WEDNESDAY, JULY 8, 2026 48° E  /  GLOBAL TECH · SUMMARISED SUBSCRIBE
AI, business, devices, policy — global tech, summarised every 30 minutes.
Security · 2h ago

GitHub 'Verified' Commits Can Be Forged Without Breaking Signatures

By Meridian48 News Desk · Summarised from The Hacker News ·

Researchers found that signed Git commits can be rewritten to produce a different hash while preserving a valid signature, causing GitHub to still label them as 'Verified'. The attack works without access to the signing key, undermining trust in commit integrity. This affects any software project relying on verified commits for security audits or supply chain verification.

Meridian48 take
The finding exposes a fundamental flaw in Git's commit verification model, but the practical exploit requires specific conditions—still, it's a wake-up call for the industry to rethink commit signing standards.
Read the full reporting
GitHub 'Verified' Commits Can Be Rewritten Into New Hashes Without Breaking Signatures →
The Hacker News
git-securitycommit-forgery
More security briefs
Go deeper on security
AllAIStartupsBusinessDevicesPolicySecurityDev ToolsPakistan