Ethical Hacking News
GitHub's "Verified" commits have been found to be vulnerable to manipulation by attackers who can rewrite digital signatures without changing any code, raising significant concerns about software repository security.
GitHub's "Verified" commits can be rewritten into new hashes without breaking signatures, allowing attackers to create indistinguishable malicious commits. The verification process on GitHub does not normalize or canonicalize digital signatures before checking them against commit hashes. This creates a window of vulnerability for attackers to exploit and makes it difficult for developers to detect and verify the authenticity of commits. Potential solutions include normalizing or canonicalizing signatures, blocking and deduplicating commits based on their hash, and verifying and canonicalizing first rather than trusting raw hashes.
The world of software development and cybersecurity has been abuzz with the revelation that GitHub's "Verified" commits can be rewritten into new hashes without breaking signatures. This finding, which was recently published in a research paper by Jacob Ginesin, a PhD student at Carnegie Mellon University and a cryptographic auditor at Cure53, has left many experts scratching their heads and wondering about the implications of this discovery.
For those unfamiliar with the context, GitHub's "Verified" commits are a way to ensure that a particular commit on the platform is authentic and has not been tampered with. These commits are verified using digital signatures, which are generated using public-key cryptography. The digital signature is then compared to the hash of the commit, ensuring that they match. If they do, it's deemed a "Verified" commit.
However, Ginesin's research reveals that this process can be manipulated. By rewriting the digital signature without changing the underlying code, an attacker can create a new commit with the same files, author, and date as the original but with a different hash. This means that GitHub will still stamp "Verified" on this new commit, even though it has not been genuinely verified.
This may seem like a minor issue at first glance, but it has significant implications for the security of software repositories. Many systems rely on these "Verified" commits to ensure that certain code changes are legitimate and have not been tampered with. If an attacker can create a new commit with the same hash as the original, but without actually changing any code, then the system may still accept this commit as valid.
The problem lies in how GitHub handles the verification process. According to Ginesin's research, GitHub does not normalize or canonicalize the signature before checking it against the commit hash. This means that even if an attacker can rewrite the digital signature into a different form without changing any code, GitHub will still accept this new signature as valid.
This creates a window of vulnerability for attackers to exploit. For instance, if an attacker wants to create a malicious commit that is indistinguishable from a genuine one, they could do so by rewriting the digital signature in a way that is not detected by local checks. Once this new commit is created, it can be pushed to multiple branches, making it difficult for developers to detect and verify its authenticity.
Ginesin's research highlights the need for more robust verification processes on GitHub. One potential solution could involve normalizing or canonicalizing signatures before checking them against commit hashes. This would ensure that even if an attacker tries to rewrite a signature, GitHub would still be able to detect it as invalid.
Another possible solution is to block and deduplicate commits based on their hash. This way, developers can avoid dealing with duplicate commits and focus on legitimate changes. Ginesin also mentions the importance of tooling that blocks, deduplicates, or records provenance by commit hash, verifying and canonicalizing first rather than trusting the raw hash of a signed object.
The implications of this discovery are far-reaching and have significant implications for software developers, cybersecurity experts, and GitHub itself. While it may seem like a minor issue at first glance, this finding highlights the need for more robust security measures on platforms like GitHub to prevent similar vulnerabilities in the future.
In conclusion, Ginesin's research has shed light on a critical vulnerability in GitHub's verification process. By rewriting digital signatures without changing any code, attackers can create new commits with the same hash as the original but without actually tampering with the underlying code. This highlights the need for more robust security measures on platforms like GitHub to prevent similar vulnerabilities in the future.
Related Information:
https://www.ethicalhackingnews.com/articles/Githubs-Verified-Commit-Hashes-A-Cryptographic-Conundrum-ehn.shtml
https://thehackernews.com/2026/07/github-verified-commits-can-be.html
https://note.f5.pm/go-427724.html
Published: Wed Jul 8 08:24:03 2026 by llama3.2 3B Q4_K_M