VYPR
Moderate severity · NVD Advisory · Published Oct 6, 2022 · Updated Apr 23, 2025

Digital Signature Hash Algorithms Not Validated in sylabs/sif

CVE-2022-39237

Description

sylabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1, the github.com/sylabs/sif/v2/pkg/integrity package did not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. A patch is available in version >= v2.8.1 of the module. Users are encouraged to upgrade. Users unable to upgrade may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SIF reference implementation did not enforce cryptographically secure hash algorithms for digital signature verification, allowing weak hashes.

In the Singularity Image Format (SIF) reference implementation, versions prior to 2.8.1, the github.com/sylabs/sif/v2/pkg/integrity package failed to verify that the hash algorithm used for metadata digests and signature hashes is cryptographically secure during digital signature verification [2][4]. This oversight allowed the use of weak or deprecated hash algorithms such as MD5 and SHA1, which are known to be vulnerable to collision attacks.

An attacker could exploit this vulnerability by crafting a SIF image with a digital signature that uses a weak hash algorithm. Since the integrity package did not reject such algorithms, the forged signature could be accepted as valid even if the underlying hash is not secure [3]. The attack requires the ability to present a malicious image to a system relying on the affected package for signature verification.

Successful exploitation could allow an attacker to bypass signature validation, enabling the distribution and execution of tampered or malicious containers. This undermines the trust guarantees provided by digital signatures in SIF images.

The issue is fixed in version v2.8.1 of the module, which now enforces the use of cryptographically secure hash algorithms [2][4]. Users are strongly advised to upgrade. Those unable to upgrade should independently validate that the hash algorithms used are cryptographically secure [2].
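
An added example (not code from sylabs/sif): one way to carry out the independent validation described above, pre-screening a clearsigned metadata block before it is handed to the verifier. The names AuditClearsigned, checkDigest and sampleMessage are hypothetical, the allow-lists copy the two lists in the fix commit, the metadata layout follows the golden files in the diff, and the sample message is constructed with a placeholder signature.

```go
package main

import (
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Allow-lists copied from the fix commit: digest names (sizes in bytes) and signature hash names.
var digestSizes = map[string]int{
	"sha224": 28, "sha256": 32, "sha384": 48, "sha512": 64,
	"sha512_224": 28, "sha512_256": 32,
}
var pgpHashes = map[string]bool{"SHA224": true, "SHA256": true, "SHA384": true, "SHA512": true}

// imageMetadata follows the JSON layout of the golden files in the diff.
type imageMetadata struct {
	Header struct {
		Digest string `json:"digest"`
	} `json:"header"`
	Objects []struct {
		DescriptorDigest string `json:"descriptorDigest"`
		ObjectDigest     string `json:"objectDigest"`
	} `json:"objects"`
}

// checkDigest appends a finding to out if the "alg:hex" string s is unacceptable.
func checkDigest(out []string, field, s string) []string {
	name, val, _ := strings.Cut(s, ":")
	size, ok := digestSizes[name]
	if !ok {
		return append(out, fmt.Sprintf("%s: digest algorithm %q not allowed", field, name))
	}
	if b, err := hex.DecodeString(val); err != nil || len(b) != size {
		return append(out, fmt.Sprintf("%s: malformed %s digest", field, name))
	}
	return out
}

// AuditClearsigned returns one finding per policy violation in a clearsigned
// metadata block; an empty result means both hash checks passed.
func AuditClearsigned(msg string) []string {
	var findings []string
	// Armor headers end at the first empty line; the signed plaintext follows.
	head, rest, _ := strings.Cut(strings.ReplaceAll(msg, "\r\n", "\n"), "\n\n")
	body, _, _ := strings.Cut(rest, "\n-----BEGIN PGP SIGNATURE-----")
	sawHash := false
	for _, line := range strings.Split(head, "\n") {
		if !strings.HasPrefix(line, "Hash:") {
			continue
		}
		sawHash = true
		for _, h := range strings.Split(line[len("Hash:"):], ",") {
			if h = strings.TrimSpace(h); !pgpHashes[h] {
				findings = append(findings, fmt.Sprintf("signature: hash %q not allowed", h))
			}
		}
	}
	if !sawHash { // RFC 4880: without a Hash header, MD5 is assumed
		findings = append(findings, "signature: no Hash header")
	}
	var md imageMetadata
	if err := json.Unmarshal([]byte(body), &md); err != nil {
		return append(findings, "metadata: "+err.Error())
	}
	findings = checkDigest(findings, "header", md.Header.Digest)
	for i, o := range md.Objects {
		findings = checkDigest(findings, fmt.Sprintf("objects[%d].descriptorDigest", i), o.DescriptorDigest)
		findings = checkDigest(findings, fmt.Sprintf("objects[%d].objectDigest", i), o.ObjectDigest)
	}
	return findings
}

// sampleMessage builds a constructed clearsigned block with a placeholder signature.
func sampleMessage(sigHash, alg string, size int) string {
	d := alg + ":" + strings.Repeat("ab", size)
	return "-----BEGIN PGP SIGNED MESSAGE-----\nHash: " + sigHash + "\n\n" +
		`{"version":1,"header":{"digest":"` + d + `"},"objects":[{"relativeId":0,` +
		`"descriptorDigest":"` + d + `","objectDigest":"` + d + `"}]}` +
		"\n-----BEGIN PGP SIGNATURE-----\n\n(placeholder)\n-----END PGP SIGNATURE-----\n"
}

func main() { fmt.Println(strings.Join(AuditClearsigned(sampleMessage("SHA1", "sha1", 20)), "\n")) }
```

This pre-screen reads only the declared Hash: header; the hash algorithm recorded inside the signature packet still has to be constrained by the OpenPGP library, as the patched CheckDetachedSignatureAndHash call does.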

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
github.com/sylabs/sif/v2 (Go) | < 2.8.1 | 2.8.1

Patches

07fb86029a12

Merge pull request from GHSA-m5m3-46gj-wch8

https://github.com/sylabs/sif · Adam Hughes · Oct 6, 2022 · via ghsa
28 files changed · +149 -73
  • pkg/integrity/clearsign.go+32 2 modified
    @@ -1,4 +1,4 @@
    -// Copyright (c) 2020, Sylabs Inc. All rights reserved.
    +// Copyright (c) 2020-2022, Sylabs Inc. All rights reserved.
     // This software is licensed under a 3-clause BSD license. Please consult the LICENSE.md file
     // distributed with the sources of this project regarding your rights to use or distribute this
     // software.
    @@ -7,6 +7,7 @@ package integrity
     
     import (
     	"bytes"
    +	"crypto"
     	"encoding/json"
     	"errors"
     	"io"
    @@ -18,9 +19,32 @@ import (
     
     var errClearsignedMsgNotFound = errors.New("clearsigned message not found")
     
    +// Hash functions specified for OpenPGP in RFC4880, excluding those that are not currently
    +// recommended by NIST.
    +var supportedPGPAlgorithms = []crypto.Hash{
    +	crypto.SHA224,
    +	crypto.SHA256,
    +	crypto.SHA384,
    +	crypto.SHA512,
    +}
    +
    +// hashAlgorithmSupported returns whether h is a supported PGP hash function.
    +func hashAlgorithmSupported(h crypto.Hash) bool {
    +	for _, alg := range supportedPGPAlgorithms {
    +		if alg == h {
    +			return true
    +		}
    +	}
    +	return false
    +}
    +
     // signAndEncodeJSON encodes v, clear-signs it with privateKey, and writes it to w. If config is
     // nil, sensible defaults are used.
     func signAndEncodeJSON(w io.Writer, v interface{}, privateKey *packet.PrivateKey, config *packet.Config) error {
    +	if !hashAlgorithmSupported(config.Hash()) {
    +		return errHashUnsupported
    +	}
    +
     	// Get clearsign encoder.
     	plaintext, err := clearsign.Encode(w, privateKey, config)
     	if err != nil {
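
Review bot: In signAndEncodeJSON the new guard calls config.Hash() as the first statement, while the doc comment directly above still says a nil config is allowed and "sensible defaults are used". Add a test case that passes a nil config, or extend that comment to state which hash the nil case resolves to, so a later change of default cannot turn every nil-config signing call into errHashUnsupported unnoticed. It would also help to say in the comment on supportedPGPAlgorithms why this list differs from supportedDigestAlgorithms in digest.go, which additionally accepts SHA512_224 and SHA512_256.
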
    @@ -59,7 +83,13 @@ func verifyAndDecode(data []byte, kr openpgp.KeyRing) (*openpgp.Entity, []byte,
     	}
     
     	// Check signature.
    -	e, err := openpgp.CheckDetachedSignature(kr, bytes.NewReader(b.Bytes), b.ArmoredSignature.Body, nil)
    +	e, err := openpgp.CheckDetachedSignatureAndHash(
    +		kr,
    +		bytes.NewReader(b.Bytes),
    +		b.ArmoredSignature.Body,
    +		supportedPGPAlgorithms,
    +		nil,
    +	)
     	return e, b.Plaintext, rest, err
     }
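
Review bot: In verifyAndDecode a disallowed hash is now rejected by CheckDetachedSignatureAndHash, but the error returned to the caller is the OpenPGP library's own (the updated SHA1 case in clearsign_test.go expects a StructuralError about cleartext message headers), whereas the signing path in the previous hunk returns errHashUnsupported. Consider mapping this rejection to errHashUnsupported, or document in the function comment that an unsupported hash surfaces as a library error, so callers and logs can tell a policy rejection from a corrupted signature.
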
     
    
  • pkg/integrity/clearsign_test.go+13 4 modified
    @@ -1,4 +1,4 @@
    -// Copyright (c) 2020-2021, Sylabs Inc. All rights reserved.
    +// Copyright (c) 2020-2022, Sylabs Inc. All rights reserved.
     // This software is licensed under a 3-clause BSD license. Please consult the LICENSE.md file
     // distributed with the sources of this project regarding your rights to use or distribute this
     // software.
    @@ -9,13 +9,15 @@ import (
     	"bufio"
     	"bytes"
     	"crypto"
    +	"encoding/json"
     	"errors"
     	"io"
     	"reflect"
     	"strings"
     	"testing"
     
     	"github.com/ProtonMail/go-crypto/openpgp"
    +	"github.com/ProtonMail/go-crypto/openpgp/clearsign"
     	pgperrors "github.com/ProtonMail/go-crypto/openpgp/errors"
     	"github.com/ProtonMail/go-crypto/openpgp/packet"
     	"github.com/sebdah/goldie/v2"
    @@ -41,7 +43,7 @@ func TestSignAndEncodeJSON(t *testing.T) {
     	}{
     		{name: "EncryptedKey", key: &encryptedKey, wantErr: true},
     		{name: "DefaultHash", key: e.PrivateKey},
    -		{name: "SHA1", key: e.PrivateKey, hash: crypto.SHA1},
    +		{name: "SHA1", key: e.PrivateKey, hash: crypto.SHA1, wantErr: true},
     		{name: "SHA224", key: e.PrivateKey, hash: crypto.SHA224},
     		{name: "SHA256", key: e.PrivateKey, hash: crypto.SHA256},
     		{name: "SHA384", key: e.PrivateKey, hash: crypto.SHA384},
    @@ -121,7 +123,7 @@ func TestVerifyAndDecodeJSON(t *testing.T) {
     		{name: "CorruptedSignature", el: openpgp.EntityList{e}, corrupter: corruptSignature},
     		{name: "VerifyOnly", el: openpgp.EntityList{e}, wantEntity: e},
     		{name: "DefaultHash", el: openpgp.EntityList{e}, output: &testType{}, wantEntity: e},
    -		{name: "SHA1", hash: crypto.SHA1, el: openpgp.EntityList{e}, output: &testType{}, wantEntity: e},
    +		{name: "SHA1", hash: crypto.SHA1, el: openpgp.EntityList{e}, wantErr: pgperrors.StructuralError("hash algorithm mismatch with cleartext message headers")}, //nolint:lll
     		{name: "SHA224", hash: crypto.SHA224, el: openpgp.EntityList{e}, output: &testType{}, wantEntity: e},
     		{name: "SHA256", hash: crypto.SHA256, el: openpgp.EntityList{e}, output: &testType{}, wantEntity: e},
     		{name: "SHA384", hash: crypto.SHA384, el: openpgp.EntityList{e}, output: &testType{}, wantEntity: e},
    @@ -136,10 +138,17 @@ func TestVerifyAndDecodeJSON(t *testing.T) {
     			config := packet.Config{
     				DefaultHash: tt.hash,
     			}
    -			err := signAndEncodeJSON(&b, testValue, e.PrivateKey, &config)
    +
    +			// Manually sign and encode rather than calling signAndEncodeJSON, since we want to
    +			// test unsupported hash algorithms.
    +			plaintext, err := clearsign.Encode(&b, e.PrivateKey, &config)
     			if err != nil {
     				t.Fatal(err)
     			}
    +			if err := json.NewEncoder(plaintext).Encode(testValue); err != nil {
    +				t.Fatal(err)
    +			}
    +			plaintext.Close()
     
     			// Introduce corruption, if applicable.
     			if tt.corrupter != nil {
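
Review bot: plaintext.Close() near the end of this hunk discards its return value, while the clearsign.Encode and json Encode calls just before it fail the test on error. Close is the last step before the buffer is used, so check it the same way, for example: if err := plaintext.Close(); err != nil { t.Fatal(err) }.
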
    
  • pkg/integrity/digest.go+11 9 modified
    @@ -22,12 +22,14 @@ var (
     	errDigestMalformed = errors.New("digest malformed")
     )
     
    -var supportedAlgorithms = map[crypto.Hash]string{
    -	crypto.SHA1:   "sha1",
    -	crypto.SHA224: "sha224",
    -	crypto.SHA256: "sha256",
    -	crypto.SHA384: "sha384",
    -	crypto.SHA512: "sha512",
    +// Hash functions supported for digests.
    +var supportedDigestAlgorithms = map[crypto.Hash]string{
    +	crypto.SHA224:     "sha224",
    +	crypto.SHA256:     "sha256",
    +	crypto.SHA384:     "sha384",
    +	crypto.SHA512:     "sha512",
    +	crypto.SHA512_224: "sha512_224",
    +	crypto.SHA512_256: "sha512_256",
     }
     
     // hashValue calculates a digest by applying hash function h to the contents read from r. If h is
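
Review bot: Removing crypto.SHA1 from the digest map changes behaviour for existing data, not only for new signatures: as the HashUnsupportedSHA1 case in digest_test.go shows, UnmarshalJSON now returns errHashUnsupported for any metadata carrying "sha1:" digests. The one-line comment "Hash functions supported for digests" should say that SHA-1 is excluded on purpose and that previously signed images with SHA-1 digests will no longer verify. Since the map values ("sha512_224", "sha512_256") end up in the serialized "alg:value" strings, it is also worth noting there that they are format identifiers and must not be renamed.
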
    @@ -52,7 +54,7 @@ type digest struct {
     // newDigest returns a new digest. If h is not supported, errHashUnsupported is returned. If digest
     // is malformed, errDigestMalformed is returned.
     func newDigest(h crypto.Hash, value []byte) (digest, error) {
    -	if _, ok := supportedAlgorithms[h]; !ok {
    +	if _, ok := supportedDigestAlgorithms[h]; !ok {
     		return digest{}, errHashUnsupported
     	}
     
    @@ -104,7 +106,7 @@ func (d digest) matches(r io.Reader) (bool, error) {
     
     // MarshalJSON marshals d into string of format "alg:value".
     func (d digest) MarshalJSON() ([]byte, error) {
    -	n, ok := supportedAlgorithms[d.hash]
    +	n, ok := supportedDigestAlgorithms[d.hash]
     	if !ok {
     		return nil, errHashUnsupported
     	}
    @@ -130,7 +132,7 @@ func (d *digest) UnmarshalJSON(data []byte) error {
     		return fmt.Errorf("%w: %v", errDigestMalformed, err)
     	}
     
    -	for h, n := range supportedAlgorithms {
    +	for h, n := range supportedDigestAlgorithms {
     		if n == name {
     			digest, err := newDigest(h, v)
     			if err != nil {
    
  • pkg/integrity/digest_test.go+47 17 modified
    @@ -114,14 +114,14 @@ func TestDigest_MarshalJSON(t *testing.T) {
     		wantErr error
     	}{
     		{
    -			name:    "UnsupportedHash",
    +			name:    "HashUnsupportedMD5",
     			hash:    crypto.MD5,
     			wantErr: errHashUnsupported,
     		},
     		{
    -			name:  "SHA1",
    -			hash:  crypto.SHA1,
    -			value: "597f6a540010f94c15d71806a99a2c8710e747bd",
    +			name:    "HashUnsupportedSHA1",
    +			hash:    crypto.SHA1,
    +			wantErr: errHashUnsupported,
     		},
     		{
     			name:  "SHA224",
    @@ -143,6 +143,16 @@ func TestDigest_MarshalJSON(t *testing.T) {
     			hash:  crypto.SHA512,
     			value: "db3974a97f2407b7cae1ae637c0030687a11913274d578492558e39c16c017de84eacdc8c62fe34ee4e12b4b1428817f09b6a2760c3f8a664ceae94d2434a593", //nolint:lll
     		},
    +		{
    +			name:  "SHA512_224",
    +			hash:  crypto.SHA512_224,
    +			value: "06001bf08dfb17d2b54925116823be230e98b5c6c278303bc4909a8c",
    +		},
    +		{
    +			name:  "SHA512_256",
    +			hash:  crypto.SHA512_256,
    +			value: "3d37fe58435e0d87323dee4a2c1b339ef954de63716ee79f5747f94d974f913f",
    +		},
     	}
     
     	for _, tt := range tests {
    @@ -193,60 +203,80 @@ func TestDigest_UnmarshalJSON(t *testing.T) {
     			wantErr: errDigestMalformed,
     		},
     		{
    -			name:    "UnsupportedHash",
    +			name:    "HashUnsupportedMD5",
     			r:       strings.NewReader(`"md5:b0804ec967f48520697662a204f5fe72"`),
     			wantErr: errHashUnsupported,
     		},
    +		{
    +			name:    "HashUnsupportedSHA1",
    +			r:       strings.NewReader(`"sha1:597f6a540010f94c15d71806a99a2c8710e747bd"`),
    +			wantErr: errHashUnsupported,
    +		},
     		{
     			name:    "DigestMalformedNotHex",
    -			r:       strings.NewReader(`"sha1:oops"`),
    +			r:       strings.NewReader(`"sha256:oops"`),
     			wantErr: errDigestMalformed,
     		},
     		{
     			name:    "DigestMalformedIncorrectLen",
    -			r:       strings.NewReader(`"sha1:597f"`),
    +			r:       strings.NewReader(`"sha256:597f"`),
     			wantErr: errDigestMalformed,
     		},
    -		{
    -			name:      "SHA1",
    -			r:         strings.NewReader(`"sha1:597f6a540010f94c15d71806a99a2c8710e747bd"`),
    -			wantHash:  crypto.SHA1,
    -			wantValue: "597f6a540010f94c15d71806a99a2c8710e747bd",
    -		},
     		{
     			name:      "SHA224",
     			r:         strings.NewReader(`"sha224:95041dd60ab08c0bf5636d50be85fe9790300f39eb84602858a9b430"`),
    -			wantHash:  crypto.SHA1,
    +			wantHash:  crypto.SHA224,
     			wantValue: "95041dd60ab08c0bf5636d50be85fe9790300f39eb84602858a9b430",
     		},
     		{
     			name:      "SHA256",
     			r:         strings.NewReader(`"sha256:a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447"`),
    -			wantHash:  crypto.SHA1,
    +			wantHash:  crypto.SHA256,
     			wantValue: "a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447",
     		},
     		{
     			name:      "SHA384",
     			r:         strings.NewReader(`"sha384:6b3b69ff0a404f28d75e98a066d3fc64fffd9940870cc68bece28545b9a75086b343d7a1366838083e4b8f3ca6fd3c80"`), //nolint:lll
    -			wantHash:  crypto.SHA1,
    +			wantHash:  crypto.SHA384,
     			wantValue: "6b3b69ff0a404f28d75e98a066d3fc64fffd9940870cc68bece28545b9a75086b343d7a1366838083e4b8f3ca6fd3c80",
     		},
     		{
     			name:      "SHA512",
     			r:         strings.NewReader(`"sha512:db3974a97f2407b7cae1ae637c0030687a11913274d578492558e39c16c017de84eacdc8c62fe34ee4e12b4b1428817f09b6a2760c3f8a664ceae94d2434a593"`), //nolint:lll
    -			wantHash:  crypto.SHA1,
    +			wantHash:  crypto.SHA512,
     			wantValue: "db3974a97f2407b7cae1ae637c0030687a11913274d578492558e39c16c017de84eacdc8c62fe34ee4e12b4b1428817f09b6a2760c3f8a664ceae94d2434a593", //nolint:lll
     		},
    +		{
    +			name:      "SHA512_224",
    +			r:         strings.NewReader(`"sha512_224:06001bf08dfb17d2b54925116823be230e98b5c6c278303bc4909a8c"`),
    +			wantHash:  crypto.SHA512_224,
    +			wantValue: "06001bf08dfb17d2b54925116823be230e98b5c6c278303bc4909a8c",
    +		},
    +		{
    +			name:      "SHA512_256",
    +			r:         strings.NewReader(`"sha512_256:3d37fe58435e0d87323dee4a2c1b339ef954de63716ee79f5747f94d974f913f"`),
    +			wantHash:  crypto.SHA512_256,
    +			wantValue: "3d37fe58435e0d87323dee4a2c1b339ef954de63716ee79f5747f94d974f913f",
    +		},
     	}
     
     	for _, tt := range tests {
     		tt := tt
     		t.Run(tt.name, func(t *testing.T) {
     			var d digest
    +
     			err := json.NewDecoder(tt.r).Decode(&d)
     			if got, want := err, tt.wantErr; !errors.Is(got, want) {
     				t.Fatalf("got error %v, want %v", got, want)
     			}
    +
    +			if got, want := d.hash, tt.wantHash; got != want {
    +				t.Errorf("got hash %v, want %v", got, want)
    +			}
    +
    +			if got, want := hex.EncodeToString(d.value), tt.wantValue; got != want {
    +				t.Errorf("got value %v, want %v", got, want)
    +			}
     		})
     	}
     }
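
Review bot: The new d.hash and d.value assertions at the end of TestDigest_UnmarshalJSON also run for the error cases, where they pass only because wantHash and wantValue are left at their zero values; that implicitly requires UnmarshalJSON to leave d untouched on failure. If that is the intended contract, say so in a comment next to the assertions; otherwise return right after the error check when tt.wantErr is non-nil. The corrected wantHash fields (previously crypto.SHA1 in every case) show the old table was never compared, so a short comment explaining what each assertion guards would prevent a repeat.
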
    
  • pkg/integrity/metadata_test.go+15 11 modified
    @@ -1,4 +1,4 @@
    -// Copyright (c) 2020-2021, Sylabs Inc. All rights reserved.
    +// Copyright (c) 2020-2022, Sylabs Inc. All rights reserved.
     // This software is licensed under a 3-clause BSD license. Please consult the LICENSE.md file
     // distributed with the sources of this project regarding your rights to use or distribute this
     // software.
    @@ -35,12 +35,14 @@ func TestGetHeaderMetadata(t *testing.T) {
     		wantErr error
     	}{
     		{name: "HashUnavailable", header: bytes.NewReader(b), hash: crypto.MD4, wantErr: errHashUnavailable},
    -		{name: "HashUnsupported", header: bytes.NewReader(b), hash: crypto.MD5, wantErr: errHashUnsupported},
    -		{name: "SHA1", header: bytes.NewReader(b), hash: crypto.SHA1},
    +		{name: "HashUnsupportedMD5", header: bytes.NewReader(b), hash: crypto.MD5, wantErr: errHashUnsupported},
    +		{name: "HashUnsupportedSHA1", header: bytes.NewReader(b), hash: crypto.SHA1, wantErr: errHashUnsupported},
     		{name: "SHA224", header: bytes.NewReader(b), hash: crypto.SHA224},
     		{name: "SHA256", header: bytes.NewReader(b), hash: crypto.SHA256},
     		{name: "SHA384", header: bytes.NewReader(b), hash: crypto.SHA384},
     		{name: "SHA512", header: bytes.NewReader(b), hash: crypto.SHA512},
    +		{name: "SHA512_224", header: bytes.NewReader(b), hash: crypto.SHA512_224},
    +		{name: "SHA512_256", header: bytes.NewReader(b), hash: crypto.SHA512_256},
     	}
     
     	for _, tt := range tests {
    @@ -88,13 +90,15 @@ func TestGetObjectMetadata(t *testing.T) {
     		wantErr    error
     	}{
     		{name: "HashUnavailable", descr: bytes.NewReader(rid0), hash: crypto.MD4, wantErr: errHashUnavailable},
    -		{name: "HashUnsupported", descr: bytes.NewReader(rid0), hash: crypto.MD5, wantErr: errHashUnsupported},
    -		{name: "RelativeID", relativeID: 1, descr: bytes.NewReader(rid1), data: strings.NewReader("blah"), hash: crypto.SHA1},
    -		{name: "SHA1", descr: bytes.NewReader(rid0), data: strings.NewReader("blah"), hash: crypto.SHA1},
    +		{name: "HashUnsupportedMD5", descr: bytes.NewReader(rid0), hash: crypto.MD5, wantErr: errHashUnsupported},
    +		{name: "HashUnsupportedSHA1", descr: bytes.NewReader(rid0), hash: crypto.SHA1, wantErr: errHashUnsupported},
    +		{name: "RelativeID", relativeID: 1, descr: bytes.NewReader(rid1), data: strings.NewReader("blah"), hash: crypto.SHA256}, //nolint:lll
     		{name: "SHA224", descr: bytes.NewReader(rid0), data: strings.NewReader("blah"), hash: crypto.SHA224},
     		{name: "SHA256", descr: bytes.NewReader(rid0), data: strings.NewReader("blah"), hash: crypto.SHA256},
     		{name: "SHA384", descr: bytes.NewReader(rid0), data: strings.NewReader("blah"), hash: crypto.SHA384},
     		{name: "SHA512", descr: bytes.NewReader(rid0), data: strings.NewReader("blah"), hash: crypto.SHA512},
    +		{name: "SHA512_224", descr: bytes.NewReader(rid0), data: strings.NewReader("blah"), hash: crypto.SHA512_224},
    +		{name: "SHA512_256", descr: bytes.NewReader(rid0), data: strings.NewReader("blah"), hash: crypto.SHA512_256},
     	}
     
     	for _, tt := range tests {
    @@ -139,11 +143,11 @@ func TestGetImageMetadata(t *testing.T) {
     		wantErr error
     	}{
     		{name: "HashUnavailable", hash: crypto.MD4, wantErr: errHashUnavailable},
    -		{name: "HashUnsupported", hash: crypto.MD5, wantErr: errHashUnsupported},
    -		{name: "MinimumIDInvalid", minID: 2, ods: []sif.Descriptor{od1}, hash: crypto.SHA1, wantErr: errMinimumIDInvalid},
    -		{name: "Object1", minID: 1, ods: []sif.Descriptor{od1}, hash: crypto.SHA1},
    -		{name: "Object2", minID: 1, ods: []sif.Descriptor{od2}, hash: crypto.SHA1},
    -		{name: "SHA1", minID: 1, ods: []sif.Descriptor{od1, od2}, hash: crypto.SHA1},
    +		{name: "HashUnsupportedMD5", hash: crypto.MD5, wantErr: errHashUnsupported},
    +		{name: "HashUnsupportedSHA1", hash: crypto.SHA1, wantErr: errHashUnsupported},
    +		{name: "MinimumIDInvalid", minID: 2, ods: []sif.Descriptor{od1}, hash: crypto.SHA256, wantErr: errMinimumIDInvalid},
    +		{name: "Object1", minID: 1, ods: []sif.Descriptor{od1}, hash: crypto.SHA256},
    +		{name: "Object2", minID: 1, ods: []sif.Descriptor{od2}, hash: crypto.SHA256},
     		{name: "SHA224", minID: 1, ods: []sif.Descriptor{od1, od2}, hash: crypto.SHA224},
     		{name: "SHA256", minID: 1, ods: []sif.Descriptor{od1, od2}, hash: crypto.SHA256},
     		{name: "SHA384", minID: 1, ods: []sif.Descriptor{od1, od2}, hash: crypto.SHA384},
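
Review bot: TestGetImageMetadata only swaps SHA1 for SHA256 in the MinimumIDInvalid, Object1 and Object2 cases; unlike TestGetHeaderMetadata and TestGetObjectMetadata earlier in this file, it gains no SHA512_224 or SHA512_256 cases, and no golden files for them are added under testdata/TestGetImageMetadata. Add both cases so the two newly accepted digest algorithms are covered at image level as well.
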
    
  • pkg/integrity/sign_test.go+22 8 modified
    @@ -1,4 +1,4 @@
    -// Copyright (c) 2020-2021, Sylabs Inc. All rights reserved.
    +// Copyright (c) 2020-2022, Sylabs Inc. All rights reserved.
     // This software is licensed under a 3-clause BSD license. Please consult the LICENSE.md file
     // distributed with the sources of this project regarding your rights to use or distribute this
     // software.
    @@ -272,7 +272,7 @@ func TestGroupSigner_SignWithEntity(t *testing.T) {
     				f:      twoGroups,
     				id:     1,
     				ods:    []sif.Descriptor{d1},
    -				mdHash: crypto.SHA1,
    +				mdHash: crypto.SHA256,
     				sigConfig: &packet.Config{
     					Time: fixedTime,
     				},
    @@ -285,7 +285,7 @@ func TestGroupSigner_SignWithEntity(t *testing.T) {
     				f:      twoGroups,
     				id:     1,
     				ods:    []sif.Descriptor{d2},
    -				mdHash: crypto.SHA1,
    +				mdHash: crypto.SHA256,
     				sigConfig: &packet.Config{
     					Time: fixedTime,
     				},
    @@ -298,7 +298,7 @@ func TestGroupSigner_SignWithEntity(t *testing.T) {
     				f:      twoGroups,
     				id:     1,
     				ods:    []sif.Descriptor{d1, d2},
    -				mdHash: crypto.SHA1,
    +				mdHash: crypto.SHA256,
     				sigConfig: &packet.Config{
     					Time: fixedTime,
     				},
    @@ -311,20 +311,34 @@ func TestGroupSigner_SignWithEntity(t *testing.T) {
     				f:      twoGroups,
     				id:     2,
     				ods:    []sif.Descriptor{d3},
    -				mdHash: crypto.SHA1,
    +				mdHash: crypto.SHA256,
     				sigConfig: &packet.Config{
     					Time: fixedTime,
     				},
     			},
     			e: e,
     		},
    +		{
    +			name: "SignatureConfigSHA224",
    +			gs: groupSigner{
    +				f:      twoGroups,
    +				id:     1,
    +				ods:    []sif.Descriptor{d1, d2},
    +				mdHash: crypto.SHA256,
    +				sigConfig: &packet.Config{
    +					DefaultHash: crypto.SHA224,
    +					Time:        fixedTime,
    +				},
    +			},
    +			e: e,
    +		},
     		{
     			name: "SignatureConfigSHA256",
     			gs: groupSigner{
     				f:      twoGroups,
     				id:     1,
     				ods:    []sif.Descriptor{d1, d2},
    -				mdHash: crypto.SHA1,
    +				mdHash: crypto.SHA256,
     				sigConfig: &packet.Config{
     					DefaultHash: crypto.SHA256,
     					Time:        fixedTime,
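
Review bot: This hunk adds SignatureConfigSHA224 as one more passing case, but nothing visible in TestGroupSigner_SignWithEntity exercises the rejection path. Add a case with sigConfig DefaultHash: crypto.SHA1, and one with mdHash: crypto.SHA1, that expect errHashUnsupported, so the guard added in signAndEncodeJSON and the trimmed digest map are both covered through the group signer rather than only in their unit tests.
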
    @@ -338,7 +352,7 @@ func TestGroupSigner_SignWithEntity(t *testing.T) {
     				f:      twoGroups,
     				id:     1,
     				ods:    []sif.Descriptor{d1, d2},
    -				mdHash: crypto.SHA1,
    +				mdHash: crypto.SHA256,
     				sigConfig: &packet.Config{
     					DefaultHash: crypto.SHA384,
     					Time:        fixedTime,
    @@ -352,7 +366,7 @@ func TestGroupSigner_SignWithEntity(t *testing.T) {
     				f:      twoGroups,
     				id:     1,
     				ods:    []sif.Descriptor{d1, d2},
    -				mdHash: crypto.SHA1,
    +				mdHash: crypto.SHA256,
     				sigConfig: &packet.Config{
     					DefaultHash: crypto.SHA512,
     					Time:        fixedTime,
    
  • pkg/integrity/testdata/TestDigest_MarshalJSON/SHA1.golden+0 1 removed
    @@ -1 +0,0 @@
    -"sha1:597f6a540010f94c15d71806a99a2c8710e747bd"
    
  • pkg/integrity/testdata/TestDigest_MarshalJSON/SHA512_224.golden+1 0 added
    @@ -0,0 +1 @@
    +"sha512_224:06001bf08dfb17d2b54925116823be230e98b5c6c278303bc4909a8c"
    
  • pkg/integrity/testdata/TestDigest_MarshalJSON/SHA512_256.golden+1 0 added
    @@ -0,0 +1 @@
    +"sha512_256:3d37fe58435e0d87323dee4a2c1b339ef954de63716ee79f5747f94d974f913f"
    
  • pkg/integrity/testdata/TestGetHeaderMetadata/SHA1.golden+0 1 removed
    @@ -1 +0,0 @@
    -{"digest":"sha1:bd6b562b49ff04470f641ad3c971822303049826"}
    
  • pkg/integrity/testdata/TestGetHeaderMetadata/SHA512_224.golden+1 0 added
    @@ -0,0 +1 @@
    +{"digest":"sha512_224:d5f9767e096056fcf381b801e2b0b80b33acdc09b7a7e3a1c504231e"}
    
  • pkg/integrity/testdata/TestGetHeaderMetadata/SHA512_256.golden+1 0 added
    @@ -0,0 +1 @@
    +{"digest":"sha512_256:eb199aeab4047ca6430890372769681045c20b1a0a4a78b595ab62dbdfc9285f"}
    
  • pkg/integrity/testdata/TestGetImageMetadata/Object1.golden+1 1 modified
    @@ -1 +1 @@
    -{"version":1,"header":{"digest":"sha1:86696357e7806b51baf75fc0bf9b8fc677e5cdd0"},"objects":[{"relativeId":0,"descriptorDigest":"sha1:1406a1a9c75a332fc50cb8519a9a7f9f2531480e","objectDigest":"sha1:15146b9bf4f1f5f9bf176a398d8c4f0321c63064"}]}
    +{"version":1,"header":{"digest":"sha256:635fa0a14a8ef0c0351ed3e985799ed1d4f75ce973dea3cc76c99710795cc3f1"},"objects":[{"relativeId":0,"descriptorDigest":"sha256:3634ad01db0dd5482ecf685267b53d6201690438ca27c3d7ea91c971a1f41f92","objectDigest":"sha256:004dfc8da678c309de28b5386a1e9efd57f536b150c40d29b31506aa0fb17ec2"}]}
    
  • pkg/integrity/testdata/TestGetImageMetadata/Object2.golden+1 1 modified
    @@ -1 +1 @@
    -{"version":1,"header":{"digest":"sha1:86696357e7806b51baf75fc0bf9b8fc677e5cdd0"},"objects":[{"relativeId":1,"descriptorDigest":"sha1:076d6ec6e32a6237d838ba20c825c6caa4c78544","objectDigest":"sha1:fd526afdbdea7c87d81c33314b0e0dbdfa5ba79f"}]}
    +{"version":1,"header":{"digest":"sha256:635fa0a14a8ef0c0351ed3e985799ed1d4f75ce973dea3cc76c99710795cc3f1"},"objects":[{"relativeId":1,"descriptorDigest":"sha256:04b5f87c9692a54f80d10fb6af00c779763aeca29d610348854bd97cd8bf66fd","objectDigest":"sha256:9f9c4e5e131934969b4ac8f495691c70b8c6c8e3f489c2c9ab5f1af82bce0604"}]}
    
  • pkg/integrity/testdata/TestGetImageMetadata/SHA1.golden+0 1 removed
    @@ -1 +0,0 @@
    -{"version":1,"header":{"digest":"sha1:86696357e7806b51baf75fc0bf9b8fc677e5cdd0"},"objects":[{"relativeId":0,"descriptorDigest":"sha1:1406a1a9c75a332fc50cb8519a9a7f9f2531480e","objectDigest":"sha1:15146b9bf4f1f5f9bf176a398d8c4f0321c63064"},{"relativeId":1,"descriptorDigest":"sha1:076d6ec6e32a6237d838ba20c825c6caa4c78544","objectDigest":"sha1:fd526afdbdea7c87d81c33314b0e0dbdfa5ba79f"}]}
    
  • pkg/integrity/testdata/TestGetObjectMetadata/RelativeID.golden+1 1 modified
    @@ -1 +1 @@
    -{"relativeId":1,"descriptorDigest":"sha1:f3681c97de35ea124cd2e3687ed62988c7138f3a","objectDigest":"sha1:5bf1fd927dfb8679496a2e6cf00cbe50c1c87145"}
    +{"relativeId":1,"descriptorDigest":"sha256:a1e6ca1d0cce1fbd71b186ac7a5c5a805c833ecc419a78d017558e79c0862790","objectDigest":"sha256:8b7df143d91c716ecfa5fc1730022f6b421b05cedee8fd52b1fc65a96030ad52"}
    
  • pkg/integrity/testdata/TestGetObjectMetadata/SHA1.golden+0 1 removed
    @@ -1 +0,0 @@
    -{"relativeId":0,"descriptorDigest":"sha1:042874d3fd63a516c5abe45b221ed8db1e5cfd84","objectDigest":"sha1:5bf1fd927dfb8679496a2e6cf00cbe50c1c87145"}
    
  • pkg/integrity/testdata/TestGetObjectMetadata/SHA512_224.golden+1 0 added
    @@ -0,0 +1 @@
    +{"relativeId":0,"descriptorDigest":"sha512_224:ba5b52f4337756f9efb0c7d35f16e0365ba5845b0dd9df5e9edfce3a","objectDigest":"sha512_224:b1d15ae18bb05265b44e9e0137f08078f53f5b239a78c49c2cfc2c9c"}
    
  • pkg/integrity/testdata/TestGetObjectMetadata/SHA512_256.golden+1 0 added
    @@ -0,0 +1 @@
    +{"relativeId":0,"descriptorDigest":"sha512_256:aef151cf86aaab28a4e086c9e1f9d19c8f85e4eb794336d909a6844ce7fb52ef","objectDigest":"sha512_256:9a801762c512490303535d35c221e2dc1d24f5094d038041dc4303ba7ac04f0e"}
    
  • pkg/integrity/testdata/TestGroupSigner_SignWithEntity/Group1.golden+0 0 modified
  • pkg/integrity/testdata/TestGroupSigner_SignWithEntity/Group2.golden+0 0 modified
  • pkg/integrity/testdata/TestGroupSigner_SignWithEntity/Object1.golden+0 0 modified
  • pkg/integrity/testdata/TestGroupSigner_SignWithEntity/Object2.golden+0 0 modified
  • pkg/integrity/testdata/TestGroupSigner_SignWithEntity/SignatureConfigSHA224.golden+0 0 added
  • pkg/integrity/testdata/TestGroupSigner_SignWithEntity/SignatureConfigSHA256.golden+0 0 modified
  • pkg/integrity/testdata/TestGroupSigner_SignWithEntity/SignatureConfigSHA384.golden+0 0 modified
  • pkg/integrity/testdata/TestGroupSigner_SignWithEntity/SignatureConfigSHA512.golden+0 0 modified
  • pkg/integrity/testdata/TestSignAndEncodeJSON/SHA1.golden+0 15 removed
    @@ -1,15 +0,0 @@
    ------BEGIN PGP SIGNED MESSAGE-----
    -Hash: SHA1
    -
    -{"One":1,"Two":2}
    ------BEGIN PGP SIGNATURE-----
    -
    -wsBzBAEBAgAnBQJZr0CRCZCiDCfuf/e6hBYhBBIEXIwLEATQWN5L7aIMJ+5/97qE
    -AACQnAf/XWNnfBZfoOffU9YBG4JIGbo1fBuO0NbxlP22zpiS9NM2CViTHmpmqe7K
    -9d53CXsHrpQB1Oc+h5c5QsWjOl3girXO8du9833lygsFGjK3Q9mc0cfrXoEMOw+N
    -B0hMq/JxQVOfdBn0Z5YF6Sfkjkifhm36GpNB8I3QmuIu3kd2nIfa6WLo7h4txKFU
    -0ZPxRZ8IWFTTBEhWwSUrR30cOr5PvQfu0oTZ7xxkeUPudmxNXBad6uunyXyBkhmq
    -m0fMZyCbPeRc5gvUsAnxSDAKU5Ryj6GIUBpBv7c3AXwfusO4HAaOQi+BZDTjMVBF
    -AXJc73L0mvJvX9dOEnmd6D7xylclHQ==
    -=BpCt
    ------END PGP SIGNATURE-----
    \ No newline at end of file
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
