National Cyber Warfare Foundation (NCWF)

GitHub 'Verified' Commits Can Be Rewritten Into New Hashes Without Breaking Signatures


0 user ratings
2026-07-08 12:11:26
milo
Attacks
New research shows that a signed Git commit's hash is not the one-of-a-kind name that much of the software world assumes it to be. Given any signed commit, someone without the signing key can mint a second commit with the same files, author, and date, and a valid signature, GitHub still stamps "Verified."

Everything a reviewer would check matches. The commit's hash does not. That matters



Source: TheHackerNews
Source Link: https://thehackernews.com/2026/07/github-verified-commits-can-be.html


Comments
new comment
Nobody has commented yet. Will you be the first?
 
Forum
Attacks



Copyright 2012 through 2026 - National Cyber Warfare Foundation - All rights reserved worldwide.