#1136789 gitsign: CVE-2026-44309 CVE-2026-44310

Package:
src:gitsign
Source:
src:gitsign
Submitter:
Salvatore Bonaccorso
Date:
2026-06-07 20:51:02 UTC
Severity:
normal
#1136789#5
Date:
2026-05-15 21:42:48 UTC
Hi,

The following vulnerabilities were published for gitsign.

CVE-2026-44309[0]:
| Gitsign is a keyless Sigstore signing tool for Git commits with
| your GitHub / OIDC identity. Prior to 0.16.0, gitsign verify and
| gitsign verify-tag re-encode commit/tag objects through go-git's
| EncodeWithoutSignature before checking the signature, instead of
| verifying against the raw git object bytes. For malformed objects
| with duplicate tree headers, git-core and go-git parse different
| trees: git-core uses the first, go-git uses the second. A signature
| crafted over the go-git-normalized form (second tree) passes gitsign
| verify while git-core resolves the commit to a completely different
| tree. This breaks the invariant that a verified signature, the
| commit semantics git-core presents to users, and the object hash
| logged in Rekor all refer to the same content. This vulnerability is
| fixed in 0.16.0.


CVE-2026-44310[1]:
| Gitsign is a keyless Sigstore signing tool for Git commits with
| your GitHub / OIDC identity. From 0.4.0 to before 0.15.0,
| CertVerifier.Verify() in pkg/git/verifier.go unconditionally
| dereferences certs[0] after sd.GetCertificates() without checking
| the slice length. A CMS/PKCS7 signed message with an empty
| certificate set is a structurally valid DER payload;
| GetCertificates() returns an empty slice with no error, causing an
| immediate index-out-of-range panic. On the gitsign --verify code
| path (the GPG-compatible mode invoked by git verify-commit), the
| panic is silently recovered by internal/io/streams.go's Wrap()
| function, which returns nil instead of an error. main.go then exits
| with code 0, causing exit-code-only verification callers to
| interpret the failed verification as success. This vulnerability is
| fixed in 0.15.0.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-44309
https://www.cve.org/CVERecord?id=CVE-2026-44309
https://github.com/sigstore/gitsign/security/advisories/GHSA-7rmh-48mx-2vwc
[1] https://security-tracker.debian.org/tracker/CVE-2026-44310
https://www.cve.org/CVERecord?id=CVE-2026-44310
https://github.com/sigstore/gitsign/security/advisories/GHSA-7c37-gx6w-8vc5

Regards,
Salvatore
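
The CVE-2026-44310 failure chain (empty certificate set, unchecked certs[0], panic swallowed into a nil error and exit code 0), as an added Go illustration beside its fixed form. This is not gitsign's code: signedData, vulnerableVerify, fixedVerify, vulnerableWrap and fixedWrap are constructed stand-ins for CertVerifier.Verify() and streams.go's Wrap(), with the certificate set reduced to strings.

```go
package main

import "fmt"

// Constructed stand-in for a parsed CMS/PKCS7 SignedData; the advisory's
// point is that GetCertificates() may legally return an empty slice.
type signedData struct{ certs []string }
func (s signedData) GetCertificates() ([]string, error) { return s.certs, nil }

// vulnerableVerify: certs[0] dereferenced with no length check (panics on empty set).
func vulnerableVerify(sd signedData) (string, error) {
	certs, err := sd.GetCertificates()
	if err != nil {
		return "", err
	}
	return certs[0], nil // index out of range when len(certs) == 0
}

// fixedVerify: reject an empty certificate set with an error instead of panicking.
func fixedVerify(sd signedData) (string, error) {
	certs, err := sd.GetCertificates()
	if err != nil {
		return "", err
	}
	if len(certs) == 0 {
		return "", fmt.Errorf("signed message carries no signer certificate")
	}
	return certs[0], nil
}

// vulnerableWrap swallows the panic and returns nil: the caller then exits 0.
func vulnerableWrap(fn func() error) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = nil
		}
	}()
	return fn()
}

// fixedWrap turns a recovered panic into an error, so the exit code is non-zero.
func fixedWrap(fn func() error) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("verification panicked: %v", r)
		}
	}()
	return fn()
}
```

Either fix alone closes the exit-code-0 outcome: the length check stops the panic, and the wrapper change keeps any future panic from reading as success to an exit-code-only caller such as git verify-commit.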

#1136789#10
Date:
2026-06-07 20:48:59 UTC
We believe that the bug you reported is fixed in the latest version of
gitsign, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1136789@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon Josefsson <simon@josefsson.org> (supplier of updated gitsign package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 07 Jun 2026 21:33:24 +0200
Source: gitsign
Architecture: source
Version: 0.16.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
Changed-By: Simon Josefsson <simon@josefsson.org>
Closes: 1136789
Changes:
 gitsign (0.16.0-1) unstable; urgency=medium
 .
   * New upstream (Closes: #1136789)
     - CVE-2026-44309
     - CVE-2026-44310
   * Disable failing test
   * Bump upstream copyright years
Git-Tag-Info: tag=5bd7bc59e909af79e6f2d279ad766fde2c23e290 fp=a3cc9c870b9d310abad4cf2f51722b08fe4745a2
Git-Tag-Tagger: Simon Josefsson <simon@josefsson.org>