Skip to content

Update module github.com/sigstore/sigstore-go to v1.2.0 [SECURITY] (main)#3399

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/main-go-github.com-sigstore-sigstore-go-vulnerability
Open

Update module github.com/sigstore/sigstore-go to v1.2.0 [SECURITY] (main)#3399
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/main-go-github.com-sigstore-sigstore-go-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
github.com/sigstore/sigstore-go v1.1.4v1.2.0 age adoption passing confidence

sigstore-go has a multi-log threshold bypass via single compromised log

CVE-2026-49834 / GHSA-9vcr-p3rj-q5q6

More information

Details

Impact

What kind of vulnerability is it? Who is impacted?

A verifier configured with WithTransparencyLog(N>1) or WithSignedCertificateTimestamps(N>1) expected defense-in-depth against the compromise of a single log instance. However, threshold counting counted verified witnesses per-entry or per-validation-path rather than per-log-authority.

As a result, a single compromised transparency log could forge multiple entries with different indices, and a single compromised CT log could verify multiple times (either across multiple certificate chains or via multiple embedded SCTs), fully satisfying the multi-log threshold requirements and defeating the multi-log policy.

Note that this does not affect Cosign, as Cosign sets a threshold of 1.

Patches

Has the problem been patched? What versions should users upgrade to?

Upgrade to v1.1.5.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

There is no workaround, beyond relying on trusted logs.

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

sigstore/sigstore-go (github.com/sigstore/sigstore-go)

v1.2.0

Compare Source

What's Changed

New Contributors

Full Changelog: sigstore/sigstore-go@v1.1.4...v1.2.0


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate

renovate Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor Author

ℹ️ Artifact update notice

File name: acceptance/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 11 additional dependencies were updated

Details:

Package Change
github.com/in-toto/in-toto-golang v0.10.0 -> v0.11.0
github.com/go-chi/chi/v5 v5.2.5 -> v5.3.0
github.com/google/certificate-transparency-go v1.3.2 -> v1.3.3
github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 -> v2.29.0
github.com/in-toto/attestation v1.1.2 -> v1.2.0
github.com/sigstore/rekor-tiles/v2 v2.0.1 -> v2.2.2-0.20260601073857-5d098a2b6443
github.com/sigstore/timestamp-authority/v2 v2.0.4 -> v2.1.2
github.com/theupdateframework/go-tuf/v2 v2.4.1 -> v2.4.2-0.20260407074541-7e8f69f906ef
github.com/transparency-dev/formats v0.0.0-20251017110053-404c0d5b696c -> v0.1.1
google.golang.org/genproto/googleapis/api v0.0.0-20260414002931-afd174a4e478 -> v0.0.0-20260526163538-3dc84a4a5aaa
google.golang.org/genproto/googleapis/rpc v0.0.0-20260414002931-afd174a4e478 -> v0.0.0-20260523011958-0a33c5d7ca68

@fullsend-ai-review

fullsend-ai-review Bot commented Jul 10, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 8:43 PM UTC · Completed 8:48 PM UTC
Commit: 87c4a29 · View workflow run →

@fullsend-ai-review

fullsend-ai-review Bot commented Jul 10, 2026

Copy link
Copy Markdown

Review

Verdict: Comment — medium-severity observation, non-blocking.

This is a Renovate-generated dependency bump updating github.com/sigstore/sigstore-go from v1.1.4 to v1.2.0 in the acceptance/ sub-module to address CVE-2026-49834 (CVSS 5.9/Medium — multi-log threshold bypass via single compromised transparency log). The changes are confined to acceptance/go.mod and acceptance/go.sum, with transitive dependency updates pulled in by the new version.

The PR correctly updates the acceptance module. No source code, tests, or configuration files are modified. No secrets, injection patterns, or permission changes detected.

Findings

⚠ Medium — Incomplete security fix across modules

File: go.mod (line 333), tools/go.mod (line 483)

The root go.mod and tools/go.mod still pin github.com/sigstore/sigstore-go at v1.1.4 (as an indirect dependency), which remains affected by CVE-2026-49834. This PR only bumps the version in acceptance/go.mod.

While the vulnerability specifically requires multi-log threshold configurations (N>1) and may not be exploitable in all usage patterns, the production binary is built from the root module. No other open PR currently addresses the root module update.

Remediation: Update sigstore-go to v1.2.0 in the root go.mod and tools/go.mod as well, or confirm that a separate update is planned / these modules are unaffected by the CVE's specific preconditions.


Review dimensions
Dimension Result
Correctness ✅ No logic changes — dependency-only update
Security ⚠ Root module still references vulnerable version
Intent & coherence ✅ Mechanical Renovate update, authorization implicit
Style & conventions ✅ No style concerns — generated change
Documentation ✅ No documentation staleness — no code changes
Cross-repo contracts ✅ No exported API changes
Previous run

Review — approve

Security dependency update — sigstore-go v1.1.4 → v1.2.0 (CVE-2026-49834)

This Renovate bot PR updates sigstore-go and its transitive dependencies in the acceptance/ module to address CVE-2026-49834 (CVSS 5.9 Medium), a multi-log threshold bypass vulnerability.

What was reviewed

  • Files changed: acceptance/go.mod, acceptance/go.sum (2 files, 220+/228−)
  • Primary update: github.com/sigstore/sigstore-go v1.1.4 → v1.2.0
  • Related direct dependency updates: sigstore/rekor v1.5.0 → v1.5.2, sigstore/sigstore v1.10.5 → v1.10.8, in-toto/in-toto-golang v0.10.0 → v0.11.0, secure-systems-lab/go-securesystemslib v0.10.0 → v0.11.0, go-openapi/strfmt v0.26.1 → v0.26.3
  • Notable transitive changes: tink-crypto/tink-go-awskms/v2/v3 (major version bump), addition of filippo.io/mldsa (post-quantum signatures), removal of unused DB driver dependencies (jackc/pgx, go-sql-driver/mysql), various go-openapi package updates

Assessment

Correctness: The go.mod and go.sum changes are internally consistent. No application code is modified. Dependency resolution follows standard Go module semantics.

Security: The PR correctly patches CVE-2026-49834 in the acceptance test module. The vulnerability requires configuring WithTransparencyLog(N>1) or WithSignedCertificateTimestamps(N>1) — a pattern not used anywhere in this codebase. The main module's go.mod still carries sigstore-go v1.1.4 // indirect, but practical risk is minimal since (a) the CVE requires multi-log threshold > 1 which is not configured, and (b) the indirect dependency is pulled in through cosign/v3 which uses threshold 1.

Scope: Changes are entirely within the acceptance/ module (test infrastructure). No production code is affected.

Compatibility risk: Low. While the transitive dependency changes are extensive, they are managed by Go's module system and the acceptance test suite will validate compatibility.

Finding

Severity Category File Description
low security/dependency-lag go.mod The root module still depends on sigstore-go v1.1.4 (indirect, via cosign/v3). While CVE-2026-49834 does not practically affect this codebase (multi-log threshold > 1 is not configured), consider updating the root module's sigstore-go dependency for consistency and defense-in-depth. This may require a separate PR if cosign/v3 hasn't updated its dependency chain.

fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review fullsend-ai-review Bot added the ready-for-merge All reviewers approved — ready to merge label Jul 10, 2026
@codecov

codecov Bot commented Jul 10, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag Coverage Δ
acceptance 54.26% <ø> (+<0.01%) ⬆️
generative 16.80% <ø> (ø)
integration 27.97% <ø> (ø)
unit 71.74% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@renovate renovate Bot force-pushed the renovate/main-go-github.com-sigstore-sigstore-go-vulnerability branch from 501eda7 to 076ea61 Compare July 14, 2026 19:56
@github-actions github-actions Bot added size: L and removed size: XL labels Jul 14, 2026
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 14, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 7:57 PM UTC · Completed 8:02 PM UTC
Commit: 87c4a29 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment and removed ready-for-merge All reviewers approved — ready to merge labels Jul 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants