cosign's `cosign verify-attestaton --type` can report a false positive if any attestation exists

GHSA-vjxv-45g9-9296 · BIT-cosign-2022-35929 · CVE-2022-35929 · GO-2022-0758

Published Aug 10, 2022 · Modified Dec 6, 2023

Description

cosign verify-attestation used with the --type flag will report a false positive verification when:

There is at least one attestation with a valid signature
There are NO attestations of the type being verified (--type defaults to "custom")

This can happen when signing with a standard keypair and with "keyless" signing with Fulcio. Users should upgrade to cosign version 1.10.1 or greater for a patch. Currently the only workaround is to upgrade.

References

WEB https://github.com/sigstore/cosign/security/advisories/GHSA-vjxv-45g9-9296
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-35929
WEB https://github.com/sigstore/cosign/commit/c5fda01a8ff33ca981f45a9f13e7fb6bd2080b94
PACKAGE https://github.com/sigstore/cosign

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes