GHSA-8pmp-678w-c8xx

Summary

gitsign may select the wrong Rekor entry to use during online verification when multiple entries are returned by the log.

Details

gitsign uses Rekor's search API to fetch entries that apply to a signature being verified. The parameters used for the search are the public key and the payload. The search API returns entries that match either condition rather than both. When gitsign's credential cache is used, there can be multiple entries that use the same ephemeral keypair / signing certificate. As gitsign assumes both conditions are matched by Rekor, there is no additional validation that the entry's hash matches the payload being verified, meaning that the wrong entry can be used to successfully pass verification.

PoC

Enable the credential cache and create commit signatures using the cached signing certificate. gitsign verify or git log --show-signature will demonstrate the use of the wrong entry index for the corresponding commit. Note that this depends on the order of matching entries in the response from the Rekor search API, so it may take a few attempts to trigger this.

Impact

Minimal. While gitsign does not match the payload against the entry, it does ensure that the certificate matches. This would need to be exploited during the certificate validity window (10 minutes) by the key holder.