New Research: A "Verified" GitHub Commit Is Not Unique
9 hours ago
- #Cryptography
- #Supply Chain
- #Git Security
- Git uses content hashes to uniquely identify commits, which supply-chain tools rely on as immutable names for signed content.
- A preprint reveals hash chain malleability: an attacker can create a different signed commit with the same tree, metadata, and a valid signature, changing only the hash and affecting subsequent commits.
- The issue stems from signature malleability in GPG-based schemes (ECDSA, RSA, EdDSA) and S/MIME, not from hash function weaknesses like SHA-1 collisions.
- GitHub's server-side verification accepts these malleable signatures without canonicalization, issuing 'Verified' badges for each variant, and retains verification even if keys are later revoked.
- Local tools like git verify-commit show mixed behavior, accepting some malleable signatures but rejecting others that GitHub accepts.