Gitsign Signature Verification Vulnerability Leading to Trust Confusion

Vulnerability

A vulnerability exists in Gitsign, a tool for signing Git commits using a GitHub or OIDC identity, in versions prior to 0.16.0. The 'gitsign verify' and 'gitsign verify-tag' commands re-encode commit and tag objects with go-git's 'EncodeWithoutSignature' method before verifying the signature, so the signature is checked against the re-encoded bytes rather than the raw Git object bytes. For malformed objects with duplicate tree headers this creates a discrepancy: Git-core and go-git interpret such objects differently, so a signature that Gitsign reports as valid does not necessarily cover the content Git-core presents to users. The integrity of the signature verification process is therefore compromised.

Impact

Exploitation of this vulnerability allows a verified signature to incorrectly endorse content that differs from what Git-core recognizes, creating trust confusion. Additionally, an attacker can replay existing Gitsign signatures over crafted commits that Git-core interprets differently, without needing a signing key. This manipulation also causes inconsistencies in the object hash logged in Rekor, disrupting the integrity of the transparency log.

Reproduction

The vulnerability can be reproduced by creating a malformed commit object that includes duplicate tree headers, with one tree header pointing to attacker-controlled content. After crafting this commit, it can be added to a Git repository. When 'gitsign verify' is run on this commit, the verification will incorrectly succeed, while 'git verify-commit' will fail, highlighting the divergence caused by the vulnerability.
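As an added, defender-side illustration (not Gitsign's or go-git's own code), the following Go check parses the raw commit bytes that Git-core would hash, as printed by 'git cat-file commit', and rejects objects whose header set is ambiguous before any signature is examined. The sample objects and their hashes are constructed placeholders.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
)

// CheckCommitHeaders parses the header block of a raw Git commit object (the
// bytes `git cat-file commit <sha>` prints, with no loose-object prefix) and
// rejects objects with a second "tree" header; counts are returned for logging.
func CheckCommitHeaders(raw []byte) (map[string]int, error) {
	counts := map[string]int{}
	end := bytes.Index(raw, []byte("\n\n")) // headers stop at the first blank line
	if end < 0 {
		return counts, fmt.Errorf("malformed commit: no blank line before message")
	}
	for _, line := range strings.Split(string(raw[:end]), "\n") {
		if strings.HasPrefix(line, " ") { // continuation of previous header (e.g. gpgsig body)
			continue
		}
		parts := strings.SplitN(line, " ", 2)
		if len(parts) != 2 || parts[0] == "" {
			return counts, fmt.Errorf("malformed commit: header without value: %q", line)
		}
		counts[parts[0]]++
	}
	if counts["tree"] != 1 {
		return counts, fmt.Errorf("malformed commit: expected one tree header, found %d", counts["tree"])
	}
	for _, h := range []string{"author", "committer", "gpgsig"} { // parent may repeat (merges)
		if counts[h] > 1 {
			return counts, fmt.Errorf("malformed commit: header %q repeated %d times", h, counts[h])
		}
	}
	return counts, nil
}

// Constructed sample objects with placeholder hashes; these are not real commits.
var hash = strings.Repeat("a", 40)
var GoodCommit = []byte("tree " + hash + "\nauthor A <a@example.test> 0 +0000\ncommitter A <a@example.test> 0 +0000\n\nmsg\n")
var DuplicateTreeCommit = []byte("tree " + hash + "\ntree " + strings.Repeat("b", 40) + "\nauthor A <a@example.test> 0 +0000\ncommitter A <a@example.test> 0 +0000\n\nmsg\n")

func main() {
	for name, obj := range map[string][]byte{"good": GoodCommit, "duplicate-tree": DuplicateTreeCommit} {
		_, err := CheckCommitHeaders(obj)
		fmt.Printf("%s: err=%v\n", name, err)
	}
}
```

Running this check on the raw object before calling any signature verifier means a Gitsign and a Git-core result cannot disagree about which tree the signature covers.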

Remediation

Users are advised to update Gitsign to version 0.16.0 or later, where this vulnerability has been fixed.

Added: May 15, 2026, 5:28 PM
Updated: May 15, 2026, 5:28 PM

Vulnerability Rating

Custom Algorithm

spread: 1.2
impact: 2.5
exploitability: 5.6
remediation: 7.7
relevance: 8.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.