diff --git a/api/src/api/package.rs b/api/src/api/package.rs
index 378780153..11f4ce998 100644
--- a/api/src/api/package.rs
+++ b/api/src/api/package.rs
@@ -1973,7 +1973,7 @@ mod test {
       .unwrap();
 
     fn update_bundle_subject(bundle: &mut ProvenanceBundle, subject: Subject) {
-      let subject = serde_json::json!({ "subject": subject });
+      let subject = serde_json::json!({ "subject": [subject] });
       bundle.content.dsse_envelope.payload = BASE64_STANDARD
         .encode(serde_json::to_string(&subject).unwrap().as_bytes());
     }
diff --git a/api/src/provenance.rs b/api/src/provenance.rs
index baf213cc5..0be386993 100644
--- a/api/src/provenance.rs
+++ b/api/src/provenance.rs
@@ -104,7 +104,17 @@ pub struct Subject {
 #[derive(Debug, Serialize, Deserialize)]
 #[serde(rename_all = "camelCase")]
 pub struct ProvenanceAttestation {
-  pub subject: Subject,
+  pub subject: ProvenanceAttestationSubject,
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+#[serde(untagged)]
+pub enum ProvenanceAttestationSubject {
+  Subjects(Vec),
+  // NOTE: this should be removed in the future. It is only here to support
+  // old Deno CLI versions that sent invalid SLSA attestations where the subject
+  // was not wrapped in an array.
+  Subject(Subject),
 }
 
 pub fn verify(
@@ -118,6 +128,16 @@ pub fn verify(
     serde_json::from_slice::(&payload)?.subject
   };
 
+  let subject = match subject {
+    ProvenanceAttestationSubject::Subjects(subjects) => {
+      if subjects.len() != 1 {
+        bail!("Invalid subject");
+      }
+      subjects.into_iter().next().unwrap()
+    }
+    ProvenanceAttestationSubject::Subject(subject) => subject,
+  };
+
   if subject.name != subject_name {
     bail!("Invalid subject name");
   }
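Review bot: With `update_bundle_subject` now always wrapping `subject` in an array, the legacy bare-object form that `ProvenanceAttestationSubject::Subject` exists to accept is no longer produced by any test visible in this hunk, so a regression in that fallback (or its planned removal) would not be caught here. Consider a second helper that keeps the old shape, e.g. `fn update_bundle_subject_legacy(bundle: &mut ProvenanceBundle, subject: Subject)` using `serde_json::json!({ "subject": subject })`, together with tests asserting that an empty array and a two-element array are rejected by `verify`. The enclosing test function starts before this hunk, so which tests call the helper is not visible.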
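Review bot: `ProvenanceAttestationSubject` is a public, `#[serde(untagged)]` type whose only documentation is the inline `//` note on the fallback variant; a `///` comment on the enum should say that variant order is load-bearing (serde tries `Subjects`, the SLSA array form, before `Subject`) and that `verify` treats both forms identically. Suggested: `/// Subject field of a SLSA provenance statement. Serde tries `Subjects` (the spec's array form) first; `Subject` accepts the bare-object form emitted by older Deno CLI versions and is slated for removal.` The `Vec` element type appears to have been stripped from this rendering of the diff (`Subjects(Vec),`), so readers of the rendered page cannot see what it holds; presumably `Subject`.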
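Review bot: The `Subject` arm accepts the legacy bare-object form with no signal that the fallback was taken, so nothing tells operators when it is safe to delete the variant the NOTE says should go; a log or metric in that arm, e.g. `log::warn!("legacy non-array provenance subject accepted")` if a logging facade is in scope (not visible here), would make the deprecation measurable. The `len() != 1` guard followed by `.unwrap()` can be written without the panic path: `let [subject] = <[Subject; 1]>::try_from(subjects).map_err(|_| anyhow::anyhow!("Invalid subject"))?;` — assuming `bail!` comes from anyhow. A more specific message, such as `bail!("Invalid subject: expected exactly one subject")`, would also make rejected empty or multi-subject statements easier to diagnose. `verify`'s signature and the digest checks that follow are outside this hunk.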