CyberSecurity News
GitHub 'Verified' Commits Can Be Rewritten Into New Hashes Without Breaking Signatures
AI summary
Researchers have discovered that a signed Git commit's unique identifier is not as unique as previously thought. It is possible to create a new commit with the same files, author, and date as an existing signed commit, and still have a valid signature. Despite having a different hash, GitHub will label such a commit as "Verified". This means that everything a reviewer checks will match the original commit, except for the hash. This finding challenges the assumption that a commit's hash is a one-of-a-kind identifier. The difference in hash values has significant implications.
This is an AI-generated brief aggregated by HackerFeeds for convenience and grounded in the source’s own summary; the related CVE, threat-group and country data is from HackerFeeds’ own indexes. The original article is the authoritative source — all rights belong to The Hacker News.

