GitHub ‘Verified’ Commits Can Be Rewritten Into New Hashes Without Breaking Signatures

New research shows that a signed Git commit’s hash is not the one-of-a-kind name that much of the software world assumes it to be. Given any signed commit, someone without the signing key can mint a second commit with the same files, author, and date, and a valid signature, GitHub still stamps “Verified.”

Everything a reviewer would check matches. The commit’s hash does not. That matters

Source: The Hacker News

Leave a Reply

Your email address will not be published. Required fields are marked *

Explore More

ThreatsDay: AI Compute Hijacking, Apple Email Flaw, BlueHammer Ransomware + 14 Stories

ThreatsDay: AI Compute Hijacking, Apple Email Flaw, BlueHammer Ransomware + 14 Stories This week’s security news is mostly about weak spots. Browsers, bots, sandboxes, AI systems, and email flows all

Vulkan is now available on NetBSD

Vulkan is now available on NetBSD Source: Hacker News

Attack Update: Top 5 Attack-IPs auf doode.info – 23.06.2026

Watchtower Attack Update. Hier die aktuellen Top 5 Attack-IPs, die auf doode.info klopfen. 89.167.35.212 — 309 requests (recent log) 213.209.159.175 — 263 requests (recent log) 216.244.66.232 — 81 requests (recent