PatchSiren cyber security CVE debrief

CVE-2026-44309 sigstore CVE debrief

## Summary Gitsign versions prior to 0.16.0 contain a signature verification bypass vulnerability. The `gitsign verify` and `gitsign verify-tag` commands re-encode Git commit and tag objects through go-git's `EncodeWithoutSignature` before signature verification, rather than verifying against raw object bytes. This creates a semantic mismatch: malformed objects with duplicate tree headers are parsed differently by git-core (uses first tree) versus go-git (uses second tree). An attacker can craft a signature over the go-git-normalized form that passes gitsign verification, while git-core resolves the commit to a completely different tree—breaking the invariant that verified signatures, git-core semantics, and Rekor-logged object hashes all refer to the same content. ## Impact Successful exploitation allows an attacker to present a commit that appears validly signed and logged in Rekor, yet git-core interprets it as referencing different content than what was signed. This undermines supply chain integrity guarantees for repositories using gitsign for keyless Sigstore signing. The CVSS 3.1 score of 5.3 (Medium) reflects the attack complexity requirements and user interaction needed. ## Affected Versions - Gitsign: prior to 0.16.0 ## Fixed Versions - Gitsign: 0.16.0 ## Recommended Actions 1. **Upgrade immediately** to gitsign 0.16.0 or later to obtain the signature verification fix. 2. **Audit recent commits** in repositories using gitsign for signing, particularly those with unusual object structures or from untrusted sources. 3. **Verify Rekor entries** for critical commits to ensure object hashes match expected content. 4. **Review CI/CD pipelines** using gitsign to ensure they use the patched version before processing signed commits. 5. **Consider additional verification** using git-core's native verification mechanisms as a defense-in-depth measure for high-assurance scenarios.