The vulnerability occurs in the CertVerifier.Verify() function of gitsign, where certs[0] is accessed without verifying that the certificate slice returned by sd.GetCertificates() is non-empty. A CMS/PKCS7 signed message with an empty certificate set is valid DER but leads to an empty slice and thus an immediate panic due to out-of-range indexing. The panic is caught and suppressed by internal/io/streams.go's Wrap() function, which returns nil instead of an error. Consequently, the main verification logic exits with code 0, causing callers relying solely on exit codes to mistakenly treat a failed verification as successful. This flaw affects gitsign versions from 0.4.0 up to 0.15.0 and was resolved in version 0.15.0.

The vulnerability causes the gitsign verification process to incorrectly report success when verification actually fails due to an empty certificate set. This can lead to false trust in Git commit signatures, undermining the integrity verification process. There is no direct confidentiality or integrity compromise from exploitation itself, but the reliability of signature verification is impacted. The CVSS score is 5.4 (medium severity), reflecting the impact on integrity and availability (due to application panic). No known exploits are reported in the wild.

This vulnerability is fixed in gitsign version 0.15.0. Users should upgrade to version 0.15.0 or later to resolve the issue. Since no official patch or advisory link is provided, verify the upgrade from the official sigstore gitsign release channels. Until upgraded, users should be aware that verification exit codes may be unreliable for affected versions. No other mitigations are indicated.