diff --git a/Library/Homebrew/attestation.rb b/Library/Homebrew/attestation.rb
index 7dd23bdad4..45a1cadf49 100644
--- a/Library/Homebrew/attestation.rb
+++ b/Library/Homebrew/attestation.rb
@@ -86,6 +86,24 @@ module Homebrew
       T.must(@gh_executable)
     end
 
+    # Prioritize installing `gh` first if it's in the formula list
+    # or check for the existence of the `gh` executable elsewhere.
+    #
+    # This ensures that a valid version of `gh` is installed before
+    # we use it to check the attestations of any other formulae we
+    # want to install.
+    #
+    # @api private
+    sig { params(formulae: T::Array[Formula]).returns(T::Array[Formula]) }
+    def self.sort_formulae_for_install(formulae)
+      if formulae.include?(Formula["gh"])
+        [Formula["gh"]] | formulae
+      else
+        Homebrew::Attestation.gh_executable
+        formulae
+      end
+    end
+
     # Verifies the given bottle against a cryptographic attestation of build provenance.
     #
     # The provenance is verified as originating from `signing_repository`, which is a `String`
diff --git a/Library/Homebrew/cmd/install.rb b/Library/Homebrew/cmd/install.rb
index 9b8b9d59e4..8197a6b694 100644
--- a/Library/Homebrew/cmd/install.rb
+++ b/Library/Homebrew/cmd/install.rb
@@ -263,13 +263,7 @@ module Homebrew
           end
         end
 
-        if Homebrew::Attestation.enabled?
-          if formulae.include?(Formula["gh"])
-            formulae.unshift(T.must(formulae.delete(Formula["gh"])))
-          else
-            Homebrew::Attestation.gh_executable
-          end
-        end
+        formulae = Homebrew::Attestation.sort_formulae_for_install(formulae) if Homebrew::Attestation.enabled?
 
         # if the user's flags will prevent bottle only-installations when no
         # developer tools are available, we need to stop them early on
diff --git a/Library/Homebrew/cmd/reinstall.rb b/Library/Homebrew/cmd/reinstall.rb
index 5ace087d93..b81b390f20 100644
--- a/Library/Homebrew/cmd/reinstall.rb
+++ b/Library/Homebrew/cmd/reinstall.rb
@@ -124,14 +124,7 @@ module Homebrew
           end
         end
 
-        if Homebrew::Attestation.enabled?
-          if formulae.include?(Formula["gh"])
-            # Move `gh` to the front of the list so that it gets installed first.
-            formulae = [Formula["gh"]] | formulae
-          else
-            Homebrew::Attestation.gh_executable
-          end
-        end
+        formulae = Homebrew::Attestation.sort_formulae_for_install(formulae) if Homebrew::Attestation.enabled?
 
         Install.perform_preinstall_checks
 
diff --git a/Library/Homebrew/cmd/upgrade.rb b/Library/Homebrew/cmd/upgrade.rb
index f3cceed9de..b803edee84 100644
--- a/Library/Homebrew/cmd/upgrade.rb
+++ b/Library/Homebrew/cmd/upgrade.rb
@@ -134,14 +134,7 @@ module Homebrew
         only_upgrade_formulae = formulae.present? && casks.blank?
         only_upgrade_casks = casks.present? && formulae.blank?
 
-        if Homebrew::Attestation.enabled?
-          if formulae.include?(Formula["gh"])
-            # Move `gh` to the front of the list so that it gets installed first.
-            formulae = [Formula["gh"]] | formulae
-          else
-            Homebrew::Attestation.gh_executable
-          end
-        end
+        formulae = Homebrew::Attestation.sort_formulae_for_install(formulae) if Homebrew::Attestation.enabled?
 
         upgrade_outdated_formulae(formulae) unless only_upgrade_casks
         upgrade_outdated_casks(casks) unless only_upgrade_formulae