Security · 2h ago
GitHub 'Verified' Commits Can Be Forged Without Breaking Signatures
Researchers found that signed Git commits can be rewritten to produce a different hash while preserving a valid signature, causing GitHub to still label them as 'Verified'. The attack works without access to the signing key, undermining trust in commit integrity. This affects any software project relying on verified commits for security audits or supply chain verification.
Meridian48 take
The finding exposes a fundamental flaw in Git's commit verification model, but the practical exploit requires specific conditions—still, it's a wake-up call for the industry to rethink commit signing standards.
Read the full reporting
GitHub 'Verified' Commits Can Be Rewritten Into New Hashes Without Breaking Signatures →
The Hacker News
git-securitycommit-forgery