmd+oFoUe0DA1Foi//ifdbZ3ZudY=","ogORDTX4fquF71Dpr4nHFcJdN/5X3Gx+dwlUFs7Ia5c=","Kbilom1zVb4oHUwvtKCL9UnBc0moHb6J8Pc72uQr7/o=","9sanCtp3c8yFZrbZk7REJZwNSYCNbhr7KVYSAJ2xpYM=","OKRI+AcHglVnOX/7ruRu/my6q4rXy7UvP+1ZaPyCBjE=","eV18+1YG77etZMZt/Is5pyU55tBdkU38nFSI8xZ4UHQ=","wtw+ScYxnHik5h+Z3CT9BHO0z3InVNliNrZ+ESZ77s4=","I6ByblwycX/FVOmItiqNfJszyhjOOlojcKfpBtTwikg=","Y8HGC24e6i45rvtDIHoGyhfneeeGabrTnPMPRgKmP2Q=","sjohk/3DQIfXTgf/5XpwtdF7yNbrf8YykOMHr1CyBYQ=","98enzMaC+x5oCMvIZQA5z8vu2apDMCFvE/935NfuPw8="],"checkpoint":{"envelope":"rekor.sigstore.dev - 2605736670972794746\n90244728\nb45zjIwrqMHFQdj7eah4JmY18uZ8NuHTn5IzKFNQZfY=\n\n— rekor.sigstore.dev 
wNI9ajBFAiEAj2qidu/429JnvXnJZc0jLZ84MLHXOihfYSVrKR35X8oCIBYSbEMYNenZQwkLrnPSJf0THE2c3iX+RIIm5+z4zOvz\n"}},"canonicalizedBody":"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"}],"timestampVerificationData":{"rfc3161Timestamps":[]}},"dsseEnvelope":{"payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInN1YmplY3QiOlt7Im5hbWUiOiJwa2c6bnBtL3NpZ3N0b3JlQDIuMy4xIiwiZGlnZXN0Ijp7InNoYTUxMiI6ImYwNmZiZjVjMzUzY2MwZGIwOTM5MDRiOWNhYzBkNTNiNDEyZDgzZGZmNmI4MGU2MDQ3ZDk3ODY3MDhhMzhlNWMzMTA1Y2FkNGU5MTNkZmMyMmRiZThjOTk5YjNmZTAyOWQ0Nzk2OWZlNzU0MDY4NDNiODE2M2RiNmZkMjJmNjgxIn19XSwicHJlZGljYXRlVHlwZSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9ucG0vYXR0ZXN0YXRpb24vdHJlZS9tYWluL3NwZWNzL3B1Ymxpc2gvdjAuMSIsInByZWRpY2F0ZSI6eyJuYW1lIjoic2lnc3RvcmUiLCJ2ZXJzaW9uIjoiMi4zLjEiLCJyZWdpc3RyeSI6Imh0dHBzOi8vcmVnaXN0cnkubnBtanMub3JnIn19Cg==","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEYCIQChlstjrfF81JrCQNfo57dd34RzSVGMB37XptKtiyI8SwIhAPuAnp9WLUfC7VPcSwgV1YuNFi4LaulxUMRXiNmlBTI+","keyid":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA"}]}}},{"predicateType":"https://slsa.dev/provenance/v1","bundle":{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.2","verificationMaterial":{"x509CertificateChain":{"certificates":[{"rawBytes":"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"}]},"tlogEntries":[{"logIndex":"94408136","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"intoto","version":"0.0.2"},"integratedTime":"1715879523","inclusionPromise":{"signedEntryTimestamp":"MEQCIB24PdvUXcJ3P91lq3iEElpWSGEj7WQqX4E7SkOpxVaUAiBp6nOZ7kuE4RvY8U6H9WPXpsk9hUW1OphZaRIIU8bhQw=="},"inclusionProof":{"logIndex":"90244705","rootHash":"COSIc1jqxpbuuTChPdiTqtZBBve7GAVJqTYjqAaM940=","treeSize":"90244708","hashes":["IeNtiZieCO7efuaWmerFBzmfa5eQl9sE6SS+aTWG4w8=","FHYD8qvdyunMzYGhwDrZGNE0X3Y4486euLfJWyNr090=","Kbilom1zVb4oHUwvtKCL9UnBc0moHb6J8Pc72uQr7/o=","9sanCtp3c8yFZrbZk7REJZwNSYCNbhr7KVYSAJ2xpYM=","OKRI+AcHglVnOX/7ruRu/my6q4rXy7UvP+1ZaPy
CBjE=","eV18+1YG77etZMZt/Is5pyU55tBdkU38nFSI8xZ4UHQ=","wtw+ScYxnHik5h+Z3CT9BHO0z3InVNliNrZ+ESZ77s4=","I6ByblwycX/FVOmItiqNfJszyhjOOlojcKfpBtTwikg=","Y8HGC24e6i45rvtDIHoGyhfneeeGabrTnPMPRgKmP2Q=","sjohk/3DQIfXTgf/5XpwtdF7yNbrf8YykOMHr1CyBYQ=","98enzMaC+x5oCMvIZQA5z8vu2apDMCFvE/935NfuPw8="],"checkpoint":{"envelope":"rekor.sigstore.dev - 2605736670972794746\n90244708\nCOSIc1jqxpbuuTChPdiTqtZBBve7GAVJqTYjqAaM940=\n\n— rekor.sigstore.dev wNI9ajBEAiAkKWVCpp/N5yF/GlQkAyKQxUsjc3Vpu04YyALJvrBsvAIgcZfXJsJdwLdgUAWwnekWg8YXS4gfz/DM1wVhhcouJBE=\n"}},"canonicalizedBody":"eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWRUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8ranNvbiIsInNpZ25hdHVyZXMiOlt7InB1YmxpY0tleSI6IkxTMHRMUzFDUlVkSlRpQkRSVkpVU1VaSlEwRlVSUzB0TFMwdENrMUpTVWQwYWtORFFtcDFaMEYzU1VKQlowbFZVSHBQWm1jMWNsVjZOR0ZtTDNOUGEyMW1hR3h5V0hveVNscHpkME5uV1VsTGIxcEplbW93UlVGM1RYY0tUbnBGVmsxQ1RVZEJNVlZGUTJoTlRXTXliRzVqTTFKMlkyMVZkVnBIVmpKTlVqUjNTRUZaUkZaUlVVUkZlRlo2WVZka2VtUkhPWGxhVXpGd1ltNVNiQXBqYlRGc1drZHNhR1JIVlhkSWFHTk9UV3BSZDA1VVJUSk5WR040VFdwQmVWZG9ZMDVOYWxGM1RsUkZNazFVWTNsTmFrRjVWMnBCUVUxR2EzZEZkMWxJQ2t0dldrbDZhakJEUVZGWlNVdHZXa2w2YWpCRVFWRmpSRkZuUVVWeGJFOTNVMlZKY20xdGNHZzBiRzlUWWxnMWF6SnRNa2RWVVdOTGIxbDZTemxuT0VnS1RpdFZWR1FyTm5Wc1dWRmFjMjlzUW1SV1JVdHpibmxSUzJaNGFqY3JkWE5QUlRNMVlpdGtObHA1UTFoR1RHMDJjSEZQUTBKV2IzZG5aMVpYVFVFMFJ3cEJNVlZrUkhkRlFpOTNVVVZCZDBsSVowUkJWRUpuVGxaSVUxVkZSRVJCUzBKblozSkNaMFZHUWxGalJFRjZRV1JDWjA1V1NGRTBSVVpuVVZVMFpFZzFDa3M0WkVNemNGRkdjREZMZEZGMGRrMUlkVzQwUjNoamQwaDNXVVJXVWpCcVFrSm5kMFp2UVZVek9WQndlakZaYTBWYVlqVnhUbXB3UzBaWGFYaHBORmtLV2tRNGQxbDNXVVJXVWpCU1FWRklMMEpHYTNkV05GcFdZVWhTTUdOSVRUWk1lVGx1WVZoU2IyUlhTWFZaTWpsMFRETk9jRm96VGpCaU0wcHNURE5PY0FwYU0wNHdZak5LYkV4WGNIcE1lVFZ1WVZoU2IyUlhTWFprTWpsNVlUSmFjMkl6WkhwTU0wcHNZa2RXYUdNeVZYVmxWekZ6VVVoS2JGcHVUWFpoUjFab0NscElUWFppVjBad1ltcEJOVUpuYjNKQ1owVkZRVmxQTDAxQlJVSkNRM1J2WkVoU2QyTjZiM1pNTTFKMllUSldkVXh0Um1wa1IyeDJZbTVOZFZveWJEQUtZVWhXYVdSWVRteGpiVTUyWW01U2JHSnVVWFZaTWps
MFRVSkpSME5wYzBkQlVWRkNaemM0ZDBGUlNVVkNTRUl4WXpKbmQwNW5XVXRMZDFsQ1FrRkhSQXAyZWtGQ1FYZFJiMDVFV214T2VrRXhUbTFhYlU5VWEzaE5iVlpwV20xV2JFNVVTVFZQUjFFMVRrUkJlVTVFWnpWT1YwVTFXbTFXYUU1NldtcE5SRUZXQ2tKbmIzSkNaMFZGUVZsUEwwMUJSVVZDUVdSVFdsZDRiRmxZVG14TlEwbEhRMmx6UjBGUlVVSm5OemgzUVZGVlJVWklUbkJhTTA0d1lqTktiRXd6VG5BS1dqTk9NR0l6U214TVYzQjZUVUl3UjBOcGMwZEJVVkZDWnpjNGQwRlJXVVZFTTBwc1dtNU5kbUZIVm1oYVNFMTJZbGRHY0dKcVFUZENaMjl5UW1kRlJRcEJXVTh2VFVGRlNVSkRNRTFMTW1nd1pFaENlazlwT0haa1J6bHlXbGMwZFZsWFRqQmhWemwxWTNrMWJtRllVbTlrVjBveFl6SldlVmt5T1hWa1IxWjFDbVJETldwaU1qQjNXbEZaUzB0M1dVSkNRVWRFZG5wQlFrTlJVbGhFUmxadlpFaFNkMk42YjNaTU1tUndaRWRvTVZscE5XcGlNakIyWXpKc2JtTXpVbllLWTIxVmRtTXliRzVqTTFKMlkyMVZkR0Z1VFhaTWJXUndaRWRvTVZscE9UTmlNMHB5V20xNGRtUXpUWFpqYlZaeldsZEdlbHBUTlRWaVYzaEJZMjFXYlFwamVUbHZXbGRHYTJONU9YUlpWMngxVFVSblIwTnBjMGRCVVZGQ1p6YzRkMEZSYjBWTFozZHZUa1JhYkU1NlFURk9iVnB0VDFScmVFMXRWbWxhYlZac0NrNVVTVFZQUjFFMVRrUkJlVTVFWnpWT1YwVTFXbTFXYUU1NldtcE5SRUZrUW1kdmNrSm5SVVZCV1U4dlRVRkZURUpCT0UxRVYyUndaRWRvTVZscE1XOEtZak5PTUZwWFVYZE9kMWxMUzNkWlFrSkJSMFIyZWtGQ1JFRlJjRVJEWkc5a1NGSjNZM3B2ZGt3eVpIQmtSMmd4V1drMWFtSXlNSFpqTW14dVl6TlNkZ3BqYlZWMll6SnNibU16VW5aamJWVjBZVzVOZDA5QldVdExkMWxDUWtGSFJIWjZRVUpFVVZGeFJFTm5NRTV0VlROTlJGVXlXbTFaTlU5VVJYbGFWMHB0Q2xwWFZURk5hbXMwV2tSck1FMUVTVEJQUkdzeFdWUnNiVnBYUlROT2JVMTNUVUk0UjBOcGMwZEJVVkZDWnpjNGQwRlJORVZGVVhkUVkyMVdiV041T1c4S1dsZEdhMk41T1hSWlYyeDFUVUpyUjBOcGMwZEJVVkZDWnpjNGQwRlJPRVZEZDNkS1RrUnJNVTVVWXpCT1ZGVXhUVU56UjBOcGMwZEJVVkZDWnpjNGR3cEJVa0ZGU0ZGM1ltRklVakJqU0UwMlRIazVibUZZVW05a1YwbDFXVEk1ZEV3elRuQmFNMDR3WWpOS2JFMUNaMGREYVhOSFFWRlJRbWMzT0hkQlVrVkZDa05uZDBsT2VrVjNUMVJaZWs1VVRYZGFVVmxMUzNkWlFrSkJSMFIyZWtGQ1JXZFNXRVJHVm05a1NGSjNZM3B2ZGt3eVpIQmtSMmd4V1drMWFtSXlNSFlLWXpKc2JtTXpVblpqYlZWMll6SnNibU16VW5aamJWVjBZVzVOZGt4dFpIQmtSMmd4V1drNU0ySXpTbkphYlhoMlpETk5kbU50Vm5OYVYwWjZXbE0xTlFwaVYzaEJZMjFXYldONU9XOWFWMFpyWTNrNWRGbFhiSFZOUkdkSFEybHpSMEZSVVVKbk56aDNRVkpOUlV0bmQyOU9SRnBzVG5wQk1VNXRXbTFQVkd0NENrMXRWbWxhYlZac1RsUkpOVTlIVVRWT1JFRjVUa1JuTlU1WFJUVmFiVlpvVG5wYWFrMUVRVlZDWjI5
eVFtZEZSVUZaVHk5TlFVVlZRa0ZaVFVKSVFqRUtZekpuZDFkbldVdExkMWxDUWtGSFJIWjZRVUpHVVZKTlJFVndiMlJJVW5kamVtOTJUREprY0dSSGFERlphVFZxWWpJd2RtTXliRzVqTTFKMlkyMVZkZ3BqTW14dVl6TlNkbU50VlhSaGJrMTJXVmRPTUdGWE9YVmplVGw1WkZjMWVreDZhM2hOVkZrd1RVUlZNMDVxV1haWldGSXdXbGN4ZDJSSVRYWk5WRUZYQ2tKbmIzSkNaMFZGUVZsUEwwMUJSVmRDUVdkTlFtNUNNVmx0ZUhCWmVrTkNhV2RaUzB0M1dVSkNRVWhYWlZGSlJVRm5VamhDU0c5QlpVRkNNa0ZPTURrS1RVZHlSM2g0UlhsWmVHdGxTRXBzYms1M1MybFRiRFkwTTJwNWRDODBaVXRqYjBGMlMyVTJUMEZCUVVKcU5FcHFjMkZ6UVVGQlVVUkJSV04zVWxGSlp3cEtUMUV4VEM5c1NqY3hTVmxNVDJNMlZIWjRNV0pCVmtReFEya3hPVkJVYVZaU04xUnVUWGROSzB4alEwbFJSRmRuZVZGMllWRnRTU3RQYTJSdWEyaGpDa1ZGZFV0NGFuaFdlWFEyYjJ0cVMzbFROVVU1YkdoR01DOVVRVXRDWjJkeGFHdHFUMUJSVVVSQmQwNXdRVVJDYlVGcVJVRnBSM0pMU0dNM1RDczFiallLYjJocWJYZzBZV3RrUjBJdk1VaDVlVXRxYkhZemFVaEtObk55WkRORGNEWlZiWGx0YzFaT2FGaDZjVGRqV0RsQk1VVlNRVUZxUlVGeWVuVkhNbE0wTUFwU2NGVjJXV3hpTW1aTFN5dFFibmxXTm13dlJrUnRjRkY1TTB0UVlYZFZaR2gyVWtsUmVUQnBWMWc0UzJ3MFVYb3dkM0pIY2psTFVBb3RMUzB0TFVWT1JDQkRSVkpVU1VaSlEwRlVSUzB0TFMwdCIsInNpZyI6IlRVVlpRMGxSUTJGTFQzSkRWVGM1ZFVwSFNDczRiV3B4VVdabFdISk1jRFpWZUdwU2FqQndRamhXYVdGQ0swRmhVSGRKYUVGTFZuWkhlVGxNVTFsNE5saHdkVzEyYzNacFJIWXpPVkY1Y2psVWJURnJTVkF2VUd0SVowUTJXa1ozIn1dfSwiaGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6IjdiMDNhM2U0ZDhlNzg1NmJkMTgyZmVhMWZhMjVlZTkyNzhhOTNhM2QwZTVhNWFjZDAzY2ExZjA3ZWViZDJkNGQifSwicGF5bG9hZEhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiJkOTk1MjRjZjUwZjdhYjNmM2Y5NDY5ZjNjMzJmNzg0N2ZkOTI1NmUzYTZiZTgwYzEwYzk0MGQ2ZmYzNjkxZjg3In19fX0="}],"timestampVerificationData":{"rfc3161Timestamps":[]}},"dsseEnvelope":{"payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjEiLCJzdWJqZWN0IjpbeyJuYW1lIjoicGtnOm5wbS9zaWdzdG9yZUAyLjMuMSIsImRpZ2VzdCI6eyJzaGE1MTIiOiJmMDZmYmY1YzM1M2NjMGRiMDkzOTA0YjljYWMwZDUzYjQxMmQ4M2RmZjZiODBlNjA0N2Q5Nzg2NzA4YTM4ZTVjMzEwNWNhZDRlOTEzZGZjMjJkYmU4Yzk5OWIzZmUwMjlkNDc5NjlmZTc1NDA2ODQzYjgxNjNkYjZmZDIyZjY4MSJ9fV0sInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjEiLCJwcmVkaWNhdGUiOnsiYnVpbGREZWZpbml0aW9uIjp7ImJ1aWxkVHl
wZSI6Imh0dHBzOi8vc2xzYS1mcmFtZXdvcmsuZ2l0aHViLmlvL2dpdGh1Yi1hY3Rpb25zLWJ1aWxkdHlwZXMvd29ya2Zsb3cvdjEiLCJleHRlcm5hbFBhcmFtZXRlcnMiOnsid29ya2Zsb3ciOnsicmVmIjoicmVmcy9oZWFkcy9tYWluIiwicmVwb3NpdG9yeSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zaWdzdG9yZS9zaWdzdG9yZS1qcyIsInBhdGgiOiIuZ2l0aHViL3dvcmtmbG93cy9yZWxlYXNlLnltbCJ9fSwiaW50ZXJuYWxQYXJhbWV0ZXJzIjp7ImdpdGh1YiI6eyJldmVudF9uYW1lIjoicHVzaCIsInJlcG9zaXRvcnlfaWQiOiI0OTU1NzQ1NTUiLCJyZXBvc2l0b3J5X293bmVyX2lkIjoiNzEwOTYzNTMifX0sInJlc29sdmVkRGVwZW5kZW5jaWVzIjpbeyJ1cmkiOiJnaXQraHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWpzQHJlZnMvaGVhZHMvbWFpbiIsImRpZ2VzdCI6eyJnaXRDb21taXQiOiI0NmU3MDU2ZmY5OTEyZWJmZWU1Mjk4ZDk0MDI0ODk1YTlmZWE3NmMwIn19XX0sInJ1bkRldGFpbHMiOnsiYnVpbGRlciI6eyJpZCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9hY3Rpb25zL3J1bm5lci9naXRodWItaG9zdGVkIn0sIm1ldGFkYXRhIjp7Imludm9jYXRpb25JZCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zaWdzdG9yZS9zaWdzdG9yZS1qcy9hY3Rpb25zL3J1bnMvOTExNjQwNTc2Ni9hdHRlbXB0cy8xIn19fX0=","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEYCIQCaKOrCU79uJGH+8mjqQfeXrLp6UxjRj0pB8ViaB+AaPwIhAKVvGy9LSYx6XpumvsviDv39Qyr9Tm1kIP/PkHgD6ZFw","keyid":""}]}}}]} \ No newline at end of file diff --git a/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-cli-v1-prega.tgz b/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-cli-v1-prega.tgz new file mode 100644 index 000000000..7ba678b2f Binary files /dev/null and b/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-cli-v1-prega.tgz differ diff --git a/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-cli-v1-prega.tgz.json b/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-cli-v1-prega.tgz.json new file mode 100644 index 000000000..6b5e213a6 --- /dev/null +++ b/cli/slsa-verifier/testdata/npm/gha/provenance-npm-test-cli-v1-prega.tgz.json 
@@ -0,0 +1 @@ +{"attestations":[{"predicateType":"https://github.com/npm/attestation/tree/main/specs/publish/v0.1","bundle":{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.2","verificationMaterial":{"publicKey":{"hint":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA"},"tlogEntries":[{"logIndex":"94408157","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"intoto","version":"0.0.2"},"integratedTime":"1715879526","inclusionPromise":{"signedEntryTimestamp":"MEYCIQDkjdI8FSIueIjj2gR8wCWfoI8ZE2MkowvePTj7qIWuwwIhAIb9sqganwJsjY+YqQpnoU6/zXnjSA3VQg+bWFUcS0Kl"},"inclusionProof":{"logIndex":"90244726","rootHash":"b45zjIwrqMHFQdj7eah4JmY18uZ8NuHTn5IzKFNQZfY=","treeSize":"90244728","hashes":["CBwx0crk7DmjBDAbMu09vJS9JSk6WVsUZuSu+At5qXI=","a0BFEFO7LYyqePtySj7JqyFKFGXZzT7C9xbTYaELcVo=","vSJ2uxKfUKcwQ7BFmd+oFoUe0DA1Foi//ifdbZ3ZudY=","ogORDTX4fquF71Dpr4nHFcJdN/5X3Gx+dwlUFs7Ia5c=","Kbilom1zVb4oHUwvtKCL9UnBc0moHb6J8Pc72uQr7/o=","9sanCtp3c8yFZrbZk7REJZwNSYCNbhr7KVYSAJ2xpYM=","OKRI+AcHglVnOX/7ruRu/my6q4rXy7UvP+1ZaPyCBjE=","eV18+1YG77etZMZt/Is5pyU55tBdkU38nFSI8xZ4UHQ=","wtw+ScYxnHik5h+Z3CT9BHO0z3InVNliNrZ+ESZ77s4=","I6ByblwycX/FVOmItiqNfJszyhjOOlojcKfpBtTwikg=","Y8HGC24e6i45rvtDIHoGyhfneeeGabrTnPMPRgKmP2Q=","sjohk/3DQIfXTgf/5XpwtdF7yNbrf8YykOMHr1CyBYQ=","98enzMaC+x5oCMvIZQA5z8vu2apDMCFvE/935NfuPw8="],"checkpoint":{"envelope":"rekor.sigstore.dev - 2605736670972794746\n90244728\nb45zjIwrqMHFQdj7eah4JmY18uZ8NuHTn5IzKFNQZfY=\n\n— rekor.sigstore.dev 
wNI9ajBFAiEAj2qidu/429JnvXnJZc0jLZ84MLHXOihfYSVrKR35X8oCIBYSbEMYNenZQwkLrnPSJf0THE2c3iX+RIIm5+z4zOvz\n"}},"canonicalizedBody":"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"}],"timestampVerificationData":{"rfc3161Timestamps":[]}},"dsseEnvelope":{"payload":"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","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEYCIQChlstjrfF81JrCQNfo57dd34RzSVGMB37XptKtiyI8SwIhAPuAnp9WLUfC7VPcSwgV1YuNFi4LaulxUMRXiNmlBTI+","keyid":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA"}]}}},{"predicateType":"https://slsa.dev/provenance/v1","bundle":{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.2","verificationMaterial":{"x509CertificateChain":{"certificates":[{"rawBytes":"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"}]},"tlogEntries":[{"logIndex":"94408136","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"intoto","version":"0.0.2"},"integratedTime":"1715879523","inclusionPromise":{"signedEntryTimestamp":"MEQCIB24PdvUXcJ3P91lq3iEElpWSGEj7WQqX4E7SkOpxVaUAiBp6nOZ7kuE4RvY8U6H9WPXpsk9hUW1OphZaRIIU8bhQw=="},"inclusionProof":{"logIndex":"90244705","rootHash":"COSIc1jqxpbuuTChPdiTqtZBBve7GAVJqTYjqAaM940=","treeSize":"90244708","hashes":["IeNtiZieCO7efuaWmerFBzmfa5eQl9sE6SS+aTWG4w8=","FHYD8qvdyunMzYGhwDrZGNE0X3Y4486euLfJWyNr090=","Kbilom1zVb4oHUwvtKCL9UnBc0moHb6J8Pc72uQr7/o=","9sanCtp3c8yFZrbZk7REJZwNSYCNbhr7KVYSAJ2xpYM=","OKRI+AcHglVnOX/7ruRu/my6q4rXy7UvP+1ZaPyCBjE=","eV18+1YG77etZMZt/Is5pyU55tBdkU38nFSI8xZ4UHQ=","wtw+ScYxnHik5h+Z3CT9BHO0z3InVNliNrZ+ESZ77s4=","I6ByblwycX/FVOmItiqNfJszyhjOOlojcKfpBtTwikg=","Y8HGC24e6i45rvtDIHoGyhfneeeGabrTnPMPRgKmP2Q=","sjohk/3DQIfXTgf/5XpwtdF7yNbrf8YykOMHr1CyBYQ=","98enzMaC+x5oCMvIZQA5z8vu2apDMCFvE/935NfuPw8="],"checkpoint":{"envelope":"rekor.sigstore.dev - 2605736670972794746\n90244708\nCOSIc1jqxpbuuTChPdiTqtZBBve7GAVJqTYjqAaM940=\n\n— rekor.sigstore.dev 
wNI9ajBEAiAkKWVCpp/N5yF/GlQkAyKQxUsjc3Vpu04YyALJvrBsvAIgcZfXJsJdwLdgUAWwnekWg8YXS4gfz/DM1wVhhcouJBE=\n"}},"canonicalizedBody":"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"}],"timestampVerificationData":{"rfc3161Timestamps":[]}},"dsseEnvelope":{"payload":"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","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEYCIQCaKOrCU79uJGH+8mjqQfeXrLp6UxjRj0pB8ViaB+AaPwIhAKVvGy9LSYx6XpumvsviDv39Qyr9Tm1kIP/PkHgD6ZFw","keyid":""}]}}}]} \ No newline at end of file diff --git a/docs/npm.md b/docs/npm.md new file mode 100644 index 000000000..8bacc3e86 --- /dev/null +++ b/docs/npm.md 
@@ -0,0 +1,83 @@ +# NPM + +## Provenance + +### V1 + +Unwrapped and base64-decoded from the Sigstore Bundles and DSSE Envelopes, NPM V1 attestations are actually two parts: SLSA's build provenance and NPM's publish attestations. slsa-verifier will verify the envelopes and bundles around both attestations with the attestations file. + +example build attestation + +```json +$ curl -Ss $(npm view gundam-visor@1.0.1 --json | jq -r '.dist.attestations.url') | jq '.attestations[1].bundle.dsseEnvelope.payload' -r | base64 -d | jq +{ + "_type": "https://in-toto.io/Statement/v1", + "subject": [ + { + "name": "pkg:npm/gundam-visor@1.0.1", + "digest": { + "sha512": "8d9d7972f676516c75014aa074e11ae604d98f0b64ec6725a61e2838ff3dab162118fa71433fb31e1550d30bd0dec9d086ce032b94457b583900c507acf39c40" + } + } + ], + "predicateType": "https://slsa.dev/provenance/v1", + "predicate": { + "buildDefinition": { + "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1", + "externalParameters": { + "workflow": { + "ref": "refs/tags/v1.0.1", + "repository": "https://github.com/ramonpetgrave64/gundam-visor", + "path": ".github/workflows/npm-publish.yml" + } + }, + "internalParameters": { + "github": { + "event_name": "release", + "repository_id": "810002373", + "repository_owner_id": "32398091" + } + }, + "resolvedDependencies": [ + { + "uri": "git+https://github.com/ramonpetgrave64/gundam-visor@refs/tags/v1.0.1", + "digest": { + "gitCommit": "599500821344b070902a7a5666064bfdaba715df" + } + } + ] + }, + "runDetails": { + "builder": { + "id": "https://github.com/actions/runner/github-hosted" + }, + "metadata": { + "invocationId": "https://github.com/ramonpetgrave64/gundam-visor/actions/runs/9358004112/attempts/1" + } + } + } +} +``` + +exmaple publish attestation + +```json +$ curl -Ss $(npm view gundam-visor@1.0.1 --json | jq -r '.dist.attestations.url') | jq '.attestations[0].bundle.dsseEnvelope.payload' -r | base64 -d | jq +{ + "_type": 
"https://in-toto.io/Statement/v0.1", + "subject": [ + { + "name": "pkg:npm/gundam-visor@1.0.1", + "digest": { + "sha512": "8d9d7972f676516c75014aa074e11ae604d98f0b64ec6725a61e2838ff3dab162118fa71433fb31e1550d30bd0dec9d086ce032b94457b583900c507acf39c40" + } + } + ], + "predicateType": "https://github.com/npm/attestation/tree/main/specs/publish/v0.1", + "predicate": { + "name": "gundam-visor", + "version": "1.0.1", + "registry": "https://registry.npmjs.org" + } +} +``` diff --git a/verifiers/internal/gha/npm.go b/verifiers/internal/gha/npm.go index ea4c9c79b..a30289cac 100644 --- a/verifiers/internal/gha/npm.go +++ b/verifiers/internal/gha/npm.go @@ -29,6 +29,17 @@ const ( publishAttestationV01 = "https://github.com/npm/attestation/tree/main/specs/publish/" ) +var intotoStatements = map[string]bool{ + intoto.StatementInTotoV01: true, + "https://in-toto.io/Statement/v1": true, +} +var provenancePredicates = map[string]bool{ + common.ProvenanceV02Type: true, + common.ProvenanceV1Type: true, +} +var publishPredicates = map[string]bool{ + publishAttestationV01: true, +} var errrorInvalidAttestations = errors.New("invalid npm attestations") var attestationKeyAtomicValue atomic.Value @@ -95,7 +106,7 @@ func extractAttestations(attestations []attestation) (*attestation, *attestation for i := range attestations { att := attestations[i] // Provenance type verification. - if att.PredicateType == common.ProvenanceV02Type { + if _, ok := provenancePredicates[att.PredicateType]; ok { provenanceAttestation = &att } // Publish type verification. 
@@ -174,18 +185,16 @@ func (n *Npm) verifyPublishAttestationSignature() error { } func (n *Npm) verifyIntotoHeaders() error { - if err := verifyIntotoTypes(n.verifiedProvenanceAtt, - common.ProvenanceV02Type, intoto.PayloadType, false); err != nil { + if err := verifyIntotoTypes(n.verifiedProvenanceAtt, provenancePredicates, intoto.PayloadType, false); err != nil { return err } - if err := verifyIntotoTypes(n.verifiedPublishAtt, - publishAttestationV01, intoto.PayloadType, true); err != nil { + if err := verifyIntotoTypes(n.verifiedPublishAtt, publishPredicates, intoto.PayloadType, true); err != nil { return err } return nil } -func verifyIntotoTypes(att *SignedAttestation, predicateType, payloadType string, prefix bool) error { +func verifyIntotoTypes(att *SignedAttestation, predicateTypes map[string]bool, payloadType string, prefix bool) error { env := att.Envelope pyld, err := base64.StdEncoding.DecodeString(env.Payload) if err != nil { 
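Review bot: `verifyIntotoTypes` gains a set parameter and keeps the `prefix` flag, but carries no doc comment, so how the two interact is only discoverable from the body, which sits outside this hunk. Add above the signature: `// verifyIntotoTypes checks that att's DSSE envelope carries payloadType and an accepted in-toto statement type, and that its predicate type is one of predicateTypes (exact match) or, when prefix is true, starts with one of them.` The payload-type check is presumably in the unchanged lines between this hunk and the next; confirm before committing to that wording. Taking the parameter as `map[string]struct{}` would also make the set semantics explicit for the two callers in `verifyIntotoHeaders`.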
@@ -204,20 +213,30 @@ func verifyIntotoTypes(att *SignedAttestation, predicateType, payloadType string } // Statement verification. - if statement.Type != intoto.StatementInTotoV01 { - return fmt.Errorf("%w: expected statement type '%v', got '%s'", - serrors.ErrorInvalidDssePayload, intoto.StatementInTotoV01, statement.Type) + if _, exists := intotoStatements[statement.Type]; !exists { + return fmt.Errorf("%w: expected statement header type one of '%v', got '%s'", + serrors.ErrorInvalidDssePayload, intotoStatements, statement.Type) } - if !prefix && statement.PredicateType != predicateType { - return fmt.Errorf("%w: expected predicate type '%v', got '%s'", - serrors.ErrorInvalidDssePayload, predicateType, statement.PredicateType) - } - if prefix && !strings.HasPrefix(statement.PredicateType, predicateType) { - return fmt.Errorf("%w: expected predicate type '%v', got '%s'", - serrors.ErrorInvalidDssePayload, predicateType, statement.PredicateType) + if !prefix { + if _, exists := predicateTypes[statement.PredicateType]; !exists { + return fmt.Errorf("%w: expected predicate type one of '%v', got '%s'", serrors.ErrorInvalidDssePayload, predicateTypes, statement.PredicateType) + } } + if prefix { + hasPrefix := false + for k := range predicateTypes { + if strings.HasPrefix(statement.PredicateType, k) { + hasPrefix = true + break + } + } + if !hasPrefix { + return fmt.Errorf("%w: expected predicate type with prefix one of '%v', got '%s'", + serrors.ErrorInvalidDssePayload, predicateTypes, statement.PredicateType) + } + } return nil } diff --git a/verifiers/internal/gha/npm_test.go b/verifiers/internal/gha/npm_test.go index e9c3d6d4f..fcd7454f4 100644 --- a/verifiers/internal/gha/npm_test.go +++ b/verifiers/internal/gha/npm_test.go 
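Review bot: The new error messages format the `map[string]bool` sets with `%v`, which prints `map[https://…:true …]` in non-deterministic key order, so the same failure yields different text across runs and the `true` values are noise. Collecting the keys into a sorted `[]string` before formatting (and printing that slice with `%q`) gives stable, readable output; the mismatch cases in npm_test.go only compare the wrapped sentinel, so they will not notice either way. The consecutive `if !prefix { … }` and `if prefix { … }` blocks are an if/else in disguise and read more clearly as `if prefix { … } else { … }`. If the `bool` value is never consulted, a `map[string]struct{}` set with `_, ok := set[k]` is the usual idiom.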
@@ -18,6 +18,14 @@ import ( "github.com/slsa-framework/slsa-verifier/v2/verifiers/utils" ) +var mismatchProvenancePredicates = map[string]bool{ + common.ProvenanceV02Type + "a": true, + common.ProvenanceV1Type + "a": true, +} +var mismatchPublishPredicates = map[string]bool{ + publishAttestationV01 + "a": true, +} + func Test_verifyName(t *testing.T) { t.Parallel() @@ -963,17 +971,18 @@ func Test_verifyIntotoTypes(t *testing.T) { t.Parallel() tests := []struct { - name string - att *SignedAttestation - predicateType string - payloadType string - prefix bool - err error + name string + att *SignedAttestation + predicateType string + predicateTypes map[string]bool + payloadType string + prefix bool + err error }{ { - name: "prov correct", - predicateType: common.ProvenanceV02Type, - payloadType: intoto.PayloadType, + name: "prov correct v0.2", + predicateTypes: provenancePredicates, + payloadType: intoto.PayloadType, att: &SignedAttestation{ Envelope: &dsselib.Envelope{ PayloadType: "application/vnd.in-toto+json", 
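Review bot: The test table keeps the old `predicateType string` field next to the new `predicateTypes map[string]bool`, yet no case in this commit sets it and the call site in the later hunk passes only `tt.predicateTypes`, so the field is dead. Dropping `predicateType string` from the struct removes a knob that looks like it influences the function under test but does not. The struct's closing brace and the remaining cases continue outside this hunk.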
@@ -982,9 +991,20 @@ func Test_verifyIntotoTypes(t *testing.T) { }, }, { - name: "prov mismatch payload type", - predicateType: common.ProvenanceV02Type, - payloadType: intoto.PayloadType, + name: "prov correct v1", + predicateTypes: provenancePredicates, + payloadType: intoto.PayloadType, + att: &SignedAttestation{ + Envelope: &dsselib.Envelope{ + PayloadType: "application/vnd.in-toto+json", + Payload: "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjEiLCJzdWJqZWN0IjpbeyJuYW1lIjoicGtnOm5wbS9zaWdzdG9yZUAyLjMuMSIsImRpZ2VzdCI6eyJzaGE1MTIiOiJmMDZmYmY1YzM1M2NjMGRiMDkzOTA0YjljYWMwZDUzYjQxMmQ4M2RmZjZiODBlNjA0N2Q5Nzg2NzA4YTM4ZTVjMzEwNWNhZDRlOTEzZGZjMjJkYmU4Yzk5OWIzZmUwMjlkNDc5NjlmZTc1NDA2ODQzYjgxNjNkYjZmZDIyZjY4MSJ9fV0sInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjEiLCJwcmVkaWNhdGUiOnsiYnVpbGREZWZpbml0aW9uIjp7ImJ1aWxkVHlwZSI6Imh0dHBzOi8vc2xzYS1mcmFtZXdvcmsuZ2l0aHViLmlvL2dpdGh1Yi1hY3Rpb25zLWJ1aWxkdHlwZXMvd29ya2Zsb3cvdjEiLCJleHRlcm5hbFBhcmFtZXRlcnMiOnsid29ya2Zsb3ciOnsicmVmIjoicmVmcy9oZWFkcy9tYWluIiwicmVwb3NpdG9yeSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zaWdzdG9yZS9zaWdzdG9yZS1qcyIsInBhdGgiOiIuZ2l0aHViL3dvcmtmbG93cy9yZWxlYXNlLnltbCJ9fSwiaW50ZXJuYWxQYXJhbWV0ZXJzIjp7ImdpdGh1YiI6eyJldmVudF9uYW1lIjoicHVzaCIsInJlcG9zaXRvcnlfaWQiOiI0OTU1NzQ1NTUiLCJyZXBvc2l0b3J5X293bmVyX2lkIjoiNzEwOTYzNTMifX0sInJlc29sdmVkRGVwZW5kZW5jaWVzIjpbeyJ1cmkiOiJnaXQraHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWpzQHJlZnMvaGVhZHMvbWFpbiIsImRpZ2VzdCI6eyJnaXRDb21taXQiOiI0NmU3MDU2ZmY5OTEyZWJmZWU1Mjk4ZDk0MDI0ODk1YTlmZWE3NmMwIn19XX0sInJ1bkRldGFpbHMiOnsiYnVpbGRlciI6eyJpZCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9hY3Rpb25zL3J1bm5lci9naXRodWItaG9zdGVkIn0sIm1ldGFkYXRhIjp7Imludm9jYXRpb25JZCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zaWdzdG9yZS9zaWdzdG9yZS1qcy9hY3Rpb25zL3J1bnMvOTExNjQwNTc2Ni9hdHRlbXB0cy8xIn19fX0=", + }, + }, + }, + { + name: "prov mismatch payload type", + predicateTypes: provenancePredicates, + payloadType: intoto.PayloadType, att: &SignedAttestation{ Envelope: &dsselib.Envelope{ PayloadType: 
"application/vnd.in-toto+jso", @@ -994,9 +1014,9 @@ func Test_verifyIntotoTypes(t *testing.T) { err: serrors.ErrorInvalidDssePayload, }, { - name: "prov mismatch predicate type", - predicateType: common.ProvenanceV02Type + "a", - payloadType: intoto.PayloadType, + name: "prov mismatch predicate type", + predicateTypes: mismatchProvenancePredicates, + payloadType: intoto.PayloadType, att: &SignedAttestation{ Envelope: &dsselib.Envelope{ PayloadType: "application/vnd.in-toto+json", @@ -1006,10 +1026,10 @@ func Test_verifyIntotoTypes(t *testing.T) { err: serrors.ErrorInvalidDssePayload, }, { - name: "publish correct", - predicateType: publishAttestationV01, - prefix: true, - payloadType: intoto.PayloadType, + name: "publish correct", + predicateTypes: publishPredicates, + prefix: true, + payloadType: intoto.PayloadType, att: &SignedAttestation{ Envelope: &dsselib.Envelope{ PayloadType: "application/vnd.in-toto+json", @@ -1018,10 +1038,10 @@ func Test_verifyIntotoTypes(t *testing.T) { }, }, { - name: "publish mismatch payload type", - predicateType: publishAttestationV01, - prefix: true, - payloadType: intoto.PayloadType, + name: "publish mismatch payload type", + predicateTypes: publishPredicates, + prefix: true, + payloadType: intoto.PayloadType, att: &SignedAttestation{ Envelope: &dsselib.Envelope{ PayloadType: "application/vnd.in-toto+jso", @@ -1031,10 +1051,10 @@ func Test_verifyIntotoTypes(t *testing.T) { err: serrors.ErrorInvalidDssePayload, }, { - name: "publish mismatch predicate type", - predicateType: publishAttestationV01 + "a", - prefix: true, - payloadType: intoto.PayloadType, + name: "publish mismatch predicate type", + predicateTypes: mismatchPublishPredicates, + prefix: true, + payloadType: intoto.PayloadType, att: &SignedAttestation{ Envelope: &dsselib.Envelope{ PayloadType: "application/vnd.in-toto+json", 
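Review bot: The `prov correct v1` case carries an opaque base64 `Payload`, so a maintainer cannot tell from the test what it asserts without decoding it by hand. A comment on the case such as `// Payload decodes to an in-toto Statement/v1 with predicateType https://slsa.dev/provenance/v1 for pkg:npm/sigstore@2.3.1; it exercises the v1 statement and v1 predicate branches added to verifyIntotoTypes.` states what the fixture covers. The decoded prefix does show `"_type":"https://in-toto.io/Statement/v1"` and the slsa v1 predicate type, so the comment would be accurate as written.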
@@ -1049,7 +1069,7 @@ func Test_verifyIntotoTypes(t *testing.T) { t.Run(tt.name, func(t *testing.T) { t.Parallel() - err := verifyIntotoTypes(tt.att, tt.predicateType, tt.payloadType, tt.prefix) + err := verifyIntotoTypes(tt.att, tt.predicateTypes, tt.payloadType, tt.prefix) if !errCmp(err, tt.err) { t.Errorf(cmp.Diff(err, tt.err)) } diff --git a/verifiers/internal/gha/provenance_forgeable.go b/verifiers/internal/gha/provenance_forgeable.go index bd65b0e25..79043aeea 100644 --- a/verifiers/internal/gha/provenance_forgeable.go +++ b/verifiers/internal/gha/provenance_forgeable.go @@ -9,13 +9,21 @@ import ( "github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/gha/slsaprovenance/common" "github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/gha/slsaprovenance/iface" slsav02 "github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/gha/slsaprovenance/v0.2" + slsav1 "github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/gha/slsaprovenance/v1.0" ) func verifyProvenanceMatchesCertificate(prov iface.Provenance, workflow *WorkflowIdentity) error { // See the generation at https://github.com/npm/cli/blob/latest/workspaces/libnpmpublish/lib/provenance.js. // Verify systemParameters. - if err := verifySystemParameters(prov, workflow); err != nil { - return err + switch typedProv := prov.(type) { + case *slsav1.NpmCLIGithubActionsProvenance: + if err := verifyNpmCLIGithubActionsV1SystemParameters(typedProv, workflow); err != nil { + return err + } + default: + if err := verifySystemParameters(typedProv, workflow); err != nil { + return err + } } // Verify v0.2 parameters. 
@@ -125,23 +133,45 @@ func verifyMetadata(prov iface.Provenance, workflow *WorkflowIdentity) error { func verifyCommonMetadata(prov iface.Provenance, workflow *WorkflowIdentity) error { // Verify build invocation ID. - invocationID, err := prov.GetBuildInvocationID() + provInvocationID, err := prov.GetBuildInvocationID() if err != nil { return err } - runID, runAttempt, err := getRunIDs(workflow) - if err != nil { - return err - } + if provInvocationID != "" { + // Verify runID and runAttempt. + var provRunID string + var provRunAttempt string + switch prov.(type) { + case *slsav1.NpmCLIGithubActionsProvenance: + provenanceInvocationIDParts := strings.Split(strings.TrimPrefix(provInvocationID, "https://github.com/"), "/") + lenParts := len(provenanceInvocationIDParts) + if lenParts != 7 { + return fmt.Errorf("%w: invalid invocation ID: %v", serrors.ErrorInvalidFormat, provInvocationID) + } + provRunID = provenanceInvocationIDParts[lenParts-3] + provRunAttempt = provenanceInvocationIDParts[lenParts-1] + default: + provenanceInvocationIDParts := strings.Split(provInvocationID, "-") + if len(provenanceInvocationIDParts) != 2 { + return fmt.Errorf("%w: invalid invocation ID: %v", serrors.ErrorInvalidFormat, provInvocationID) + } + provRunID = provenanceInvocationIDParts[0] + provRunAttempt = provenanceInvocationIDParts[1] + } + + certRunID, certRunAttempt, err := getRunIDs(workflow) + if err != nil { + return err + } - // Only verify a non-empty buildID claim. 
- if invocationID != "" { - expectedID := fmt.Sprintf("%v-%v", runID, runAttempt) - if invocationID != expectedID { - return fmt.Errorf("%w: invocation ID: '%v' != '%v'", - serrors.ErrorMismatchCertificate, invocationID, - expectedID) + if provRunID != certRunID { + return fmt.Errorf("%w: run ID: '%v' != '%v'", + serrors.ErrorMismatchCertificate, provRunID, certRunID) + } + if provRunAttempt != certRunAttempt { + return fmt.Errorf("%w: run ID: '%v' != '%v'", + serrors.ErrorMismatchCertificate, provRunAttempt, certRunAttempt) } } @@ -245,6 +275,34 @@ func verifyV02BuildConfig(prov iface.Provenance) error { return nil } +func verifyNpmCLIGithubActionsV1SystemParameters(prov *slsav1.NpmCLIGithubActionsProvenance, workflow *WorkflowIdentity) error { + sysParams, err := prov.GetSystemParameters() + if err != nil { + return err + } + githubParams, ok := sysParams["github"].(map[string]interface{}) + if !ok { + return fmt.Errorf("%w: %s", serrors.ErrorInvalidFormat, "github parameters") + } + // Verify that the parameters contain only fields we are able to verify + // and that the values match the certificate. + supportedNames := map[string]*string{ + "event_name": &workflow.BuildTrigger, + "repository_id": workflow.SourceID, + "repository_owner_id": workflow.SourceOwnerID, + } + for k := range githubParams { + certValue, ok := supportedNames[k] + if !ok { + return fmt.Errorf("%w: unknown '%s' parameter", serrors.ErrorMismatchCertificate, k) + } + if err := verifySystemParameter(githubParams, k, certValue); err != nil { + return err + } + } + return nil +} + func verifySystemParameters(prov iface.Provenance, workflow *WorkflowIdentity) error { /* "environment": { diff --git a/verifiers/internal/gha/slsaprovenance/common/buildtypes.go b/verifiers/internal/gha/slsaprovenance/common/buildtypes.go index 5efa39e9e..1d8f59477 100644 --- a/verifiers/internal/gha/slsaprovenance/common/buildtypes.go +++ b/verifiers/internal/gha/slsaprovenance/common/buildtypes.go 
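Review bot: The npm-CLI branch validates the invocation ID only by segment count, so any seven-segment string is accepted, with or without the `https://github.com/` prefix that `TrimPrefix` silently tolerates, and its 5th and 7th segments are taken as run ID and attempt. Checking that the prefix was present and that the literal `actions`/`runs`/`attempts` segments sit where the expected `https://github.com/<owner>/<repo>/actions/runs/<id>/attempts/<n>` layout puts them rejects malformed IDs at the format check rather than at the later equality comparison. The second mismatch error is a copy-paste slip that reports `run ID` for the attempt and should read `"%w: run attempt: '%v' != '%v'"`. The `<owner>/<repo>` segments are not compared against the certificate here; if the workflow identity exposes the repository, that is a cheap extra binding, but verifyCommonMetadata continues outside the hunk and may already do so elsewhere.
```go
		case *slsav1.NpmCLIGithubActionsProvenance:
			// Expected: https://github.com/<owner>/<repo>/actions/runs/<runID>/attempts/<attempt>
			const ghPrefix = "https://github.com/"
			if !strings.HasPrefix(provInvocationID, ghPrefix) {
				return fmt.Errorf("%w: invalid invocation ID: %v", serrors.ErrorInvalidFormat, provInvocationID)
			}
			parts := strings.Split(strings.TrimPrefix(provInvocationID, ghPrefix), "/")
			if len(parts) != 7 || parts[2] != "actions" || parts[3] != "runs" || parts[5] != "attempts" {
				return fmt.Errorf("%w: invalid invocation ID: %v", serrors.ErrorInvalidFormat, provInvocationID)
			}
			provRunID = parts[4]
			provRunAttempt = parts[6]
		// … unchanged: default branch, getRunIDs, run ID comparison …
		if provRunAttempt != certRunAttempt {
			return fmt.Errorf("%w: run attempt: '%v' != '%v'",
				serrors.ErrorMismatchCertificate, provRunAttempt, certRunAttempt)
		}
```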
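Review bot: `verifyNpmCLIGithubActionsV1SystemParameters` rejects unknown keys in the `github` block but never requires any of the three supported keys to be present, so an empty `github` map passes; if `repository_id` and `repository_owner_id` are meant to bind the provenance to the certificate, the function should also fail when they are absent (the v0.2 path in verifySystemParameters, below the hunk, may set the precedent either way). `supportedNames` maps those two keys to `workflow.SourceID` and `workflow.SourceOwnerID` directly, which look like `*string` fields that may be nil when the certificate lacks the claim; how `verifySystemParameter` treats a nil expectation is outside the hunk and worth confirming. The function also lacks a doc comment; `// verifyNpmCLIGithubActionsV1SystemParameters checks the github block returned by GetSystemParameters against the certificate: every key must be known and its value must match the corresponding WorkflowIdentity field.` would do.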
@@ -21,6 +21,9 @@ var ( // NpmCLIBuildTypeV2 is the buildType for provenance generated by the npm cli. NpmCLIBuildTypeV2 = "https://github.com/npm/cli/gha/v2" + + // NpmCLIGithubActionsBuildTypeV1 is the buildType for provenance by the npm cli from GitHub Actions. + NpmCLIGithubActionsBuildTypeV1 = "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1" ) // Legacy buildTypes. diff --git a/verifiers/internal/gha/slsaprovenance/v1.0/base.go b/verifiers/internal/gha/slsaprovenance/v1.0/base.go index 81f0e493c..74774e8fe 100644 --- a/verifiers/internal/gha/slsaprovenance/v1.0/base.go +++ b/verifiers/internal/gha/slsaprovenance/v1.0/base.go @@ -135,9 +135,9 @@ func (p *provenanceV1) GetWorkflowInputs() (map[string]interface{}, error) { // GetBuildTriggerPath implements Provenance.GetBuildTriggerPath. func (p *provenanceV1) GetBuildTriggerPath() (string, error) { // TODO(#566): verify the ref and repo as well. - sysParams, ok := p.prov.Predicate.BuildDefinition.ExternalParameters.(map[string]interface{}) - if !ok { - return "", fmt.Errorf("%w: %s", serrors.ErrorInvalidDssePayload, "system parameters type") + sysParams, err := p.getExternalParameters() + if err != nil { + return "", err } w, ok := sysParams["workflow"] 
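Review bot: The doc comment describes `NpmCLIGithubActionsBuildTypeV1` as the buildType for provenance "by the npm cli", but its value is the generic `https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1` buildType, which is not npm-specific; in this commit it is scoped to npm only because buildTypeMap keys it under `common.NpmCLIHostedBuilderID`. Saying so prevents a future reader from assuming the buildType alone identifies npm CLI provenance, e.g. `// NpmCLIGithubActionsBuildTypeV1 is the generic GitHub Actions workflow/v1 buildType; it is accepted for the npm CLI only in combination with NpmCLIHostedBuilderID (see buildTypeMap).`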
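Review bot: The local is still named `sysParams` although it now holds the result of `getExternalParameters()`, which is the opposite side of the SLSA v1 split between external and internal (system) parameters; renaming it `externalParams` on the two changed lines and in the `sysParams["workflow"]` lookup keeps that distinction visible at a glance. The rest of GetBuildTriggerPath continues in the next hunk.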
@@ -145,12 +145,19 @@ func (p *provenanceV1) GetBuildTriggerPath() (string, error) { return "", fmt.Errorf("%w: %s", serrors.ErrorInvalidDssePayload, "workflow parameters type") } - wMap, ok := w.(map[string]string) - if !ok { + var v string + // In a previous implementation, `w` was asserted to be a `map[string]string`. + // `w` may originally have been meant to be a `map[string]interface{}`, but there is not enough test coverage to be sure. + // See https://github.com/slsa-framework/slsa-verifier/pull/641/files#diff-8a6f19cc5906bcab1f16457810caf0806567ad7db6cb125d1b41a971ab525c39L78. + switch wMap := w.(type) { + case map[string]interface{}: + v, ok = wMap["path"].(string) + case map[string]string: + v, ok = wMap["path"] + default: return "", fmt.Errorf("%w: %s", serrors.ErrorInvalidDssePayload, "workflow not a map") } - v, ok := wMap["path"] if !ok { return "", fmt.Errorf("%w: %s", serrors.ErrorInvalidDssePayload, "no path entry on workflow") } @@ -186,3 +193,12 @@ func (p *provenanceV1) GetSystemParameters() (map[string]any, error) { return sysParams, nil } + +// getExternalParameters() implements Provenance.getExternalParameters. +func (p *provenanceV1) getExternalParameters() (map[string]interface{}, error) { + externalParams, ok := p.prov.Predicate.BuildDefinition.ExternalParameters.(map[string]interface{}) + if !ok { + return nil, fmt.Errorf("%w: %s", serrors.ErrorInvalidDssePayload, "external parameters type") + } + return externalParams, nil +} diff --git a/verifiers/internal/gha/slsaprovenance/v1.0/base_test.go b/verifiers/internal/gha/slsaprovenance/v1.0/base_test.go new file mode 100644 index 000000000..bab1eb4d1 --- /dev/null +++ b/verifiers/internal/gha/slsaprovenance/v1.0/base_test.go 
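Review bot: The comment `// getExternalParameters() implements Provenance.getExternalParameters.` is inaccurate: the method is unexported, so it cannot satisfy a method of the `iface.Provenance` interface declared in another package, and no such interface method is shown anywhere in the diff. Describe what it does instead: `// getExternalParameters returns the predicate's buildDefinition.externalParameters as a map, or ErrorInvalidDssePayload when the field is not a JSON object.` In the preceding hunk, the multi-line comment on the `map[string]string` fallback is useful history but would read better as a one-line TODO pointing at the PR, with the `ok` reuse from the earlier `w, ok :=` lookup noted explicitly since it now spans both switch arms.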
@@ -0,0 +1,214 @@ +package v1 + +import ( + "testing" + + "github.com/google/go-cmp/cmp" + "github.com/google/go-cmp/cmp/cmpopts" + slsa1 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v1" + serrors "github.com/slsa-framework/slsa-verifier/v2/errors" + "github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/gha/slsaprovenance/iface" +) + +type testProvenance struct { + *provenanceV1 +} + +var testPath = "./path/to/workflow.yml" + +func Test_GetExternalParams(t *testing.T) { + t.Parallel() + + testCases := []struct { + name string + prov testProvenance + expectedParams map[string]interface{} + expectedError error + }{ + { + name: "empty build definition", + prov: testProvenance{ + provenanceV1: &provenanceV1{ + prov: &Attestation{ + Predicate: slsa1.ProvenancePredicate{ + BuildDefinition: slsa1.ProvenanceBuildDefinition{}, + }, + }, + }, + }, + expectedParams: nil, + expectedError: serrors.ErrorInvalidDssePayload, + }, + { + name: "success: empty external parameters", + prov: testProvenance{ + provenanceV1: &provenanceV1{ + prov: &Attestation{ + Predicate: slsa1.ProvenancePredicate{ + BuildDefinition: slsa1.ProvenanceBuildDefinition{ + ExternalParameters: map[string]interface{}{}, + }, + }, + }, + }, + }, + expectedParams: make(map[string]interface{}), + expectedError: nil, + }, + { + name: "success: non-empty external parameters", + prov: testProvenance{ + provenanceV1: &provenanceV1{ + prov: &Attestation{ + Predicate: slsa1.ProvenancePredicate{ + BuildDefinition: slsa1.ProvenanceBuildDefinition{ + ExternalParameters: map[string]interface{}{ + "key": "value", + }, + }, + }, + }, + }, + }, + expectedParams: map[string]interface{}{ + "key": "value", + }, + expectedError: nil, + }, + } + for i := range testCases { + tt := testCases[i] + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + + params, err := tt.prov.getExternalParameters() + if diff := cmp.Diff(tt.expectedError, err, cmpopts.EquateErrors()); diff != "" { + t.Fatalf("unexpected error: 
%v", err) + } + if diff := cmp.Diff(params, tt.expectedParams); diff != "" { + t.Fatalf("unexpected trigger URI: %s", diff) + } + }) + } +} + +func Test_GetBuildTriggerPath(t *testing.T) { + t.Parallel() + testCases := []struct { + name string + prov iface.Provenance + expectedPath string + expectedError error + }{ + { + name: "missing workflow", + prov: testProvenance{ + provenanceV1: &provenanceV1{ + prov: &Attestation{ + Predicate: slsa1.ProvenancePredicate{ + BuildDefinition: slsa1.ProvenanceBuildDefinition{ + ExternalParameters: map[string]interface{}{ + "other": map[string]interface{}{}, + }, + }, + }, + }, + }, + }, + expectedPath: "", + expectedError: serrors.ErrorInvalidDssePayload, + }, + { + name: "workflow as map[string]interface{} missing path", + prov: testProvenance{ + provenanceV1: &provenanceV1{ + prov: &Attestation{ + Predicate: slsa1.ProvenancePredicate{ + BuildDefinition: slsa1.ProvenanceBuildDefinition{ + ExternalParameters: map[string]interface{}{ + "workflow": map[string]interface{}{ + "key": "value", + }, + }, + }, + }, + }, + }, + }, + expectedPath: "", + expectedError: serrors.ErrorInvalidDssePayload, + }, + { + name: "workflow as map[string]string missing path", + prov: testProvenance{ + provenanceV1: &provenanceV1{ + prov: &Attestation{ + Predicate: slsa1.ProvenancePredicate{ + BuildDefinition: slsa1.ProvenanceBuildDefinition{ + ExternalParameters: map[string]interface{}{ + "workflow": map[string]string{ + "key": "value", + }, + }, + }, + }, + }, + }, + }, + expectedPath: "", + expectedError: serrors.ErrorInvalidDssePayload, + }, + { + name: "success: workflow as map[string]string", + prov: testProvenance{ + provenanceV1: &provenanceV1{ + prov: &Attestation{ + Predicate: slsa1.ProvenancePredicate{ + BuildDefinition: slsa1.ProvenanceBuildDefinition{ + ExternalParameters: map[string]interface{}{ + "workflow": map[string]string{ + "path": testPath, + }, + }, + }, + }, + }, + }, + }, + expectedPath: testPath, + }, + { + name: "success: 
workflow as map[string]interface{}", + prov: testProvenance{ + provenanceV1: &provenanceV1{ + prov: &Attestation{ + Predicate: slsa1.ProvenancePredicate{ + BuildDefinition: slsa1.ProvenanceBuildDefinition{ + ExternalParameters: map[string]interface{}{ + "workflow": map[string]interface{}{ + "path": testPath, + }, + }, + }, + }, + }, + }, + }, + expectedPath: testPath, + }, + } + for i := range testCases { + tt := testCases[i] + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + + triggerPath, err := tt.prov.GetBuildTriggerPath() + if diff := cmp.Diff(tt.expectedError, err, cmpopts.EquateErrors()); diff != "" { + t.Fatalf("unexpected error: %v", err) + } + if got, want := triggerPath, tt.expectedPath; got != want { + t.Fatalf("unexpected trigger URI, got: %q, want: %q", got, want) + } + }) + } +} diff --git a/verifiers/internal/gha/slsaprovenance/v1.0/npmcli_github_actions.go b/verifiers/internal/gha/slsaprovenance/v1.0/npmcli_github_actions.go new file mode 100644 index 000000000..643ed2178 --- /dev/null +++ b/verifiers/internal/gha/slsaprovenance/v1.0/npmcli_github_actions.go 
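Review bot: In Test_GetExternalParams the failure message `t.Fatalf("unexpected trigger URI: %s", diff)` is copied from the trigger-path test and mislabels what was compared; `t.Fatalf("unexpected external parameters (-got +want): %s", diff)` matches the `cmp.Diff(params, tt.expectedParams)` argument order. Both tests compute an error `diff` with `cmpopts.EquateErrors()` and then print only `err`, dropping the expected value from the output, so printing `diff` there too makes failures self-explanatory. The `testProvenance` wrapper adds nothing over `*provenanceV1` in these cases; if it is meant as a seam for future overrides, a one-line comment saying so would stop readers from wondering.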
@@ -0,0 +1,34 @@ +package v1 + +import ( + "fmt" + + serrors "github.com/slsa-framework/slsa-verifier/v2/errors" +) + +// NpmCLIGithubActionsBuildType is the build type for the npm-cli GitHub Actions builder. +type NpmCLIGithubActionsProvenance struct { + *provenanceV1 +} + +// TriggerURI implements Provenance.TriggerURI. +func (p *NpmCLIGithubActionsProvenance) TriggerURI() (string, error) { + externalParams, err := p.getExternalParameters() + if err != nil { + return "", err + } + workflow, ok := externalParams["workflow"].(map[string]interface{}) + if !ok { + return "", fmt.Errorf("%w: %s", serrors.ErrorInvalidFormat, "workflow parameters") + } + repository, ok := workflow["repository"].(string) + if !ok { + return "", fmt.Errorf("%w: %s", serrors.ErrorInvalidFormat, "workflow parameters: repository") + } + ref, ok := workflow["ref"].(string) + if !ok { + return "", fmt.Errorf("%w: %s", serrors.ErrorInvalidFormat, "workflow parameters: ref") + } + uri := fmt.Sprintf("git+%s@%s", repository, ref) + return uri, nil +} diff --git a/verifiers/internal/gha/slsaprovenance/v1.0/npmcli_github_actions_test.go b/verifiers/internal/gha/slsaprovenance/v1.0/npmcli_github_actions_test.go new file mode 100644 index 000000000..ae0a3c900 --- /dev/null +++ b/verifiers/internal/gha/slsaprovenance/v1.0/npmcli_github_actions_test.go 
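Review bot: The doc comment `// NpmCLIGithubActionsBuildType is the build type for the npm-cli GitHub Actions builder.` names a different identifier and describes a build type, but the declaration is the `NpmCLIGithubActionsProvenance` struct; Go doc tooling expects the comment to start with the declared name, e.g. `// NpmCLIGithubActionsProvenance is a SLSA v1 provenance produced by the npm CLI on GitHub Actions (common.NpmCLIGithubActionsBuildTypeV1); it overrides TriggerURI to derive the source URI from externalParameters.workflow.` TriggerURI builds `git+<repository>@<ref>` from two attestation-controlled strings without checking their shape, which is fine only as long as every caller compares the result against the certificate-derived source; that comparison lives outside this file and is worth confirming.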
@@ -0,0 +1,138 @@ +package v1 + +import ( + "testing" + + "github.com/google/go-cmp/cmp" + "github.com/google/go-cmp/cmp/cmpopts" + slsa1 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v1" + serrors "github.com/slsa-framework/slsa-verifier/v2/errors" +) + +var ( + testProvRepository = "https://github.com/sigstore/sigstore-js" + testProvRef = "refs/heads/main" + testProvTriggerURI = "git+https://github.com/sigstore/sigstore-js@refs/heads/main" +) + +func Test_NpmCLIGithubActionsProvenance_TriggerURI(t *testing.T) { + t.Parallel() + + testCases := []struct { + name string + prov NpmCLIGithubActionsProvenance + triggerURI string + err error + }{ + { + name: "empty external parameters", + prov: NpmCLIGithubActionsProvenance{ + provenanceV1: &provenanceV1{ + prov: &Attestation{ + Predicate: slsa1.ProvenancePredicate{ + BuildDefinition: slsa1.ProvenanceBuildDefinition{ + ExternalParameters: map[string]interface{}{}, + }, + }, + }, + }, + }, + triggerURI: "", + err: serrors.ErrorInvalidFormat, + }, + { + name: "empty workflow parameters", + prov: NpmCLIGithubActionsProvenance{ + provenanceV1: &provenanceV1{ + prov: &Attestation{ + Predicate: slsa1.ProvenancePredicate{ + BuildDefinition: slsa1.ProvenanceBuildDefinition{ + ExternalParameters: map[string]interface{}{ + "workflow": map[string]interface{}{}, + }, + }, + }, + }, + }, + }, + triggerURI: "", + err: serrors.ErrorInvalidFormat, + }, + { + name: "missing repository parameter", + prov: NpmCLIGithubActionsProvenance{ + provenanceV1: &provenanceV1{ + prov: &Attestation{ + Predicate: slsa1.ProvenancePredicate{ + BuildDefinition: slsa1.ProvenanceBuildDefinition{ + ExternalParameters: map[string]interface{}{ + "workflow": map[string]interface{}{ + "ref": testProvRef, + }, + }, + }, + }, + }, + }, + }, + triggerURI: "", + err: serrors.ErrorInvalidFormat, + }, + { + name: "missing ref parameter", + prov: NpmCLIGithubActionsProvenance{ + provenanceV1: &provenanceV1{ + prov: &Attestation{ + Predicate: 
slsa1.ProvenancePredicate{ + BuildDefinition: slsa1.ProvenanceBuildDefinition{ + ExternalParameters: map[string]interface{}{ + "workflow": map[string]interface{}{ + "repository": testProvRef, + }, + }, + }, + }, + }, + }, + }, + triggerURI: "", + err: serrors.ErrorInvalidFormat, + }, + { + name: "success", + prov: NpmCLIGithubActionsProvenance{ + provenanceV1: &provenanceV1{ + prov: &Attestation{ + Predicate: slsa1.ProvenancePredicate{ + BuildDefinition: slsa1.ProvenanceBuildDefinition{ + ExternalParameters: map[string]interface{}{ + "workflow": map[string]interface{}{ + "repository": testProvRepository, + "ref": testProvRef, + }, + }, + }, + }, + }, + }, + }, + triggerURI: testProvTriggerURI, + err: nil, + }, + } + + for i := range testCases { + tt := testCases[i] + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + + triggerURI, err := tt.prov.TriggerURI() + if diff := cmp.Diff(tt.err, err, cmpopts.EquateErrors()); diff != "" { + t.Fatalf("unexpected error: %v", err) + } + if got, want := triggerURI, tt.triggerURI; got != want { + t.Fatalf("unexpected trigger URI, got: %q, want: %q", got, want) + } + }) + } +} diff --git a/verifiers/internal/gha/slsaprovenance/v1.0/provenance.go b/verifiers/internal/gha/slsaprovenance/v1.0/provenance.go index 6f44d9b9c..089eef4f1 100644 --- a/verifiers/internal/gha/slsaprovenance/v1.0/provenance.go +++ b/verifiers/internal/gha/slsaprovenance/v1.0/provenance.go 
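Review bot: The `missing ref parameter` case sets `"repository": testProvRef`, reusing the ref constant as the repository value; the case still exercises the missing-`ref` branch, but `"repository": testProvRepository` reads as intended and keeps the fixture realistic should the implementation ever validate the repository value. Otherwise the table covers each error path of TriggerURI once, which is sufficient for the current body.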
@@ -42,11 +42,20 @@ func newContainerBased(a *Attestation) iface.Provenance { } } +func newNpmCLIGithubActions(a *Attestation) iface.Provenance { + return &NpmCLIGithubActionsProvenance{ + provenanceV1: &provenanceV1{ + prov: a, + }, + } +} + // buildTypeMap is a map of builder IDs to supported buildTypes. var buildTypeMap = map[string]map[string]provFunc{ common.GenericDelegatorBuilderID: {common.BYOBBuildTypeV0: newBYOB}, common.GenericLowPermsDelegatorBuilderID: {common.BYOBBuildTypeV0: newBYOB}, common.ContainerBasedBuilderID: {common.ContainerBasedBuildTypeV01Draft: newContainerBased}, + common.NpmCLIHostedBuilderID: {common.NpmCLIGithubActionsBuildTypeV1: newNpmCLIGithubActions}, } // New returns a new Provenance object based on the payload.