Security Advisories for github.com/sigstore/gitsign in go
Moderate
26 days ago
gitsign verify accepts signatures over go-git-normalized bytes, enabling trust confusion on malformed commits
go
github.com/sigstore/gitsign
Moderate
26 days ago
gitsign --verify panics on empty-certificate PKCS7 and exits 0, bypassing exit-code callers
go
github.com/sigstore/gitsign
Low
over 1 year ago
gitsign may use incorrect Rekor entries during verification
go
github.com/sigstore/gitsign
Moderate
over 2 years ago
Gitsign's Rekor public keys fetched from upstream API instead of local TUF client.
go
github.com/sigstore/gitsign