diff --git a/.github/workflows/deployment.yml b/.github/workflows/deployment.yml
index a8356272e..851de9cb3 100644
--- a/.github/workflows/deployment.yml
+++ b/.github/workflows/deployment.yml
@@ -203,10 +203,8 @@ jobs:
 platform="x64"
 ;;
 *_arm64 )
- echo "skipping building MSI for arm64 because WiX 3.11 doesn't support it: https://github.com/wixtoolset/issues/issues/6141" >&2
- continue
- #source_dir="$PWD/dist/windows_windows_arm64"
- #platform="arm64"
+ source_dir="$PWD/dist/windows_windows_arm64"
+ platform="arm64"
 ;;
 * )
 printf "unsupported architecture: %s\n" "$MSI_NAME" >&2
@@ -299,7 +297,7 @@ jobs:
 rpmsign --addsign dist/*.rpm
 - name: Attest release artifacts
 if: inputs.environment == 'production'
- uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
+ uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # v2.2.0
 with:
 subject-path: "dist/gh_*"
 - name: Run createrepo
diff --git a/test/integration/attestation-cmd/verify/verify-with-custom-trusted-root.sh b/test/integration/attestation-cmd/verify/verify-with-custom-trusted-root.sh
new file mode 100755
index 000000000..89a3a4556
--- /dev/null
+++ b/test/integration/attestation-cmd/verify/verify-with-custom-trusted-root.sh
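Review bot: The `*_arm64 )` branch in .github/workflows/deployment.yml now builds an arm64 MSI, but nothing in this hunk shows the WiX toolchain moving past 3.11, which the removed message named as the blocker. If the upgrade lives elsewhere in the workflow, record the requirement next to the branch, for example `# arm64 MSI needs a WiX release newer than 3.11, see wixtoolset/issues#6141`. It is also worth confirming that the new arm64 MSI goes through the same signing step as the x64 one and, depending on its file name, is matched by the `dist/gh_*` attestation subject path further down. The enclosing case statement starts and ends outside the hunk.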
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Get the root directory of the repository
+rootDir="$(git rev-parse --show-toplevel)"
+
+ghBuildPath="$rootDir/bin/gh"
+
+artifactPath="$rootDir/pkg/cmd/attestation/test/data/sigstore-js-2.1.0.tgz"
+bundlePath="$rootDir/pkg/cmd/attestation/test/data/sigstore-js-2.1.0_with_2_bundles.jsonl"
+
+# Download a custom trusted root for verification
+if ! $ghBuildPath attestation trusted-root > trusted_root.jsonl; then
+ # cleanup test data
+ echo "Failed to download trusted root"
+ exit 1
+fi
+
+if ! $ghBuildPath attestation verify "$artifactPath" -b "$bundlePath" --digest-alg=sha512 --owner=sigstore --custom-trusted-root trusted_root.jsonl; then
+ echo "Failed to verify package with a Sigstore v0.2.0 bundle"
+ exit 1
+fi
diff --git a/test/integration/attestation-cmd/verify/verify-with-internal-github-sigstore.sh b/test/integration/attestation-cmd/verify/verify-with-internal-github-sigstore.sh
new file mode 100644
index 000000000..647a13a4c
--- /dev/null
+++ b/test/integration/attestation-cmd/verify/verify-with-internal-github-sigstore.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Get the root directory of the repository
+rootDir="$(git rev-parse --show-toplevel)"
+
+ghBuildPath="$rootDir/bin/gh"
+
+ghCLIArtifact="$rootDir/pkg/cmd/attestation/test/data/gh_2.60.1_windows_arm64.zip"
+
+# Verify the gh CLI artifact
+echo "Testing with package $ghCLIArtifact"
+if ! $ghBuildPath attestation verify "$ghCLIArtifact" --digest-alg=sha256 --owner=cli; then
+ echo "Failed to verify"
+ exit 1
+fi
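Review bot: In verify-with-custom-trusted-root.sh, `trusted_root.jsonl` is written to whatever directory the test runs from and is never removed; the `# cleanup test data` comment in the failure branch has no cleanup behind it. Because that file is the trust anchor for the verify call, a per-run temp file is cleaner than a fixed relative path: `trustedRoot="$(mktemp)"` followed by `trap 'rm -f "$trustedRoot"' EXIT`, then pass `"$trustedRoot"` to both commands. `$ghBuildPath` is also expanded unquoted in both `if` lines here and in verify-with-internal-github-sigstore.sh, so a checkout path containing spaces breaks the call; write `"$ghBuildPath"`. The failure message names a Sigstore v0.2.0 bundle but not the custom trusted root, which looks carried over from another test.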
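Review bot: verify-with-internal-github-sigstore.sh is added with mode 100644 while verify-with-custom-trusted-root.sh in the same commit is 100755, so it fails with a permission error if the test runner executes the files directly rather than through `bash`. Set the executable bit (`git update-index --chmod=+x` on the file) unless the runner is known to invoke it via the interpreter. No `-b` bundle is passed, so the verify call presumably fetches attestations over the network; a header comment such as `# Requires network access and GitHub credentials to fetch attestations` would explain failures in offline runs.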