GitHub verified commits vulnerable to hash malleability
๐ New research shows that a signed Git commit's hash can be changed without altering files, author, or date, and GitHub still marks the resulting commit as Verified. An attacker can re-push identical content under a fresh, validly signed hash, defeating blocklists, deduplication, and provenance systems that trust commit hashes as unique names. The issue stems from signature malleability across ECDSA, RSA/EdDSA, and S/MIME schemes and the forge-side practice of not normalizing signatures before recording verification.
