GHSA-8pmp-678w-c8xx: gitsign may use incorrect Rekor entries during verification
gitsign may select the wrong Rekor entry to use during online verification when multiple entries are returned by the log.