Hasty Briefsbeta

Bilingual

New Research: A "Verified" GitHub Commit Is Not Unique

8 hours ago
  • #Cryptography
  • #Supply Chain
  • #Git Security
  • Git uses content hashes to uniquely identify commits, which supply-chain tools rely on as immutable names for signed content.
  • A preprint reveals hash chain malleability: an attacker can create a different signed commit with the same tree, metadata, and a valid signature, changing only the hash and affecting subsequent commits.
  • The issue stems from signature malleability in GPG-based schemes (ECDSA, RSA, EdDSA) and S/MIME, not from hash function weaknesses like SHA-1 collisions.
  • GitHub's server-side verification accepts these malleable signatures without canonicalization, issuing 'Verified' badges for each variant, and retains verification even if keys are later revoked.
  • Local tools like git verify-commit show mixed behavior, accepting some malleable signatures but rejecting others that GitHub accepts.