MEDIUM 5.4  CVE-2026-44310
  gitsign --verify panics on empty-certificate PKCS7 and exits 0, bypassing exit-code callers
  github.com/sigstore/gitsign: >= 0.4.0, < 0.15.0

MEDIUM 5.3  CVE-2026-44309
  gitsign verify accepts signatures over go-git-normalized bytes, enabling trust confusion on malformed commits
  github.com/sigstore/gitsign: from 0, < 0.16.0

MEDIUM 4.2  CVE-2023-47122
  Gitsign's Rekor public keys fetched from upstream API instead of local TUF client
  github.com/sigstore/gitsign: >= 0.6.0, < 0.8.0
—  (no severity score listed; no CVE listed)
  gitsign may use incorrect Rekor entries during verification
  github.com/sigstore/gitsign: from 0, < 0.11.0
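Every entry in this listing is a version range against github.com/sigstore/gitsign, so the first thing a practitioner wants is to know whether an installed gitsign falls inside any of them. The Go program below is an added example, not gitsign's own code and not taken from the advisory pages: it encodes the rows above as data and reports which ones apply to a given version string. The version string is assumed to be supplied by the caller (for instance copied from the output of `gitsign version`); the page's "from 0" is encoded as a lower bound of 0, meaning every release before the fix.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Advisory is one row of the listing as structured data. MinIncl "0" mirrors the
// page's "from 0" (every release before the fix); MaxExcl is the first fixed release.
type Advisory struct {
	ID       string  // CVE identifier, empty where the page lists none
	Severity string  // "MEDIUM", or empty where the page shows no rating
	Score    float64 // CVSS base score as shown, 0 where the page shows none
	Title    string
	MinIncl  string
	MaxExcl  string
}

// Advisories mirrors the gitsign listing above (data copied from the page, not fetched).
var Advisories = []Advisory{
	{"CVE-2026-44310", "MEDIUM", 5.4, "gitsign --verify panics on empty-certificate PKCS7 and exits 0, bypassing exit-code callers", "0.4.0", "0.15.0"},
	{"CVE-2026-44309", "MEDIUM", 5.3, "gitsign verify accepts signatures over go-git-normalized bytes, enabling trust confusion on malformed commits", "0", "0.16.0"},
	{"CVE-2023-47122", "MEDIUM", 4.2, "Gitsign's Rekor public keys fetched from upstream API instead of local TUF client", "0.6.0", "0.8.0"},
	{"", "", 0, "gitsign may use incorrect Rekor entries during verification", "0", "0.11.0"},
}

// Label is the CVE when there is one, otherwise the title (the fourth row has no CVE on the page).
func (a Advisory) Label() string {
	if a.ID != "" {
		return a.ID
	}
	return a.Title
}

// parseVersion turns "v0.14.2", "0.14" or "0.15.0-rc1" into three numeric parts.
// Pre-release/build suffixes are dropped, so "0.15.0-rc1" is treated as 0.15.0;
// strict SemVer would order it before 0.15.0, a simplification chosen for this example.
func parseVersion(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) > 3 {
		return out, fmt.Errorf("malformed version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return out, fmt.Errorf("malformed version %q: component %q", v, p)
		}
		out[i] = n
	}
	return out, nil
}

// compareVersions returns -1, 0 or 1 as a is below, equal to or above b.
func compareVersions(a, b [3]int) int {
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			if a[i] < b[i] {
				return -1
			}
			return 1
		}
	}
	return 0
}

// Affected returns every listed advisory whose [MinIncl, MaxExcl) range contains version.
func Affected(version string) ([]Advisory, error) {
	v, err := parseVersion(version)
	if err != nil {
		return nil, err
	}
	var hits []Advisory
	for _, a := range Advisories {
		lo, errLo := parseVersion(a.MinIncl)
		hi, errHi := parseVersion(a.MaxExcl)
		if errLo != nil || errHi != nil {
			return nil, fmt.Errorf("bad range in advisory %q", a.Label())
		}
		if compareVersions(v, lo) >= 0 && compareVersions(v, hi) < 0 {
			hits = append(hits, a)
		}
	}
	return hits, nil
}

// AffectedLabels reduces Affected to a comma-separated list of labels, in listing order.
func AffectedLabels(version string) (string, error) {
	hits, err := Affected(version)
	if err != nil {
		return "", err
	}
	labels := make([]string, 0, len(hits))
	for _, a := range hits {
		labels = append(labels, a.Label())
	}
	return strings.Join(labels, ","), nil
}

func main() {
	// Constructed sample versions; in practice pass the string reported by `gitsign version`.
	for _, v := range []string{"0.7.1", "0.14.2", "0.15.0", "0.16.0"} {
		labels, err := AffectedLabels(v)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		if labels == "" {
			labels = "(none of the listed advisories)"
		}
		fmt.Printf("gitsign %s: %s\n", v, labels)
	}
}
```

The check is deliberately fail-closed on input it cannot parse: a malformed version string is an error, not "no advisories apply". Note also that 0.15.0 still matches CVE-2026-44309, since that range runs to 0.16.0; a gate that only looks at the highest-scored entry would miss it.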