A vulnerability in Gitsign versions 0.4.0 through 0.14.x allows an attacker to craft a CMS/PKCS7 signed message with an empty certificate set that causes a panic during verification. Due to improper error handling in the verification code path, this panic is silently recovered and the process exits with code 0, causing automated verification systems to incorrectly interpret the failed verification as succ [truncated]
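The swallowed-panic failure mode described above, as an added Go example that is not Gitsign's own code: `signedMessage`, `verifySigner`, `verifyLossy`, `verifySafe` and `exitCode` are constructed stand-ins that show the recover-and-return-nil pattern beside a fail-closed version that maps every error, including a recovered panic, to a non-zero exit status.

```go
package main

import (
	"crypto/x509"
	"errors"
	"fmt"
)

// Constructed stand-in for a parsed CMS/PKCS7 SignedData; only the
// certificate set, the part relevant to the bug, is modelled.
type signedMessage struct {
	Certificates []*x509.Certificate
}

// Faulty code path: indexes the first certificate unconditionally, so an empty set panics.
func verifySigner(m *signedMessage) error {
	if m.Certificates[0] == nil { // index out of range when the set is empty
		return errors.New("nil signer certificate")
	}
	return nil
}

// Vulnerable pattern: recover() swallows the panic, the zero-value nil error
// is returned, and the caller reads that as "signature verified".
func verifyLossy(m *signedMessage) (err error) {
	defer func() { _ = recover() }()
	return verifySigner(m)
}

// Hardened pattern: reject an empty set up front, and turn any recovered panic
// into a non-nil error through the named return value.
func verifySafe(m *signedMessage) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("verification panicked: %v", r)
		}
	}()
	if len(m.Certificates) == 0 {
		return errors.New("signed message carries no certificates")
	}
	return verifySigner(m)
}

// Exit status an automated gate should see: only a nil error yields 0.
func exitCode(err error) int {
	if err != nil {
		return 1
	}
	return 0
}
```

With an empty certificate set, `verifyLossy` yields exit status 0 (the bypass the advisory describes) while `verifySafe` yields 1.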
## Summary

Gitsign versions prior to 0.16.0 contain a signature verification bypass vulnerability. The `gitsign verify` and `gitsign verify-tag` commands re-encode Git commit and tag objects through go-git's `EncodeWithoutSignature` before signature verification, rather than verifying against raw object bytes. This creates a semantic mismatch: malformed objects with duplicate tree headers are parsed diffe [truncated]