It seems that there is an error reading the TUF key when verifying signatures. This is occurring in v1.3.1 at least and is breaking the slsa-github-generator workflows at their latest version of v1.2.1 as well.

FAILED: SLSA verification failed: could not find a matching valid signature entry: got unexpected errors updating local metadata and targets: error updating to TUF remote mirror: tuf: invalid key

Not sure if this is a backwards incompatibility issue after a Rekor server upgrade or whether the TUF keys are just broken, but I assume it's the former?

/cc @asraa

Related slsa-framework/slsa-github-generator#1163