PatchSiren cyber security CVE debrief
CVE-2026-44310 sigstore CVE debrief
A vulnerability in Gitsign versions 0.4.0 through 0.14.x allows an attacker to craft a CMS/PKCS7 signed message with an empty certificate set that causes a panic during verification. Because of improper error handling in the verification code path, the panic is silently recovered and the process exits with code 0, so automated verification systems that trust the exit code treat the failed verification as successful. The affected entry point is the `gitsign --verify` command used for GPG-compatible Git commit verification.
- Vendor: sigstore
- Product: gitsign
- CVSS: MEDIUM 5.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-15
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-15
- Advisory updated: 2026-05-18
Who should care
Organizations using Gitsign for Git commit verification in CI/CD pipelines, software supply chain security teams, and developers relying on `gitsign --verify` for commit signature validation in automated workflows.
Technical summary
The vulnerability exists in `pkg/git/verifier.go`, where `CertVerifier.Verify()` unconditionally reads `certs[0]` after calling `sd.GetCertificates()` without checking that the returned certificate slice is non-empty. A structurally valid DER-encoded CMS/PKCS7 message whose certificate set is empty therefore triggers an index-out-of-range panic. The `Wrap()` function in `internal/io/streams.go` recovers that panic and returns `nil` instead of an error, and `main.go` exits with code 0. Any caller that decides the outcome from the process exit code alone (rather than from an explicit positive verification result) treats the failed verification as successful. The issue affects Gitsign versions 0.4.0 through 0.14.x and is fixed in 0.15.0.
Defensive priority
medium
Recommended defensive actions
- Upgrade Gitsign to version 0.15.0 or later to address the verification bypass vulnerability
- Review any automated Git commit verification pipelines that rely solely on exit codes from `gitsign --verify` for the affected version range
- Consider adding secondary verification checks beyond exit code validation for critical code signing workflows
- Audit commit verification logs for any anomalous successful verifications during the affected period if Gitsign 0.4.0-0.14.x was in use
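The third action above asks for a check beyond the exit code. The following is an added example, not code from the PatchSiren page or from the gitsign project, of how a pipeline that shells out to `gitsign --verify` can decide the outcome. It assumes the GPG-compatible `[GNUPG:] GOODSIG` / `BADSIG` status lines that gpg-style verifiers print (Git's own gpg interface parses these rather than trusting the exit code alone); the `verifyResult` type and the sample status text are constructed here for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// verifyResult holds what a caller gets back from one verification run:
// the exit status and the status-fd text. Both are supplied by the caller;
// in this example they are constructed, not captured from a real process.
type verifyResult struct {
	exitCode int
	status   string
}

// accept returns true only when the exit code is 0 AND the output carries an
// explicit GOODSIG line, and returns false as soon as a negative verdict line
// appears. "Exit 0 with no verdict line" is exactly the failure mode the
// advisory describes, so it is treated as a rejection, not a pass.
func accept(r verifyResult) (bool, string) {
	if r.exitCode != 0 {
		return false, fmt.Sprintf("non-zero exit code %d", r.exitCode)
	}
	good := false
	sc := bufio.NewScanner(strings.NewReader(r.status))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if !strings.HasPrefix(line, "[GNUPG:] ") {
			continue // ignore human-readable output lines
		}
		fields := strings.Fields(strings.TrimPrefix(line, "[GNUPG:] "))
		if len(fields) == 0 {
			continue
		}
		switch fields[0] {
		case "GOODSIG":
			good = true
		case "BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG":
			return false, "negative status line " + fields[0]
		}
	}
	if !good {
		return false, "exit code 0 but no GOODSIG status line"
	}
	return true, "signature accepted"
}

// Constructed sample outputs (not real gitsign runs): a genuine pass, and the
// advisory's case where the verifier exits 0 after swallowing a panic and
// prints no verdict at all.
var (
	goodRun = verifyResult{
		exitCode: 0,
		status: "[GNUPG:] NEWSIG\n" +
			"[GNUPG:] GOODSIG 1234567890ABCDEF dev@example.com\n" +
			"[GNUPG:] TRUST_FULLY 0 shell\n",
	}
	swallowedPanicRun = verifyResult{exitCode: 0, status: ""}
	badRun            = verifyResult{exitCode: 1, status: "[GNUPG:] BADSIG 1234567890ABCDEF dev@example.com\n"}
)

func main() {
	for name, r := range map[string]verifyResult{
		"good": goodRun, "swallowed-panic": swallowedPanicRun, "bad": badRun,
	} {
		ok, why := accept(r)
		fmt.Printf("%-16s accepted=%v (%s)\n", name, ok, why)
	}
}
```

An exit-code-only caller would accept `swallowedPanicRun`; `accept` rejects it because no positive verdict line was ever printed.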
Evidence notes
The vulnerability stems from unconditional dereference of `certs[0]` in `CertVerifier.Verify()` at `pkg/git/verifier.go` after `sd.GetCertificates()` returns an empty slice without error. The panic is recovered by `internal/io/streams.go`'s `Wrap()` function, which returns `nil` instead of propagating an error. The `main.go` then exits with code 0, causing exit-code-only verification callers to misinterpret the result.
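The technical summary and the evidence notes above describe two compounding defects: an unguarded `certs[0]` read and a `recover()` that maps the resulting panic to a `nil` error. The following added example (written for this page, not gitsign's own code) models both, with a hypothetical `signedData` stand-in for the parsed CMS structure, a `wrapSwallow` that imitates the flawed recovery, and the two hardened counterparts: a length check in the verifier and a recovery that turns a panic into a returned error.

```go
package main

import (
	"crypto/x509"
	"errors"
	"fmt"
)

// signedData is a constructed stand-in for a parsed CMS SignedData; it is
// not gitsign's type. An empty certificate set is a nil slice here.
type signedData struct {
	certs []*x509.Certificate
}

// GetCertificates mirrors the behaviour the advisory describes: an empty
// certificate set comes back as an empty slice with a nil error.
func (sd *signedData) GetCertificates() ([]*x509.Certificate, error) {
	return sd.certs, nil
}

// verifyUnchecked reproduces the flawed pattern: certs[0] is read without a
// length check, so an empty set panics with an index-out-of-range error.
func verifyUnchecked(sd *signedData) error {
	certs, err := sd.GetCertificates()
	if err != nil {
		return err
	}
	leaf := certs[0] // panics when len(certs) == 0
	_ = leaf
	return nil
}

// verifyChecked is the hardened form: an empty set is a verification error.
func verifyChecked(sd *signedData) error {
	certs, err := sd.GetCertificates()
	if err != nil {
		return err
	}
	if len(certs) == 0 {
		return errors.New("signature carries no certificates")
	}
	_ = certs[0]
	return nil
}

// wrapSwallow models a recover() that discards the panic. The named return
// value is still nil after the panic, so the caller sees "no error".
func wrapSwallow(fn func() error) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = nil // the bug: the failure is lost here
		}
	}()
	return fn()
}

// wrapPropagate converts a recovered panic into a returned error so that it
// reaches the exit code like any other verification failure.
func wrapPropagate(fn func() error) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("internal error during verification: %v", r)
		}
	}()
	return fn()
}

// exitCode maps the verifier's error to the process exit status.
func exitCode(err error) int {
	if err != nil {
		return 1
	}
	return 0
}

func main() {
	empty := &signedData{} // constructed input: valid structure, no certificates
	fmt.Println("unchecked verifier + swallowing wrap :", exitCode(wrapSwallow(func() error { return verifyUnchecked(empty) })))
	fmt.Println("unchecked verifier + propagating wrap:", exitCode(wrapPropagate(func() error { return verifyUnchecked(empty) })))
	fmt.Println("checked verifier   + swallowing wrap :", exitCode(wrapSwallow(func() error { return verifyChecked(empty) })))
}
```

Only the first combination yields exit 0 on the empty certificate set; either fix alone closes that path, and a defensive code base applies both, since a swallowing `recover()` will hide the next unguarded index just as well.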
Official resources
- CVE-2026-44310 CVE record (CVE.org)
- CVE-2026-44310 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-15