GitHub 'Verified' Commits Can Be Rewritten Into New Hashes Without Breaking Signatures

Summary

New research reveals that GitHub's 'Verified' commit feature can be bypassed. It's possible to create a new commit with the same content, author, and date, and a valid signature, which GitHub will still label as verified, even though the commit hash is different.

IFF Assessment

FOE

This vulnerability allows for malicious actors to potentially tamper with signed commits without detection, undermining the integrity of code reviews and version control.

Defender Context

Defenders should be aware that Git commit signing and verification mechanisms, particularly within platforms like GitHub, may not provide the absolute assurance of integrity previously assumed. This could impact supply chain security and the ability to trust code history.

Read Full Story →