3 matches found
CVE-2026-44309
A flaw was found in gitsign, a tool used for signing Git commits. This vulnerability, affecting the verify and verify-tag functions, occurs because gitsign re-encodes commit and tag objects before validating their signatures. A remote attacker could exploit this by crafting a malformed git object...
UBUNTU-CVE-2026-44309
Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. Prior to 0.16.0, gitsign verify and gitsign verify-tag re-encode commit/tag objects through go-git's EncodeWithoutSignature before checking the signature, instead of verifying against the raw git...
CVE-2026-44309 gitsign verify accepts signatures over go-git-normalized bytes, enabling trust confusion on malformed commits
Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. Prior to 0.16.0, gitsign verify and gitsign verify-tag re-encode commit/tag objects through go-git's EncodeWithoutSignature before checking the signature, instead of verifying against the raw git...