PT-2026-37206 · Go · github.com/supply-chain-tools/gitverify

Published 2026-04-24 · Updated 2026-04-24

CVSS v4.0 5.3 Medium
Vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

gitverify is still a prototype.

Impact

The bug is in the handling of requireSignedTags, which is enabled by default: an unsigned annotated tag passed verification as if it had been signed. The commit the tag points to still had to be signed by a maintainer or a contributor, so the check failed open only for the tag itself, not for the history it references.
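The fail-open pattern this advisory describes, as an added illustration that is not gitverify's own code: a tag verifier that finds no signature block on an annotated tag and reports success, beside one that fails closed when requireSignedTags is set. The tag objects, the stub verifier and all function names here are constructed for the example; the stub only checks that a signature block is well-formed and performs no cryptography.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Annotated tag bodies in `git cat-file -p <tag>` layout, constructed for
// this example. A signed tag carries a signature block after the message.
const unsignedTag = `object 1111111111111111111111111111111111111111
type commit
tag v1.0.0
tagger Example Maintainer <maintainer@example.com> 1700000000 +0000

Release v1.0.0
`

const signedTag = unsignedTag + `-----BEGIN SSH SIGNATURE-----
U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAg
-----END SSH SIGNATURE-----
`

// Markers git places at the start of a tag signature block.
var sigMarkers = []string{
	"-----BEGIN PGP SIGNATURE-----",
	"-----BEGIN SSH SIGNATURE-----",
}

// splitSignature separates the signed payload from the trailing signature
// block; sig is empty when the tag is unsigned.
func splitSignature(tag string) (payload, sig string) {
	for _, m := range sigMarkers {
		if i := strings.Index(tag, m); i >= 0 {
			return tag[:i], tag[i:]
		}
	}
	return tag, ""
}

// verifier stands in for real signature verification against trusted keys.
type verifier func(payload, sig string) (bool, error)

// stubVerify accepts any signature block whose BEGIN and END lines match.
// It is a placeholder for this example, not a cryptographic check.
func stubVerify(_ string, sig string) (bool, error) {
	lines := strings.Split(strings.TrimSpace(sig), "\n")
	if len(lines) < 2 {
		return false, errors.New("malformed signature block")
	}
	begin := strings.TrimSpace(lines[0])
	end := strings.TrimSpace(lines[len(lines)-1])
	return strings.HasPrefix(begin, "-----BEGIN ") &&
		end == strings.Replace(begin, "BEGIN", "END", 1), nil
}

// vulnerableCheck shows the fail-open pattern: a tag with no signature block
// has nothing to verify, so the function returns success even when
// requireSignedTags is set.
func vulnerableCheck(tag string, requireSignedTags bool, verify verifier) error {
	payload, sig := splitSignature(tag)
	if sig == "" {
		return nil // BUG: absence of a signature is treated as a valid signature
	}
	return checkSig(payload, sig, verify)
}

// fixedCheck fails closed: when requireSignedTags is set, a missing signature
// block is rejected before any verification happens.
func fixedCheck(tag string, requireSignedTags bool, verify verifier) error {
	payload, sig := splitSignature(tag)
	if sig == "" {
		if requireSignedTags {
			return errors.New("annotated tag is unsigned but requireSignedTags is enabled")
		}
		return nil
	}
	return checkSig(payload, sig, verify)
}

// checkSig runs the verifier and turns a negative result into an error.
func checkSig(payload, sig string, verify verifier) error {
	ok, err := verify(payload, sig)
	if err != nil {
		return err
	}
	if !ok {
		return errors.New("tag signature did not verify")
	}
	return nil
}

func main() {
	fmt.Println("vulnerable, unsigned tag:", vulnerableCheck(unsignedTag, true, stubVerify))
	fmt.Println("fixed, unsigned tag:     ", fixedCheck(unsignedTag, true, stubVerify))
	fmt.Println("fixed, signed tag:       ", fixedCheck(signedTag, true, stubVerify))
}
```

The point of the comparison is where the "no signature" branch sits: in the vulnerable form it short-circuits before the policy flag is consulted, so the flag can never reject anything, while the fixed form consults requireSignedTags first and only then decides whether an absent signature is acceptable.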

Patches

Affected since the initial commit; fixed in c2c60da05d5c73621d0ce7ea02770bacd79ec8b1 (the project has no semantic versions yet).

Workarounds

None.

Weakness Enumeration

CWE-347: Improper Verification of Cryptographic Signature

Related Identifiers

GHSA-h829-5cg7-6hff

Affected Products

github.com/supply-chain-tools/gitverify