Skip to content

Update module github.com/sigstore/sigstore-go to v1.2.0 [SECURITY] (release-v0.8)#3400

Open
renovate[bot] wants to merge 1 commit into
release-v0.8from
renovate/release-v0.8-go-github.com-sigstore-sigstore-go-vulnerability
Open

Update module github.com/sigstore/sigstore-go to v1.2.0 [SECURITY] (release-v0.8)#3400
renovate[bot] wants to merge 1 commit into
release-v0.8from
renovate/release-v0.8-go-github.com-sigstore-sigstore-go-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
github.com/sigstore/sigstore-go v1.1.4v1.2.0 age adoption passing confidence

sigstore-go has a multi-log threshold bypass via single compromised log

CVE-2026-49834 / GHSA-9vcr-p3rj-q5q6

More information

Details

Impact

What kind of vulnerability is it? Who is impacted?

A verifier configured with WithTransparencyLog(N>1) or WithSignedCertificateTimestamps(N>1) expected defense-in-depth against the compromise of a single log instance. However, threshold counting counted verified witnesses per-entry or per-validation-path rather than per-log-authority.

As a result, a single compromised transparency log could forge multiple entries with different indices, and a single compromised CT log could verify multiple times (either across multiple certificate chains or via multiple embedded SCTs), fully satisfying the multi-log threshold requirements and defeating the multi-log policy.

Note that this does not affect Cosign, as Cosign sets a threshold of 1.

Patches

Has the problem been patched? What versions should users upgrade to?

Upgrade to v1.1.5.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

There is no workaround, beyond relying on trusted logs.

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

sigstore/sigstore-go (github.com/sigstore/sigstore-go)

v1.2.0

Compare Source

What's Changed

New Contributors

Full Changelog: sigstore/sigstore-go@v1.1.4...v1.2.0


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate

renovate Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor Author

ℹ️ Artifact update notice

File name: acceptance/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 12 additional dependencies were updated

Details:

Package Change
github.com/google/go-containerregistry v0.21.5 -> v0.21.6
github.com/in-toto/in-toto-golang v0.10.0 -> v0.11.0
github.com/go-chi/chi/v5 v5.2.5 -> v5.3.0
github.com/google/certificate-transparency-go v1.3.2 -> v1.3.3
github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 -> v2.29.0
github.com/in-toto/attestation v1.1.2 -> v1.2.0
github.com/sigstore/rekor-tiles/v2 v2.0.1 -> v2.2.2-0.20260601073857-5d098a2b6443
github.com/sigstore/timestamp-authority/v2 v2.0.4 -> v2.1.2
github.com/theupdateframework/go-tuf/v2 v2.4.1 -> v2.4.2-0.20260407074541-7e8f69f906ef
github.com/transparency-dev/formats v0.0.0-20251017110053-404c0d5b696c -> v0.1.1
google.golang.org/genproto/googleapis/api v0.0.0-20260414002931-afd174a4e478 -> v0.0.0-20260526163538-3dc84a4a5aaa
google.golang.org/genproto/googleapis/rpc v0.0.0-20260414002931-afd174a4e478 -> v0.0.0-20260523011958-0a33c5d7ca68

@fullsend-ai-review

fullsend-ai-review Bot commented Jul 10, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 8:50 PM UTC · Completed 8:54 PM UTC
Commit: 87c4a29 · View workflow run →

@fullsend-ai-review

fullsend-ai-review Bot commented Jul 10, 2026

Copy link
Copy Markdown

Review — ✅ Approve

PR: #3400 — Update module github.com/sigstore/sigstore-go to v1.2.0 [SECURITY] (release-v0.8)
Author: renovate[bot]
Base: release-v0.8

Summary

This is an automated Renovate security update bumping sigstore-go from v1.1.4 to v1.2.0 in the acceptance/ module. The update addresses CVE-2026-49834 (GHSA-9vcr-p3rj-q5q6), a multi-log threshold bypass vulnerability (CVSS 5.9, Medium) where a single compromised transparency log could forge multiple entries to satisfy multi-log threshold requirements.

Changes reviewed

File Nature
acceptance/go.mod Direct dep bump (sigstore-go v1.1.4 → v1.2.0) + transitive dep updates
acceptance/go.sum Checksum file updated to match new dependency versions

Analysis

Correctness: The changes are machine-generated by Renovate and limited to go.mod/go.sum in the acceptance/ module. Version bumps are consistent — the direct dependency (sigstore-go) and all transitive dependencies (rekor-tiles, timestamp-authority, go-tuf, certificate-transparency-go, in-toto-golang, in-toto/attestation, etc.) are updated to compatible versions. Several unused transitive dependencies were pruned (aws-sdk-go v1, jackc/pgx, go-sql-driver/mysql), which is expected when upstream cleans its dependency tree.

Security: The PR correctly addresses the CVE. The vulnerability allowed a single compromised log to bypass multi-log threshold verification — a meaningful fix for supply chain verification tooling. The update from v1.1.4 to v1.2.0 includes the patch (fix landed in v1.1.5 and is included in v1.2.0).

Scope & intent: The PR is appropriately scoped to the acceptance/ module where sigstore-go is a direct dependency. No source code changes are included, which is expected for a pure dependency version bump.

Follow-up note: The root go.mod and tools/go.mod also carry sigstore-go v1.1.4 as an indirect dependency. Since no Go source files directly import sigstore-go (it enters transitively via sigstore/cosign), the exposure through these modules depends on whether cosign's codepaths exercise the vulnerable threshold logic. A separate update for those modules would provide defense-in-depth. This is tracked as a low-severity follow-up below.

Findings

# Severity Category File Description
1 low security go.mod Root and tools/ modules still pin sigstore-go v1.1.4 (indirect). Consider a follow-up PR to bump these as well for full CVE-2026-49834 coverage across all modules.
Previous run

Review — approve

Security dependency update for CVE-2026-49834

This PR updates github.com/sigstore/sigstore-go from v1.1.4 to v1.2.0 in the acceptance submodule to address CVE-2026-49834 — a multi-log threshold bypass vulnerability (CVSS 5.9/Medium) that allows a single compromised transparency log to satisfy multi-log verification thresholds.

Changes reviewed

File Nature
acceptance/go.mod Bump sigstore-go v1.1.4 → v1.2.0 plus transitive dependency updates
acceptance/go.sum Corresponding checksum updates

Analysis

  • Correctness: The dependency update is straightforward. Only go.mod and go.sum in the acceptance/ submodule are modified — no source code changes, so there is no risk of behavioral regression from code changes. The transitive dependency version bumps (sigstore, rekor, protobuf-specs, timestamp-authority, go-openapi, otel, grpc, etc.) are consistent with the sigstore-go v1.2.0 dependency graph.
  • Security: The CVE fix is the primary motivation and is correctly addressed by this update. The fix prevents multi-log threshold bypasses where a single compromised log could forge multiple entries to satisfy defense-in-depth requirements.
  • Scope: Appropriately scoped — this only touches the acceptance test module's dependencies, which is the correct scope for a Renovate-managed module update.

Observations

Main module also depends on vulnerable version: The root go.mod lists github.com/sigstore/sigstore-go v1.1.4 as an indirect dependency. This PR does not update the root module. A separate update for the root module should be tracked to ensure the vulnerability is fully addressed across all modules.

Verdict

Approve — Clean security dependency update with no source code changes.

fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review fullsend-ai-review Bot added the ready-for-merge All reviewers approved — ready to merge label Jul 10, 2026
@codecov

codecov Bot commented Jul 10, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag Coverage Δ
acceptance 54.86% <ø> (-0.01%) ⬇️
generative 18.14% <ø> (ø)
integration 26.99% <ø> (ø)
unit 68.66% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@renovate renovate Bot force-pushed the renovate/release-v0.8-go-github.com-sigstore-sigstore-go-vulnerability branch from a523834 to d2ab8c3 Compare July 14, 2026 15:29
@github-actions github-actions Bot added size: L and removed size: XL labels Jul 14, 2026
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 14, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 3:30 PM UTC · Completed 3:34 PM UTC
Commit: 87c4a29 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot added ready-for-merge All reviewers approved — ready to merge and removed ready-for-merge All reviewers approved — ready to merge labels Jul 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ready-for-merge All reviewers approved — ready to merge release-v0.8 renovate size: L

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants