
gitsign/0.13.0-r7: cve remediation #78092

Open
octo-sts[bot] wants to merge 1 commit into main from
cve-gitsign-0.13.0-r7-8eeb2b41193160bbd772cb8a120a4a8f

Conversation

@octo-sts
Contributor

@octo-sts octo-sts bot commented Jan 14, 2026

gitsign/0.13.0-r7: fix GHSA-whqx-f9j3-ch6m

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/gitsign.advisories.yaml


"Breadcrumbs" for this automated service

Inspected git repositories: https://github.com/sigstore/gitsign/@v0.13.0

@octo-sts
Contributor Author

octo-sts bot commented Jan 14, 2026

🛑 Build Failed: Compilation

pkg/rekor/rekor.go:196:50: not enough arguments in call to cosign.VerifyTLogEntryOffline
have ("context".Context, *models.LogEntryAnon, *"github.com/sigstore/cosign/v2/pkg/cosign".TrustedTransparencyLogPubKeys)
want ("context".Context, *models.LogEntryAnon, *"github.com/sigstore/cosign/v2/pkg/cosign".TrustedTransparencyLogPubKeys, root.TrustedMaterial)

Build Details

| Category | Details |
| --- | --- |
| Build System | Go |
| Failure Point | go build command during Go compilation step |

Root Cause Analysis 🔍

API breaking changes in the cosign dependency after version bump. The cosign.VerifyTLogEntryOffline function signature has changed to require an additional root.TrustedMaterial parameter, and the sign.SignerFromKeyOpts function now returns 3 values instead of 2. This indicates the dependency updates performed by the go/bump step introduced incompatible API changes.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Suggested Changes

File: pkg/rekor/rekor.go

  • modification at line 196 (cosign.VerifyTLogEntryOffline function call)
    Original: cosign.VerifyTLogEntryOffline(ctx, entry, trustedKeys)
    Replacement: cosign.VerifyTLogEntryOffline(ctx, entry, trustedKeys, trustedMaterial)
    Content: Add the missing root.TrustedMaterial parameter to the cosign.VerifyTLogEntryOffline function call
  • addition (Import section at top of file)
    Content: Add import for root package if not already present: "github.com/sigstore/sigstore/pkg/tuf/root"
  • addition (Before line 196 or in appropriate function scope)
    Content: Initialize trustedMaterial variable, likely from existing TUF root or create new instance: trustedMaterial := &root.TrustedMaterial{} // or appropriate initialization

Analysis

No similar build failures were provided for analysis. However, based on the error message, this is a clear case of API breaking changes in the cosign dependency after version bump. The cosign.VerifyTLogEntryOffline function signature has changed to require an additional root.TrustedMaterial parameter. This is a common pattern when dependencies introduce breaking changes - function signatures are modified to include additional required parameters for enhanced functionality or security.


Explanation

The build failure is caused by an API breaking change in the cosign dependency where the VerifyTLogEntryOffline function now requires an additional root.TrustedMaterial parameter. This is a security enhancement that requires trusted material for verification. The fix involves adding the missing parameter to the function call and ensuring the appropriate trusted material is available. The trusted material typically contains root certificates and other cryptographic materials needed for verification. This change aligns with cosign v2.6.2's enhanced security model that requires explicit trusted material for verification operations.


Alternative Approaches

  • Downgrade the cosign dependency to a compatible version that maintains the old API, but this goes against Wolfi's principle of keeping packages up to date
  • Implement a compatibility layer or wrapper function that handles the API differences, but this adds unnecessary complexity
  • Use a different verification method if cosign provides alternative APIs, but this may require more extensive code changes


octo-sts bot added the ai/skip-comment ("Stop AI from commenting on PR") label on Jan 14, 2026