The Hacker NewsThursday · July 9, 2026FREE

GitHub 'Verified' Commits Can Be Rewritten Into New Hashes Without Breaking Signatures

githubsecuritysupply-chaingit

Security researchers have identified a flaw in GitHub's commit verification system where a 'verified' commit's cryptographic signature remains valid even after the commit content is rewritten to produce a new hash. This undermines the integrity guarantee that verified commits are supposed to provide. The attack exploits the fact that Git commit signatures are applied to the commit object, but the verification process does not cryptographically bind the signature to the exact commit content in a way that prevents hash rewriting. As a result, an attacker can modify the commit message, tree, or parent hash without invalidating the signature. This could allow malicious code to be introduced into a repository while maintaining the appearance of a verified, trusted commit. The researchers demonstrated the attack on GitHub's platform, showing that the 'Verified' badge persists after the rewrite. The vulnerability affects all repositories that rely on GitHub's commit signature verification for trust, including those using GPG, S/MIME, or SSH signatures. GitHub has been notified but has not yet released a fix.

// why it matters

Verified commits can no longer be trusted as immutable proof of content integrity.

Sources

Primary · The Hacker News
▸ Read original at thehackernews.com

Like this? Get the next digest.