GitHub 'Verified' Commits Can Be Rewritten Into New Hashes Without Breaking Signatures

Read full story on The Hacker News
Share
GitHub 'Verified' Commits Can Be Rewritten Into New Hashes Without Breaking Signatures
AI disclosure

Summary

New research shows that a signed Git commit's hash is not the one-of-a-kind name that much of the software world assumes it to be. Given any signed commit, someone without the signing key can mint a second commit with the same files, author, and date, and a valid signature, GitHub still stamps "Verified." Everything a reviewer would check matches. The commit's hash does not. That matters

Original reporting

Open original source

Related coverage

Read full article on The Hacker News

Get the AFBytes Brief

Major stories, AI-assisted analysis, and what to watch next. Free, monthly, unsubscribe anytime.