CVE Reports

Posted on • Originally published at cvereports.com

GHSA-H829-5CG7-6HFF: Improper Tag Signature Verification in Gitverify

Vulnerability ID: GHSA-H829-5CG7-6HFF
CVSS Score: 5.3
Published: 2026-04-24

The gitverify tool contains a logic inversion in its tag signature verification routine: the check in validateTag rejected an unsigned annotated tag only when the repository policy did not require signed tags, so a policy that does require them was never enforced. This flaw allows unsigned annotated Git tags to bypass security policies intended to enforce cryptographic signatures.

TL;DR

A logic inversion in gitverify allows unsigned annotated Git tags to bypass security policies. Attackers can inject unsigned references into supply chains relying on this tool for integrity verification.


Technical Details

  • CWE ID: CWE-347
  • Secondary CWE: CWE-697
  • Attack Vector: Network
  • CVSS Score: 5.3
  • Impact: Integrity Bypass
  • Exploit Status: None

Affected Systems

  • github.com/supply-chain-tools/gitverify
  • gitverify: < c2c60da05d5c73621d0ce7ea02770bacd79ec8b1 (Fixed in: c2c60da05d5c73621d0ce7ea02770bacd79ec8b1)

Code Analysis

Commit: c2c60da

Fix logic inversion in tag signature verification

--- a/gitverify/verify.go
+++ b/gitverify/verify.go
@@ -711,7 +711,7 @@ func validateTag(tag *plumbing.Reference, state *gitkit.RepoState, repoConfig *R
                    return err
                }
            case SignatureTypeNone:
-               if !repoConfig.requireSignedTags {
+               if repoConfig.requireSignedTags {
                    return fmt.Errorf("unsigned annotated tag: %s", t.Name)
                }
            default:
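Review bot: the inverted condition is the right fix (before this hunk, an unsigned annotated tag was rejected only when requireSignedTags was false, which is the opposite of the policy), but the hunk carries no accompanying test; a table-driven test covering both branches, an unsigned annotated tag under requireSignedTags true returning the "unsigned annotated tag" error and under requireSignedTags false passing, would stop the inversion from silently coming back in a later refactor.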

Mitigation Strategies

  • Update the github.com/supply-chain-tools/gitverify package to the patched version.
  • Implement independent commit signature verification in CI/CD pipelines as a defense-in-depth measure.

Remediation Steps:

  1. Identify all projects and pipelines utilizing the github.com/supply-chain-tools/gitverify package.
  2. Update the package dependency to include commit c2c60da05d5c73621d0ce7ea02770bacd79ec8b1.
  3. Recompile any static binaries that incorporate the gitverify library.
  4. Verify the fix by pushing an unsigned annotated tag to a test repository and confirming that gitverify correctly rejects it.
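To make the inversion concrete before and after the patch, here is an added, self-contained Go model of the check (not gitverify's own code): the types, the `RequireSignedTags` field name and the two `validateTag*` functions are constructed simplifications of the `SignatureTypeNone` case shown in the hunk, and signed tags are treated as already verified.

```go
package main

import (
	"errors"
	"fmt"
)

// SignatureType is a constructed stand-in for gitverify's signature classification.
type SignatureType int

const (
	SignatureTypeNone SignatureType = iota
	SignatureTypeSSH
)

// RepoConfig carries only the policy flag this advisory is about (constructed).
type RepoConfig struct {
	RequireSignedTags bool
}

// AnnotatedTag is a minimal stand-in for the tag object being validated (constructed).
type AnnotatedTag struct {
	Name    string
	SigType SignatureType
}

var ErrUnsignedTag = errors.New("unsigned annotated tag")

// validateTagVulnerable reproduces the pre-fix inversion: an unsigned tag is
// rejected only when the policy does NOT require signatures, so a repository
// that enforces signed tags silently accepts unsigned ones.
func validateTagVulnerable(t AnnotatedTag, cfg RepoConfig) error {
	if t.SigType == SignatureTypeNone && !cfg.RequireSignedTags {
		return fmt.Errorf("%w: %s", ErrUnsignedTag, t.Name)
	}
	return nil
}

// validateTagFixed applies the corrected condition from commit c2c60da:
// an unsigned tag is an error exactly when the policy requires signatures.
func validateTagFixed(t AnnotatedTag, cfg RepoConfig) error {
	if t.SigType == SignatureTypeNone && cfg.RequireSignedTags {
		return fmt.Errorf("%w: %s", ErrUnsignedTag, t.Name)
	}
	return nil
}

func main() {
	unsigned := AnnotatedTag{Name: "v1.0.0", SigType: SignatureTypeNone}
	strict := RepoConfig{RequireSignedTags: true}
	fmt.Println("vulnerable:", validateTagVulnerable(unsigned, strict)) // <nil>: bypass
	fmt.Println("fixed:", validateTagFixed(unsigned, strict))           // error: rejected
}
```

Running the fixed variant against an unsigned tag under a strict policy is the same check as remediation step 4, just without a live repository.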


Read the full report for GHSA-H829-5CG7-6HFF on our website for more details including interactive diagrams and full exploit analysis.
