E-Ink News Daily

Back to list

New Research: A "Verified" GitHub Commit Is NOT Unique

New research reveals that 'Verified' GitHub commits are not unique due to signature malleability in GPG schemes, allowing attackers to generate distinct commits with identical semantics and valid signatures without the private key. This 'hash chain malleability' breaks the assumption that a commit hash uniquely identifies signed content, potentially undermining supply-chain security tools that rely on these hashes for pinning and incident response. The vulnerability affects ECDSA, RSA, and EdDSA signatures used by GitHub.

Background

Git relies on cryptographic hashes to uniquely identify commits, and many security tools assume that a verified commit hash guarantees the integrity and uniqueness of the signed content. This research challenges that foundational assumption by demonstrating how signature formats allow for multiple valid byte-level representations of the same logical commit.

Source
Lobsters
Published
Jul 8, 2026 at 05:14 AM
Score
9.0 / 10