GitHub 'Verified' Commits Can Be Rewritten Into New Hashes Without Breaking Signatures
Summary
New research reveals that GitHub's 'Verified' commit feature can be bypassed. It's possible to create a new commit with the same content, author, and date, and a valid signature, which GitHub will still label as verified, even though the commit hash is different.
IFF Assessment
FOE
This vulnerability allows for malicious actors to potentially tamper with signed commits without detection, undermining the integrity of code reviews and version control.
Defender Context
Defenders should be aware that Git commit signing and verification mechanisms, particularly within platforms like GitHub, may not provide the absolute assurance of integrity previously assumed. This could impact supply chain security and the ability to trust code history.