Sigstore Gitsign
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Sigstore Gitsign.
By the Year
In 2026 there have been 0 vulnerabilities in Sigstore Gitsign. Gitsign did not have any published security vulnerabilities last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 0 | 0.00 |
| 2024 | 0 | 0.00 |
| 2023 | 1 | 5.30 |
It may take a day or so for new Gitsign vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Sigstore Gitsign Security Vulnerabilities
gitsign 0.6<0.8 Keyless Git Signing Trust Hijack via Compromised Rekor API
CVE-2023-47122
5.3 - Medium
- November 10, 2023
Gitsign is software for keyless Git signing using Sigstore. In versions of gitsign starting with 0.6.0 and prior to 0.8.0, Rekor public keys were fetched via the Rekor API, instead of through the local TUF client. If the upstream Rekor server happened to be compromised, gitsign clients could potentially be tricked into trusting incorrect signatures. There is no known compromise the default public good instance (`rekor.sigstore.dev`) - anyone using this instance is unaffected. This issue was fixed in v0.8.0. No known workarounds are available.
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Sigstore Gitsign or by Sigstore? Click the Watch button to subscribe.
