GHSA-qqw8-7c2r-jxchLowCVSS 2.0

Sigstore Java has a vulnerability with bundle verification of integratedTime

Published
June 30, 2026
Last Modified
June 30, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

Regression: Verification of integratedTime from Rekor V1 Log Entry against Fuclio Certificate validity was missing

Details

  • PR #1008 erroneously removed verification of the integrated (Rekor entry) time) against the Fulcio certificate.
  • PR #1185 re-added this verification with enhancements that adhere to the Sigstore verification spec.
  • old sigstore-conformance test for this check was built incorrectly

PoC

A new bundle was added to sigstore-conformance to test this: sigstore-java:2.0.0 can be tested against it and shown to be unexpectedly passing Verify this bundle against a.txt

$ git clone [email protected]:sigstore/sigstore-java
$ git checkout v2.0.0
$ ./gradlew :sigstore-cli:build
$ tar -xf sigstore-cli/build/distributions/sigstore-cli-*-SNAPSHOT.tar --strip-components 1
$ ./bin/sigstore-cli verify --bundle=bundle.sigstore.json a.txt
# expect error but none

Impact

This vulnerability impacts only users verifying bundles with dev.sigstore:sigstore-java:2.0.0. Older versions are not affected, it is fixed in dev.sigstore:sigstore-java:2.1.0

A malicious actor may exploit this if they were able to access a users system and exfiltrate the temporary private key used during signing and then reuse an old fulcio certificate later without requiring direct access to the user's credentials.

Users may protect themselves by re-verifying their artifacts using the newest sigstore-java or another current sigstore client. Transparency logs may also be audited for unauthorized signatures for a suspected reused identity.

🎯 Affected products1

  • maven/dev.sigstore:sigstore-java:= 2.0.0

🔗 References (6)