PT-2023-30326 · Gitsign · Gitsign

Adityasaky · Published 2023-11-10 · Updated 2024-08-21 · CVE-2023-47122

CVSS v3.1: 4.2 (Medium)
Vector: AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: gitsign, versions 0.6.0 and later but earlier than 0.8.0 (>= 0.6.0, < 0.8.0; fixed in 0.8.0)
Description: The issue concerns where gitsign obtains the Rekor public key it uses to verify the signed entry timestamp (SET) on a Rekor log entry. Versions of gitsign from 0.6.0 up to but not including 0.8.0 fetch this key through the Rekor API of the same server that serves the entry, instead of obtaining it from the local TUF client, which delivers the key from the Sigstore trust root. Because key and entry then come from a single source, a compromised upstream Rekor server can present its own key alongside entries it has forged, and an affected gitsign client would accept signatures whose log entries were never integrated in the genuine log. There is no known compromise of the default public-good instance, rekor.sigstore.dev, so users of that instance are unlikely to be affected.
Recommendations: For gitsign versions 0.6.0 through 0.7.x, update to version 0.8.0, which fetches the Rekor public key through the TUF client again. For version 0.8.0 and later, no action is required. As a temporary workaround for versions prior to 0.8.0, restrict which Rekor instance affected clients fetch public keys from: point them only at an instance you trust (for the public-good instance, rekor.sigstore.dev, no compromise is known), since a verification performed by an affected version is only as trustworthy as the Rekor server that answered the key request.
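The failure the description names, as an added example in Go that is not gitsign's or Sigstore's own code: a toy Rekor server (ECDSA P-256 over a simplified SET payload; the names RekorServer, Integrate, VerifyWithKeyFromAPI and VerifyWithPinnedKey and the log label "rekor.example" are hypothetical, and the entry bodies are constructed sample data) signs log entries, and two verifiers differ only in where the public key comes from. The vulnerable verifier, which asks the server for its key, accepts any entry a compromised server signs with its own key; the hardened verifier pins a key obtained from an independent trust root, as the TUF client provides, and rejects the forged entry.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// setPayload holds the entry fields that Rekor's signed entry timestamp (SET)
// covers. The real service canonicalizes JSON and base64-encodes the body; this
// simplified shape keeps the example self-contained.
type setPayload struct {
	Body           string `json:"body"`
	IntegratedTime int64  `json:"integratedTime"`
	LogID          string `json:"logID"`
	LogIndex       int64  `json:"logIndex"`
}

// LogEntry is a stand-in for a Rekor log entry together with its SET.
type LogEntry struct {
	setPayload
	SET []byte
}

// digest returns what the SET signs: SHA-256 over the serialized payload.
func (e LogEntry) digest() []byte {
	b, err := json.Marshal(e.setPayload)
	if err != nil {
		panic(err) // fixed struct of plain fields, cannot fail
	}
	sum := sha256.Sum256(b)
	return sum[:]
}

// RekorServer models a transparency log that both serves entries and answers
// the "what is your public key" API call. Two instances with different keys
// stand for the genuine log and a compromised one.
type RekorServer struct {
	key   *ecdsa.PrivateKey
	logID string
	next  int64
}

func NewRekorServer(logID string) (*RekorServer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &RekorServer{key: key, logID: logID}, nil
}

// PublicKeyFromAPI is the call the vulnerable client relies on: the key comes
// from the same server whose entries it is meant to validate.
func (s *RekorServer) PublicKeyFromAPI() *ecdsa.PublicKey {
	return &s.key.PublicKey
}

// Integrate appends an entry and signs its SET with the server's key.
func (s *RekorServer) Integrate(body string, integratedTime int64) (LogEntry, error) {
	e := LogEntry{setPayload: setPayload{Body: body, IntegratedTime: integratedTime, LogID: s.logID, LogIndex: s.next}}
	s.next++
	sig, err := ecdsa.SignASN1(rand.Reader, s.key, e.digest())
	if err != nil {
		return LogEntry{}, err
	}
	e.SET = sig
	return e, nil
}

// VerifySET checks an entry's SET against a given Rekor public key.
func VerifySET(e LogEntry, pub *ecdsa.PublicKey) bool {
	return ecdsa.VerifyASN1(pub, e.digest(), e.SET)
}

// VerifyWithKeyFromAPI reproduces the vulnerable pattern (gitsign >= 0.6.0,
// < 0.8.0): key and entry come from one server, so a compromised server that
// signs forged entries with its own key passes every check.
func VerifyWithKeyFromAPI(server *RekorServer, e LogEntry) bool {
	return VerifySET(e, server.PublicKeyFromAPI())
}

// VerifyWithPinnedKey is the hardened pattern: the key was obtained out of
// band from an independent trust root (TUF, in Sigstore), so an entry signed
// with any other key fails.
func VerifyWithPinnedKey(trusted *ecdsa.PublicKey, e LogEntry) bool {
	return VerifySET(e, trusted)
}

func main() {
	honest, err := NewRekorServer("rekor.example") // assumed label; real log IDs derive from the key
	if err != nil {
		panic(err)
	}
	trusted := honest.PublicKeyFromAPI() // stands in for the key pinned via the TUF trust root
	genuine, _ := honest.Integrate("gitsign signature for alice@example.com", 1700000000)

	compromised, err := NewRekorServer("rekor.example") // attacker-controlled key, same log name
	if err != nil {
		panic(err)
	}
	forged, _ := compromised.Integrate("gitsign signature for alice@example.com", 1700000001)

	fmt.Println("genuine entry, key from API:", VerifyWithKeyFromAPI(honest, genuine))     // true
	fmt.Println("forged entry, key from API: ", VerifyWithKeyFromAPI(compromised, forged)) // true (vulnerable)
	fmt.Println("forged entry, pinned key:   ", VerifyWithPinnedKey(trusted, forged))      // false (hardened)
}
```

The signature check itself is identical in both verifiers; the only difference is the trust anchor for the key, which is exactly what the 0.8.0 fix changes. Note that this model lets the attacker reuse the log name freely; in Rekor the log ID is derived from the public key, so a client with a pinned key can additionally detect the mismatch by comparing log IDs.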

Weakness Enumeration

CWE-347: Improper Verification of Cryptographic Signature

Related Identifiers

CVE-2023-47122
GHSA-XVRC-2WVH-49VC
GO-2023-2332

Affected Products

Gitsign