diff --git a/go.mod b/go.mod
index d46196b633..9f87070da0 100644
--- a/go.mod
+++ b/go.mod
@@ -186,7 +186,7 @@ require (
 	github.com/in-toto/archivista v0.11.1 // indirect
 	github.com/in-toto/attestation v1.2.0 // indirect
 	github.com/in-toto/go-witness v0.9.2 // indirect
-	github.com/in-toto/in-toto-golang v0.10.0 // indirect
+	github.com/in-toto/in-toto-golang v0.11.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jcmturner/aescts/v2 v2.0.0 // indirect
 	github.com/jcmturner/dnsutils/v2 v2.0.0 // indirect
diff --git a/go.sum b/go.sum
index 53be5b9b0c..24ab31340d 100644
--- a/go.sum
+++ b/go.sum
@@ -451,8 +451,8 @@ github.com/in-toto/attestation v1.2.0 h1:aPRUZ3azbqD7yEBD5fP3TD8Dszf+YHo284SOcpa
 github.com/in-toto/attestation v1.2.0/go.mod h1:r79G45gOmzPismgObLSL+rZTFxUgZLOQJI6LofTZgXk=
 github.com/in-toto/go-witness v0.9.2 h1:aX1v6Zf/r41BVRxBj06XjlRbHxMCVSPyrrcQxx5AHDM=
 github.com/in-toto/go-witness v0.9.2/go.mod h1:sdYvBKilEeeyVF3O4JduH2ekz3bc8ALAi57lGE5P+iM=
-github.com/in-toto/in-toto-golang v0.10.0 h1:+s2eZQSK3WmWfYV85qXVSBfqgawi/5L02MaqA4o/tpM=
-github.com/in-toto/in-toto-golang v0.10.0/go.mod h1:wjT4RiyFlLWCmLUJjwB8oZcjaq7HA390aMJcD3xXgmg=
+github.com/in-toto/in-toto-golang v0.11.0 h1:nfidMYBFx+E0lnmX5KUnN2Pdm8zdNKal1ayjJuzzRoA=
+github.com/in-toto/in-toto-golang v0.11.0/go.mod h1:u3PjTnwFKjp5a1YCcw8SJg0G+tMeKfVoWsWeFMDCMtw=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
diff --git a/vendor/github.com/in-toto/in-toto-golang/in_toto/match.go b/vendor/github.com/in-toto/in-toto-golang/in_toto/match.go
index 52373aa75f..a581d00f71 100644
--- a/vendor/github.com/in-toto/in-toto-golang/in_toto/match.go
+++ b/vendor/github.com/in-toto/in-toto-golang/in_toto/match.go
@@ -22,8 +22,12 @@ var errBadPattern = errors.New("syntax error in pattern")
 //	term:
 //		'*'         matches any sequence of non-/ characters
 //		'?'         matches any single non-/ character
-//		'[' [ '^' ] { character-range } ']'
+//		'[' [ '!' ] { character-range } ']'
 //		            character class (must be non-empty)
+//
+// NOTE: Only '!' is supported for character class negation, not '^'. This is to
+// ensure compatibility with in-toto-python.
+//
 //		c           matches character c (c != '*', '?', '\\', '[')
 //		'\\' c      matches character c
 //
@@ -141,7 +145,7 @@ func matchChunk(chunk, s string) (rest string, ok bool, err error) {
 			chunk = chunk[1:]
 			// possibly negated
 			negated := false
-			if len(chunk) > 0 && chunk[0] == '^' {
+			if len(chunk) > 0 && chunk[0] == '!' {
 				negated = true
 				chunk = chunk[1:]
 			}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 66964390c2..07067ffbfc 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -873,7 +873,7 @@ github.com/in-toto/go-witness/cryptoutil
 github.com/in-toto/go-witness/dsse
 github.com/in-toto/go-witness/log
 github.com/in-toto/go-witness/timestamp
-# github.com/in-toto/in-toto-golang v0.10.0
+# github.com/in-toto/in-toto-golang v0.11.0
 ## explicit; go 1.24.0
 github.com/in-toto/in-toto-golang/in_toto
 github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common