diff --git a/Library/Homebrew/attestation.rb b/Library/Homebrew/attestation.rb
index c6808e68db..853643465f 100644
--- a/Library/Homebrew/attestation.rb
+++ b/Library/Homebrew/attestation.rb
@@ -59,11 +59,11 @@ module Homebrew
 def self.enabled?
 return false if Homebrew::EnvConfig.no_verify_attestations?
 return true if Homebrew::EnvConfig.verify_attestations?
- return false if GitHub::API.credentials.blank?
 return false if ENV.fetch("CI", false)
 return false if OS.unsupported_configuration?
- Homebrew::EnvConfig.developer? || Homebrew::EnvConfig.devcmdrun?
+ # Always check credentials last to avoid unnecessary credential extraction.
+ (Homebrew::EnvConfig.developer? || Homebrew::EnvConfig.devcmdrun?) && GitHub::API.credentials.present?
 end
 # Returns a path to a suitable `gh` executable for attestation verification.
diff --git a/Library/Homebrew/utils/github/api.rb b/Library/Homebrew/utils/github/api.rb
index 4dc96c50d5..324986fce2 100644
--- a/Library/Homebrew/utils/github/api.rb
+++ b/Library/Homebrew/utils/github/api.rb
@@ -177,8 +177,9 @@ module GitHub
 print_stderr: false
 return unless result.success?
- github_username = git_credential_out[/username=(.+)/, 1]
- github_password = git_credential_out[/password=(.+)/, 1]
+ git_credential_out.force_encoding("ASCII-8BIT")
+ github_username = git_credential_out[/^username=(.+)/, 1]
+ github_password = git_credential_out[/^password=(.+)/, 1]
 return unless github_username
 # Don't use passwords from the keychain unless they look like
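Review bot: The rewritten last line of `enabled?` in attestation.rb makes absent GitHub credentials turn attestation verification off silently for developer-mode users, and the new comment documents only the ordering, not that outcome. I would extend it to `# Check credentials last so the credential helper only runs when needed; no credentials means verification is skipped, not failed.` The unchanged guard `return false if ENV.fetch("CI", false)` is also truthy for any value of CI, including an empty string or "false", so it is worth confirming that disabling verification in all those cases is intended.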
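Review bot: `git_credential_out.force_encoding("ASCII-8BIT")` in api.rb retags the credential helper output in place and carries no comment saying why, so a later reader cannot tell it is there to keep the two regex matches from raising on bytes that are invalid in the string's original encoding (presumably the motivation; the hunk does not state it). A non-mutating form with the reason attached would be `git_credential_out = git_credential_out.b # helper output may contain non-UTF-8 bytes`, which also avoids a FrozenError should that string ever be frozen. The captured username and password inherit the binary encoding, so code that later combines them with UTF-8 text containing non-ASCII characters may need care. The `^` anchors are appropriate here because the output is line-oriented `key=value` and they stop a match inside another attribute's value; the enclosing method starts and ends outside the hunk.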