PT-2026-39244 · Gitsign · Gitsign

Published 2026-05-08 · Updated 2026-05-18 · CVE-2026-44310

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Gitsign versions 0.4.0 through 0.14.x

Description: In the CertVerifier.Verify() function within pkg/git/verifier.go, the software unconditionally dereferences the first element of a certificate slice (certs[0]) after calling sd.GetCertificates() without verifying the slice length. A structurally valid CMS/PKCS7 signed message can contain an empty certificate set, causing GetCertificates() to return an empty slice and triggering an index-out-of-range panic.

When the gitsign --verify code path is used (such as when invoked by git verify-commit), this panic is silently recovered by the Wrap() function in internal/io/streams.go. Because Wrap() returns nil instead of an error upon recovery, the application exits with code 0. This leads callers that rely solely on exit codes, such as certain scripts or CI pipelines, to incorrectly interpret a failed verification as a success.

Recommendations: For versions 0.4.0 through 0.14.x, update to version 0.15.0. As a temporary mitigation, restrict the use of the CertVerifier.Verify() function or the gitsign --verify command in automated pipelines that rely exclusively on exit codes for verification success.
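The two defects described above, the unchecked certs[0] read and the recover() that reports a panic as success, reconstructed side by side with their hardened forms. This is an added illustration written for this page, not Gitsign's code; the function names verifyVulnerable, verifyFixed, runVulnerable and runFixed and the exit-code mapping are assumptions.

```go
package main

import (
	"crypto/x509"
	"errors"
)

// ErrNoCertificates is returned when the signed message carries an empty certificate set.
var ErrNoCertificates = errors.New("signed message contains no certificates")

// verifyVulnerable mirrors the advisory's defect: certs[0] is read with no length check,
// so an empty certificate set panics. Hypothetical reconstruction, not Gitsign's code.
func verifyVulnerable(certs []*x509.Certificate) error {
	_ = certs[0] // index out of range when len(certs) == 0
	return nil   // chain validation of the leaf would follow here
}

// verifyFixed rejects an empty certificate set before indexing into it.
func verifyFixed(certs []*x509.Certificate) error {
	if len(certs) == 0 {
		return ErrNoCertificates
	}
	return nil // chain validation of certs[0] would follow here
}

// runVulnerable mirrors the described recover behaviour: the panic is swallowed and the
// named result keeps its zero value, so a caller checking only the exit code sees 0.
func runVulnerable(verify func() error) (code int) {
	defer func() { recover() }() // the failure is lost here
	if verify() != nil {
		return 1
	}
	return 0
}

// runFixed maps a recovered panic to a distinct non-zero exit code, so a crash
// during verification can never be mistaken for a successful check.
func runFixed(verify func() error) (code int) {
	defer func() {
		if r := recover(); r != nil {
			code = 2 // internal error: neither verified nor cleanly rejected
		}
	}()
	if verify() != nil {
		return 1 // signature or certificate set rejected
	}
	return 0
}
```

Passing a nil slice (an empty certificate set) through runVulnerable yields 0, while runFixed yields 1 for the rejected set and 2 if only the recover fix were applied without the length check.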

Weakness Enumeration

Improper Validation of Array Index

Related Identifiers

CVE-2026-44310
GHSA-7C37-GX6W-8VC5

Affected Products

Gitsign