gitsign - Debian Package Tracker

general

source: gitsign (main)
version: 0.13.0-4
maintainer: Debian Go Packaging Team (DMD)
uploaders: Simon Josefsson [DMD]
arch: all any
std-ver: 4.7.3
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

stable: 0.13.0-2
testing: 0.13.0-4
unstable: 0.13.0-4
exp: 0.14.0-1~exp0

versioned links

0.13.0-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.13.0-4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.14.0-1~exp0: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

gitsign
golang-github-sigstore-gitsign-dev

action needed

Marked for autoremoval on 21 June due to docker.io: #1136031 high

Version 0.13.0-4 of gitsign is marked for autoremoval from testing on Sun 21 Jun 2026. It depends (transitively) on docker.io, affected by #1136031. You should try to prevent the removal by fixing these RC bugs.

Created: 2026-05-15 Last update: 2026-05-22 22:18

A new upstream version is available: 0.16.0 high

A new upstream version 0.16.0 is available, you should consider packaging it.

Created: 2026-02-19 Last update: 2026-05-22 19:30

The VCS repository is not up to date, push the missing commits. high

vcswatch reports that the current version of the package is not in its VCS.
Either you need to push your commits and/or your tags, or the information about the package's VCS are out of date. A common cause of the latter issue when using the Git VCS is not specifying the correct branch when the packaging is not in the default one (remote HEAD branch), which is usually "master" but can be modified in salsa.debian.org in the project's general settings with the "Default Branch" field). Alternatively the Vcs-Git field in debian/control can contain a "-b <branch-name>" suffix to indicate what branch is used for the Debian packaging.

Created: 2026-03-15 Last update: 2026-05-17 10:34

2 security issues in trixie high

There are 2 open security issues in trixie.

2 important issues:

CVE-2026-44309: Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. Prior to 0.16.0, gitsign verify and gitsign verify-tag re-encode commit/tag objects through go-git's EncodeWithoutSignature before checking the signature, instead of verifying against the raw git object bytes. For malformed objects with duplicate tree headers, git-core and go-git parse different trees: git-core uses the first, go-git uses the second. A signature crafted over the go-git-normalized form (second tree) passes gitsign verify while git-core resolves the commit to a completely different tree. This breaks the invariant that a verified signature, the commit semantics git-core presents to users, and the object hash logged in Rekor all refer to the same content. This vulnerability is fixed in 0.16.0.
CVE-2026-44310: Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. From 0.4.0 to before 0.15.0, CertVerifier.Verify() in pkg/git/verifier.go unconditionally dereferences certs[0] after sd.GetCertificates() without checking the slice length. A CMS/PKCS7 signed message with an empty certificate set is a structurally valid DER payload; GetCertificates() returns an empty slice with no error, causing an immediate index-out-of-range panic. On the gitsign --verify code path (the GPG-compatible mode invoked by git verify-commit), the panic is silently recovered by internal/io/streams.go's Wrap() function, which returns nil instead of an error. main.go then exits with code 0, causing exit-code-only verification callers to interpret the failed verification as success. This vulnerability is fixed in 0.15.0.

Created: 2026-05-15 Last update: 2026-05-16 05:16

2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:

CVE-2026-44309: Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. Prior to 0.16.0, gitsign verify and gitsign verify-tag re-encode commit/tag objects through go-git's EncodeWithoutSignature before checking the signature, instead of verifying against the raw git object bytes. For malformed objects with duplicate tree headers, git-core and go-git parse different trees: git-core uses the first, go-git uses the second. A signature crafted over the go-git-normalized form (second tree) passes gitsign verify while git-core resolves the commit to a completely different tree. This breaks the invariant that a verified signature, the commit semantics git-core presents to users, and the object hash logged in Rekor all refer to the same content. This vulnerability is fixed in 0.16.0.
CVE-2026-44310: Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. From 0.4.0 to before 0.15.0, CertVerifier.Verify() in pkg/git/verifier.go unconditionally dereferences certs[0] after sd.GetCertificates() without checking the slice length. A CMS/PKCS7 signed message with an empty certificate set is a structurally valid DER payload; GetCertificates() returns an empty slice with no error, causing an immediate index-out-of-range panic. On the gitsign --verify code path (the GPG-compatible mode invoked by git verify-commit), the panic is silently recovered by internal/io/streams.go's Wrap() function, which returns nil instead of an error. main.go then exits with code 0, causing exit-code-only verification callers to interpret the failed verification as success. This vulnerability is fixed in 0.15.0.

Created: 2026-05-15 Last update: 2026-05-16 05:16

2 security issues in forky high

There are 2 open security issues in forky.

2 important issues:

CVE-2026-44309: Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. Prior to 0.16.0, gitsign verify and gitsign verify-tag re-encode commit/tag objects through go-git's EncodeWithoutSignature before checking the signature, instead of verifying against the raw git object bytes. For malformed objects with duplicate tree headers, git-core and go-git parse different trees: git-core uses the first, go-git uses the second. A signature crafted over the go-git-normalized form (second tree) passes gitsign verify while git-core resolves the commit to a completely different tree. This breaks the invariant that a verified signature, the commit semantics git-core presents to users, and the object hash logged in Rekor all refer to the same content. This vulnerability is fixed in 0.16.0.
CVE-2026-44310: Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. From 0.4.0 to before 0.15.0, CertVerifier.Verify() in pkg/git/verifier.go unconditionally dereferences certs[0] after sd.GetCertificates() without checking the slice length. A CMS/PKCS7 signed message with an empty certificate set is a structurally valid DER payload; GetCertificates() returns an empty slice with no error, causing an immediate index-out-of-range panic. On the gitsign --verify code path (the GPG-compatible mode invoked by git verify-commit), the panic is silently recovered by internal/io/streams.go's Wrap() function, which returns nil instead of an error. main.go then exits with code 0, causing exit-code-only verification callers to interpret the failed verification as success. This vulnerability is fixed in 0.15.0.

Created: 2026-05-15 Last update: 2026-05-16 05:16

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.3).

Created: 2026-03-31 Last update: 2026-03-31 15:01

news

[rss feed]

[2026-03-25] gitsign 0.13.0-4 MIGRATED to testing (Debian testing watch)
[2026-03-15] Accepted gitsign 0.14.0-1~exp0 (source) into experimental (Simon Josefsson)
[2026-02-18] Accepted gitsign 0.13.0-4 (source) into unstable (Simon Josefsson)
[2026-02-18] Accepted gitsign 0.13.0-4~exp0 (source) into experimental (Simon Josefsson)
[2025-10-24] gitsign 0.13.0-3 MIGRATED to testing (Debian testing watch)
[2025-10-08] Accepted gitsign 0.13.0-3 (source) into unstable (Simon Josefsson)
[2025-06-07] gitsign 0.13.0-2 MIGRATED to testing (Debian testing watch)
[2025-06-02] Accepted gitsign 0.13.0-2 (source) into unstable (Simon Josefsson)
[2025-04-13] gitsign 0.13.0-1 MIGRATED to testing (Debian testing watch)
[2025-04-10] Accepted gitsign 0.13.0-1 (source) into unstable (Simon Josefsson)
[2025-02-19] gitsign 0.12.0-4 MIGRATED to testing (Debian testing watch)
[2025-02-14] Accepted gitsign 0.12.0-4 (source) into unstable (Simon Josefsson)
[2025-01-29] gitsign 0.12.0-3 MIGRATED to testing (Debian testing watch)
[2025-01-22] Accepted gitsign 0.12.0-3 (source) into unstable (Simon Josefsson)
[2025-01-21] Accepted gitsign 0.12.0-2 (source) into unstable (Simon Josefsson)
[2025-01-21] Accepted gitsign 0.12.0-1 (source amd64 all) into unstable (Debian FTP Masters) (signed by: Simon Josefsson)
[2025-01-20] Accepted gitsign 0.11.0-1 (source amd64 all) into experimental (Debian FTP Masters) (signed by: Simon Josefsson)

bugs [bug history graph]

all: 1
RC: 0
I&N: 1
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian
buildd: logs, exp, reproducibility, cross
popcon
browse source code
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 0.13.0-4