sigstore gitsign
cpe:2.3:a:sigstore:gitsign:*:*:*:*:go:*:*
- >= v0.4.0
A vulnerability exists in Gitsign versions 0.4.0 up to but not including 0.15.0: the certificate verification in 'pkg/git/verifier.go' mishandles an empty certificate set. 'CertVerifier.Verify()' unconditionally accesses 'certs[0]' after calling 'sd.GetCertificates()', without checking the length of the returned slice. A CMS/PKCS7 signed message that carries no certificates is structurally valid, so this produces an 'index out of range' panic. In GPG-compatible mode the panic is silently recovered and converted into a nil error, so the program exits with a success code and misleads verification workflows that rely solely on the exit code.
Exploitation of this vulnerability causes a panic due to an invalid index access, which is then recovered silently, allowing the process to exit with a success code. This bypasses proper verification for signatures stripped of certificates, making them appear valid. Additionally, the panic disrupts normal verification output, which could be problematic for users relying on automated scripts or CI pipelines.
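The following added example is not gitsign's code; it is a simplified model of the defect described above, placing the unchecked 'certs[0]' access beside the hardened form, and a hypothetical GPG-compatible wrapper ('gpgCompatExit') that shows why a recovered panic turns into exit code 0.

```go
package main

import (
	"crypto/x509"
	"errors"
)

// verifyUnchecked mirrors the defective pattern described above: the first
// certificate is read without checking the slice length, so an empty
// certificate set (structurally valid CMS) triggers an index-out-of-range panic.
func verifyUnchecked(certs []*x509.Certificate) (*x509.Certificate, error) {
	return certs[0], nil // panics when len(certs) == 0
}

// verifyChecked is the hardened form: an empty set is rejected explicitly
// instead of being dereferenced.
func verifyChecked(certs []*x509.Certificate) (*x509.Certificate, error) {
	if len(certs) == 0 {
		return nil, errors.New("signed message carries no certificates")
	}
	return certs[0], nil
}

// gpgCompatExit is a hypothetical stand-in for a GPG-compatible wrapper that
// recovers panics and maps a nil error to exit code 0. With verifyUnchecked
// the panic is swallowed before err is ever assigned, so the process reports
// success for a signature that was never actually verified.
func gpgCompatExit(verify func([]*x509.Certificate) (*x509.Certificate, error),
	certs []*x509.Certificate) (code int) {
	var err error
	func() {
		defer func() { _ = recover() }() // swallowed panic leaves err == nil
		_, err = verify(certs)
	}()
	if err != nil {
		return 1
	}
	return 0
}

func main() {
	var empty []*x509.Certificate // constructed input: a signature whose certificate set is absent
	println("unchecked verifier exit code:", gpgCompatExit(verifyUnchecked, empty)) // 0
	println("checked verifier exit code:", gpgCompatExit(verifyChecked, empty))     // 1
}
```

A CI step that only tests the exit code cannot tell the first case from a genuine verification; the hardened verifier returns an error, so the wrapper reports failure as it should.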
To reproduce this vulnerability, create a CMS/PKCS7 signed message that intentionally omits the certificate set. This can be done by stripping the certificates from a valid Gitsign signature using available ASN.1 tooling, and then reattaching the signature to a commit in a Git repository. Once the commit is pushed to an accessible repository, the vulnerability can be triggered by running 'gitsign --verify' or 'git verify-commit' on the affected commit, which will result in a panic due to the empty certificate set. The process will exit with code 0, falsely indicating a successful verification.
Users can upgrade to Gitsign version 0.15.0 or later, where this vulnerability has been fixed.