Unknown · Sigstore-Ruby · CVE-2026-31830
**Name of the Vulnerable Software and Affected Versions**
sigstore-ruby versions prior to 0.2.3
**Description**
The software does not correctly handle verification failures when the artifact digest does not match the digest in the in-toto attestation subject. Specifically, the `Sigstore::Verifier#verify` function does not propagate the `VerificationFailure` returned by `verify_in_toto`. This results in successful verification even when the artifact does not match the attested subject, impacting the verification of DSSE bundles containing in-toto statements.
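The defect described above is a dropped-result bug: a helper compares the artifact digest against the attested subject and returns a failure object, but the caller ignores that return value and reports success. The Ruby below is an added illustration of that pattern and its fix; it is not sigstore-ruby's code, and the names `verify_in_toto`, `verify_dropping_result`, `verify_propagating_result`, the result structs and the sample statement are constructed stand-ins.

```ruby
require "digest"

# Added illustration, not code from sigstore-ruby. The result structs, the
# helper name verify_in_toto and both verify_* methods are assumed stand-ins
# for the pattern the advisory describes.
VerificationSuccess = Struct.new(:message) do
  def verified?
    true
  end
end

VerificationFailure = Struct.new(:reason) do
  def verified?
    false
  end
end

# Minimal in-toto subject check: the artifact's sha256 must match a digest
# recorded in the statement's "subject" list. Returns a result object rather
# than raising, which is exactly what makes ignoring it easy.
def verify_in_toto(statement, artifact_bytes)
  actual = Digest::SHA256.hexdigest(artifact_bytes)
  subjects = statement.fetch("subject", [])
  matched = subjects.any? { |s| s.dig("digest", "sha256") == actual }
  return VerificationFailure.new("artifact digest #{actual} matches no attested subject") unless matched

  VerificationSuccess.new("subject digest matches")
end

# Vulnerable pattern: the helper runs, its result is discarded, and the
# method falls through to success regardless of the digest comparison.
def verify_dropping_result(statement, artifact_bytes)
  verify_in_toto(statement, artifact_bytes) # return value ignored
  VerificationSuccess.new("bundle verified")
end

# Corrected pattern: any failure from the helper is returned to the caller.
def verify_propagating_result(statement, artifact_bytes)
  result = verify_in_toto(statement, artifact_bytes)
  return result unless result.verified?

  VerificationSuccess.new("bundle verified")
end

# Constructed sample data: a statement attesting to the digest of "hello\n",
# and a tampered artifact whose digest is not in the subject list.
ATTESTED_ARTIFACT = "hello\n".b
TAMPERED_ARTIFACT = "hello!\n".b
SAMPLE_STATEMENT = {
  "_type" => "https://in-toto.io/Statement/v1",
  "subject" => [
    { "name" => "artifact.bin",
      "digest" => { "sha256" => Digest::SHA256.hexdigest(ATTESTED_ARTIFACT) } }
  ],
  "predicateType" => "https://example.invalid/predicate" # placeholder URI
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts verify_dropping_result(SAMPLE_STATEMENT, TAMPERED_ARTIFACT).verified?    # true  (the bug)
  puts verify_propagating_result(SAMPLE_STATEMENT, TAMPERED_ARTIFACT).verified? # false (fixed)
end
```

The useful check when reviewing verifier code is the one the fixed method performs: every helper that returns a result object must have that result inspected on the calling side, or the helper should raise instead of returning so a dropped value cannot silently become success.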
**Recommendations**
Update to version 0.2.3 or later.