Sigstore Pyschic Signature Checker

Sigstore is not vulnerable to the psychic signature vulnerability in Java.

This repository demonstrates this in two ways:

cmd/uploadbadsig attempts to upload a "psychic signature" to Rekor and fails.
cmd/csvcheck takes in a CSV file containing signatures from Rekor, and scans for "psychic signatures." signatures.csv contains an example, including a fake psychic signature.

Name		Name	Last commit message	Last commit date
Latest commit History 2 Commits
cmd		cmd
.envrc		.envrc
.gitignore		.gitignore
README.md		README.md
flake.lock		flake.lock
flake.nix		flake.nix
go.mod		go.mod
go.sum		go.sum
signatures.csv		signatures.csv

Provide feedback