First published: Tue Nov 14 2023(Updated: )
### Impact In certain versions of gitsign, Rekor public keys were fetched via the Rekor API, instead of through the local TUF client. If the upstream Rekor server happened to be compromised, gitsign clients could potentially be tricked into trusting incorrect signatures. There is no known compromise the default public good instance (`rekor.sigstore.dev`) - anyone using this instance is unlikely to be affected. ### Patches This was fixed in v0.8.0 via https://github.com/sigstore/gitsign/pull/399 ### Workarounds n/a ### References _Are there any links users can visit to find out more?_ https://docs.sigstore.dev/about/threat-model/#sigstore-threat-model
|Affected Software||Affected Version||How to fix|
In certain versions of gitsign, Rekor public keys were fetched via the Rekor API instead of through the local TUF client, potentially allowing incorrect signatures to be trusted if the upstream Rekor server is compromised.
GHSA-xvrc-2wvh-49vc can potentially trick gitsign clients into trusting incorrect signatures if the upstream Rekor server is compromised.
The severity of GHSA-xvrc-2wvh-49vc is medium with a severity value of 4.2.
Versions between 0.6.0 (inclusive) and 0.8.0 (exclusive) of gitsign are affected by GHSA-xvrc-2wvh-49vc.
The Common Weakness Enumeration (CWE) ID for GHSA-xvrc-2wvh-49vc is 347.