Sigstore is not vulnerable to the psychic signature vulnerability in Java.
This repository demonstrates this in two ways:

- `cmd/uploadbadsig` attempts to upload a "psychic signature" to Rekor and fails.
- `cmd/csvcheck` takes in a CSV file containing signatures from Rekor, and scans for "psychic signatures." `signatures.csv` contains an example, including a fake psychic signature.
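As an added example in the spirit of `cmd/csvcheck` (not code from this repository), the Go snippet below parses one base64, DER-encoded ECDSA signature as Rekor stores them, flags a zero `r` or `s` (the shape the Java bug accepted for any message), and confirms that Go's `crypto/ecdsa` rejects such a signature while a genuine one verifies and is not flagged. The zero-valued signature, the P-256 key and the message are constructed here for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/asn1"
	"encoding/base64"
	"fmt"
	"math/big"
)

// ecdsaSig is the DER SEQUENCE { r INTEGER, s INTEGER } layout of an ECDSA signature.
type ecdsaSig struct{ R, S *big.Int }

// isPsychicSignature reports whether a base64 DER ECDSA signature has r == 0 or s == 0.
// A correct verifier must reject such values; the Java bug skipped that range check.
func isPsychicSignature(b64 string) (bool, error) {
	der, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return false, err
	}
	var sig ecdsaSig
	if rest, err := asn1.Unmarshal(der, &sig); err != nil || len(rest) != 0 {
		return false, fmt.Errorf("malformed DER signature: %v", err)
	}
	return sig.R.Sign() == 0 || sig.S.Sign() == 0, nil
}

// psychicSignatureB64 is the constructed test vector: r = 0 and s = 0, DER-encoded and base64'd.
func psychicSignatureB64() string {
	der, _ := asn1.Marshal(ecdsaSig{R: big.NewInt(0), S: big.NewInt(0)})
	return base64.StdEncoding.EncodeToString(der)
}

// checkVerifier signs a constructed message with a fresh P-256 key and reports that Go's
// verifier rejects the zero signature while the genuine one verifies and is not flagged.
func checkVerifier() (psychicRejected, genuineClean bool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	digest := sha256.Sum256([]byte("constructed message"))
	bad, _ := base64.StdEncoding.DecodeString(psychicSignatureB64())
	psychicRejected = !ecdsa.VerifyASN1(&key.PublicKey, digest[:], bad)
	good, _ := ecdsa.SignASN1(rand.Reader, key, digest[:])
	flagged, err := isPsychicSignature(base64.StdEncoding.EncodeToString(good))
	genuineClean = err == nil && !flagged && ecdsa.VerifyASN1(&key.PublicKey, digest[:], good)
	return psychicRejected, genuineClean
}
```

Running `isPsychicSignature` over each signature column of a Rekor CSV export is all a scanner like `cmd/csvcheck` needs on top of this.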