Home/News/GitHub Verified Commits Can Be Rewritten Without Breaking Signatures
The Hacker News2 min read

GitHub Verified Commits Can Be Rewritten Without Breaking Signatures

New research published this week demonstrates a significant vulnerability in GitHub's commit verification system, allowing malicious actors to rewrite signed Git commits without invalidating their "Verified" status. The findings, detailed in a recent analysis, indicate that a signed commit's hash is not as unique or immutable as widely assumed within the software development community.

Researchers have shown that it is possible to create a second, altered commit that contains the exact same files, author information, and timestamp as an original signed commit. Crucially, this new commit can be signed with a different key, yet still pass GitHub's verification checks. This means that a reviewer examining the commit on GitHub would see all the expected details and a "Verified" stamp, despite the underlying content or metadata having been tampered with.

The core of the exploit lies in how Git calculates commit hashes. The hash is derived from the commit's metadata and content. However, the research highlights that certain metadata fields, when manipulated in conjunction with the signing process, can lead to a different hash being generated for a commit that is functionally identical to the original. This discrepancy allows for the creation of a new, valid signature for a rewritten commit, which GitHub then incorrectly flags as verified.

This vulnerability has significant implications for software supply chain security. Developers and organizations rely on the "Verified" status to trust the integrity of code contributions. If this status can be spoofed, it opens the door to potential injection of malicious code or alteration of critical project history without immediate detection through standard verification mechanisms. The research team has not yet disclosed specific technical details of the exploit to allow for remediation.

Original source — read the full reporting at the publisher:

Read on The Hacker News

Read next