importantSYS.SOURCE: The Hacker News• 2026-07-08T17:21:24+05:30
GitHub Verified Commits Vulnerability Allows Hash Malleability Without Breaking Signatures
#GitHub Security#Git Commit Hash#Signature Malleability#Open Source Security#DevSecOps
A security vulnerability allows rewriting GitHub 'Verified' commits with new hashes without breaking signatures, undermining systems that rely on commit hash uniqueness for provenance and deduplication. The flaw stems from signature malleability and lack of canonicalization in how forges like GitHub verify signed commits.
New research shows that a signed Git commit's hash is not the one-of-a-kind name that much of the software world assumes it to be. Given any signed commit, someone without the signing key can mint a second commit with the same files, author, and date, and a valid signature, GitHub still stamps "Verified."
Everything a reviewer would check matches. The commit's hash does not. That matters
*** END OF TRANSMISSION ***