Gitsign's Rekor public keys fetched from upstream API instead of local TUF client.

Gitsign is software for keyless Git signing using Sigstore. In versions of gitsign starting with 0.6.0 and prior to 0.8.0, Rekor public keys were fetched via the Rekor API, instead of through the local TUF client. If the upstream Rekor server happened to be compromised, gitsign clients could potentially be tricked into trusting incorrect signatures. There is no known compromise the default public good instance (`rekor.sigstore.dev`) - anyone using this instance is unaffected. This issue was fixed in v0.8.0. No known workarounds are available.

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N

密码学签名的验证不恰当

Gitsign 安全漏洞

Gitsign是Gitsign个人开发者的一个能够免密钥完成对Git提交进行签名的工具。 Gitsign 0.6.0版本至0.8.0之前版本存在安全漏洞，该漏洞源于Rekor公钥是通过Rekor API获取的，而不是通过本地TUF客户端获取，可能会被欺骗而信任不正确的签名。

N/A

N/A