diff --git a/pkg/cmd/attestation/verification/tuf.go b/pkg/cmd/attestation/verification/tuf.go
index ad4b43670..b87f466e8 100644
--- a/pkg/cmd/attestation/verification/tuf.go
+++ b/pkg/cmd/attestation/verification/tuf.go
@@ -3,7 +3,9 @@ package verification
 import (
 _ "embed"
 "os"
+ "path/filepath"
+ "github.com/cli/go-gh/v2/pkg/config"
 "github.com/sigstore/sigstore-go/pkg/tuf"
 )
@@ -23,6 +25,9 @@ func DefaultOptionsWithCacheSetting() *tuf.Options {
 opts.DisableLocalCache = true
 }
+ // Set the cache path to a directory owned by the CLI
+ opts.CachePath = filepath.Join(config.CacheDir(), ".sigstore", "root")
+
 return opts
 }
diff --git a/pkg/cmd/attestation/verification/tuf_test.go b/pkg/cmd/attestation/verification/tuf_test.go
index 348f9b222..7d816bf82 100644
--- a/pkg/cmd/attestation/verification/tuf_test.go
+++ b/pkg/cmd/attestation/verification/tuf_test.go
@@ -2,8 +2,10 @@ package verification
 import (
 "os"
+ "path/filepath"
 "testing"
+ "github.com/cli/go-gh/v2/pkg/config"
 "github.com/stretchr/testify/require"
 )
@@ -14,4 +16,5 @@ func TestGitHubTUFOptions(t *testing.T) {
 require.Equal(t, GitHubTUFMirror, opts.RepositoryBaseURL)
 require.NotNil(t, opts.Root)
 require.True(t, opts.DisableLocalCache)
+ require.Equal(t, filepath.Join(config.CacheDir(), ".sigstore", "root"), opts.CachePath)
 }
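Review bot: The new `opts.CachePath` assignment puts the TUF metadata cache, which holds the Sigstore trust root, under whatever `config.CacheDir()` resolves to, and nothing here checks that the result is a per-user location. If `CacheDir()` can fall back to a shared temporary directory when no home or XDG path is available (worth confirming in go-gh), that metadata would sit where other local accounts can reach it. The assignment also runs when `DisableLocalCache` is true, which looks harmless but is not explained. I would expand the comment to state the assumption, for example `// TUF cache stores trust-root metadata: keep it in a per-user directory owned by the CLI, not shared with other Sigstore tools`, and consider making sure the directory is created with owner-only permissions. The body of DefaultOptionsWithCacheSetting starts outside this hunk.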
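Review bot: The added `require.Equal` in TestGitHubTUFOptions builds its expected value with the same `filepath.Join(config.CacheDir(), ".sigstore", "root")` expression as the implementation, so it only confirms that the two agree, and its outcome depends on the ambient environment of the machine running the test. Pinning the cache location first, e.g. `t.Setenv("XDG_CACHE_HOME", t.TempDir())`, and asserting that `opts.CachePath` lies under that directory would make the test check a known path. TestGitHubTUFOptions starts outside this hunk, so any environment setup already done there is not visible.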