Security release of dev.sigstore:sigstore-java:1.2.0 is now available
Appu Goundan
Hello sigstore Community,
The Security Response Committee and maintainers of sigstore/sigstore-java would like
to announce the availability of sigstore/sigstore-java 1.2.0
This addresses the following CVE(s):
* CVE-2024-53267 (medium): Vulnerability with bundle verification (log entries) https://github.com/sigstore/sigstore-java/security/advisories/GHSA-q4xm-6fjc-5f6w
* CVE-2024-54140 (low): Vulnerability with bundle verification (checkpoints)
https://github.com/sigstore/sigstore-java/security/advisories/GHSA-jp26-88mw-89qr
...
Upgrading to 1.2.0 is encouraged to fix these issues.
**Am I vulnerable?**
Signatures produced by sigstore-java are not compromised. Projects using sigstore-java's maven and gradle signing plugins are not affected by these issues.
If your project is verifying sigstore bundles using sigstore-java before v1.2.0, you are probably vulnerable.
Check your dependencies in your java projects. For build tools, the following typically work for single module projects `./gradlew :dependencies` or `mvn dependencies:list`
**How do I mitigate the vulnerability?**
Upgrading to sigstore-java 1.2.0 should mitigate the disclosed vulnerabilities.
If you are unable to upgrade, mitigations are available on the github advisories (CVE-2024-53267) (CVE-2024-54140)
A single mitigation for both CVEs can be achieved with the following:
Path bundleFile, artifact; // provided
var bundle = Bundle.from(bundleFile, StandardCharsets.UTF_8);
var rekorEntry = bundle.getEntries().get(0);
var artifactDigest = Files.asByteSource(artifact.toFile()).hash(Hashing.sha256()).asBytes();
// do regular keyless verification
try {
var verifier = KeylessVerifier.builder().sigstorePublicDefaults().build();
verifier.verify(artifact, bundle, VerificationOptions.empty());
// verification passed!
} catch (KeylessVerificationException e) {
// verification failed
}
// compare the rekor entry to what is expected (mitigate CVE-2024-53267)
var calculatedHashedRekord =
Base64.toBase64String(
HashedRekordRequest.newHashedRekordRequest(
artifactDigest, Certificates.toPemBytes(Certificates.getLeaf(bundle.getCertPath())), bundle.getMessageSignature().get().getSignature())
.toJsonPayload()
.getBytes(StandardCharsets.UTF_8));
if (!Objects.equals(calculatedHashedRekord, rekorEntry.getBody())) {
throw new Exception("Provided verification materials are inconsistent with log entry");
}
// verify the checkpoint signature (mitigate CVE-2024-54140)
var checkpoint = rekorEntry.getVerification().getInclusionProof().parsedCheckpoint();
var signedData = Splitter.on("\n\n").splitToList(rekorEntry.getVerification().getInclusionProof().getCheckpoint()).get(0) + "\n";
var tufClient = SigstoreTufClient.builder().usePublicGoodInstance().build();
tufClient.update();
var trustedRoot = tufClient.getSigstoreTrustedRoot();
var tlog = TransparencyLog.find(trustedRoot.getTLogs(), Hex.decode(rekorEntry.getLogID()), rekorEntry.getIntegratedTimeInstant());
if (!Verifiers.newVerifier(tlog.get().getPublicKey().toJavaPublicKey()).verify(signedData.getBytes(StandardCharsets.UTF_8), checkpoint.getSignatures().get(0).getSignature())) {
throw new Exception("Checkpoint signature was invalid");
}
**How do I upgrade?**
Upgrade references of `dev.sigstore:sigstore-java:<version>` to `dev.sigstore:sigstore-java:1.2.0`