GitHub ‘Verified’ Commits Can Be Rewritten Into New Hashes Without Breaking Signatures

New research shows that a signed Git commit’s hash is not the one-of-a-kind name that much of the software world assumes it to be. Given any signed commit, someone without the signing key can mint a second commit with the same files, author, and date, and a valid signature, GitHub still stamps “Verified.”

Everything a reviewer would check matches. The commit’s hash does not. That matters

Source: The Hacker News

Leave a Reply

Your email address will not be published. Required fields are marked *

Explore More

Why Won’t Europe Build AI Data Centers in Iceland?

Why Won’t Europe Build AI Data Centers in Iceland? Source: Hacker News

Android Developer Verification: Threat masquerading as protection

Android Developer Verification: Threat masquerading as protection Source: Hacker News

A way to exclude sensitive files issue still open for OpenAI Codex

A way to exclude sensitive files issue still open for OpenAI Codex Source: Hacker News