sigstore-java, Missing Verification of integratedTime against Fulcio Certificate Validity, CVE-2024-55655 (Low) -DC-Jun2026-747

Listen to this Post

How CVE-2024-55655 Works

Sigstore is a project that uses short‑lived signing keys to sign software artifacts. To verify that a signature was made while the corresponding Fulcio certificate was still valid, Sigstore clients rely on a trusted timestamp. This timestamp can come from two sources: the `integratedTime` field in a Rekor log entry (which is included in the bundle) or a separate Signed Entry Timestamp (SET) from a trusted timestamping authority.
In sigstore‑java version 2.0.0, a regression was introduced by PR 1008, which erroneously removed the verification that the `integratedTime` from a Rekor V1 log entry falls within the validity period of the Fulcio certificate. Without this check, a malicious actor who has obtained a user’s temporary signing key (e.g., by exfiltrating it from the user’s system) could reuse an old Fulcio certificate to sign artifacts long after the certificate has expired, without needing to re‑authenticate with the user’s credentials. The verifier would accept the signature because it only checks the cryptographic material and does not enforce that the timestamp is within the certificate’s validity window.
This vulnerability affects only users who verify bundles using dev.sigstore:sigstore-java:2.0.0. Older versions are not affected, and the issue is fixed in version 2.1.0, where PR 1185 re‑added and enhanced the SET verification in the KeylessVerifier. The impact is considered low because Sigstore contains other enforcing components (such as the requirement for a valid signed entry timestamp) that limit the practical exploitability. However, in scenarios where a monitor or witness relies solely on the timestamp check to detect log inconsistencies, the missing verification could allow a compromised log to present different views to different clients.

DailyCVE Form

Platform: …… sigstore-java
Version: …….. 2.0.0
Vulnerability : Missing integratedTime vs Fulcio validity
Severity: ……. Low
date: ………. 2026-05-21 (fix released)

Prediction: …. Patch expected 2026-05-21 (already in 2.1.0)

Analytics – What Undercode Say

The following commands and code snippets demonstrate how to reproduce the issue and verify that the vulnerability exists in sigstore‑java 2.0.0.

Clone the sigstore-java repository and checkout the vulnerable version
$ git clone [email protected]:sigstore/sigstore-java
$ git checkout v2.0.0
Build the CLI tool
$ ./gradlew :sigstore-cli:build
Extract the built distribution
$ tar -xf sigstore-cli/build/distributions/sigstore-cli--SNAPSHOT.tar --strip-components 1
Verify a bundle that should fail (but passes due to the missing check)
$ ./bin/sigstore-cli verify --bundle=bundle.sigstore.json a.txt
Expected: error, but none is returned

The test bundle (bundle.sigstore.json) was added to the `sigstore-conformance` suite to demonstrate that `sigstore-java:2.0.0` unexpectedly passes verification even though the `integratedTime` is outside the certificate’s validity period.

Exploit

A malicious actor who gains access to a user’s system and exfiltrates the temporary private key used during signing can reuse an old Fulcio certificate at a later time. Because sigstore‑java 2.0.0 does not verify that the Rekor `integratedTime` falls within the certificate’s validity window, the attacker can sign arbitrary artifacts using the stolen key and the expired certificate. The verifier will accept the signature as valid, even though the certificate was no longer valid at the time of the alleged signing.
This attack does not require direct access to the user’s credentials (e.g., OIDC tokens) because the attacker only needs the private key and the old certificate. The transparency log (Rekor) will show an entry with a timestamp that may be outside the certificate’s validity period, but the verifier will not flag it.

Protection

  • Upgrade to `dev.sigstore:sigstore-java:2.1.0` or later, where the verification is re‑added and enhanced.
  • If you cannot upgrade immediately, re‑verify your artifacts using a different Sigstore client (e.g., `cosign` or sigstore-python) that correctly enforces the timestamp check.
  • Audit your transparency logs for any signatures that appear to use a certificate outside its validity period. This can help detect unauthorized reuse of old certificates.

Impact

  • Affected versions: Only `dev.sigstore:sigstore-java:2.0.0` is vulnerable. Older versions are not affected, and the fix is included in 2.1.0.
  • Attack vector: An attacker with access to a user’s temporary signing key can reuse an expired Fulcio certificate to sign artifacts, bypassing the certificate validity check.
  • Consequences: The attacker can produce valid‑looking signatures without the user’s consent, potentially leading to supply‑chain attacks or impersonation.
  • Mitigating factors: The vulnerability is considered low severity because Sigstore includes other mechanisms (such as the requirement for a valid SET) that limit the exploitability. Additionally, the attacker must already have access to the user’s system to exfiltrate the private key.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top