@IntCyberDigest: BREAKING: New research shows you can copy any signed GitHub commit into a second one that looks identical, without the …

X AI KOLs Timeline Papers

Summary

New research from Carnegie Mellon shows that it's possible to create a distinct signed commit that appears identical to any existing signed commit, with a valid signature and GitHub 'Verified' badge, undermining the uniqueness of commit hashes as cryptographic fingerprints.

BREAKING: New research shows you can copy any signed GitHub commit into a second one that looks identical, without the author's secret key, creating a distinct commit with an identical tree, identical metadata, a valid signature, and a "Verified" badge from GitHub. On GitHub, a green "Verified" badge is supposed to mean two things: a trusted author signed it, and its ID is a one-of-a-kind fingerprint for that exact code. A new Carnegie Mellon preprint from Jacob Ginesin says the second promise, the unique fingerprint, does not hold. Why it matters: security teams and package systems (behind tools like Go, Nix, and GitHub Actions) trust that ID as a unique handle for code. Block or pin the "bad" version, and an attacker can re-issue the same signed code under a fresh, still-verified ID that slips past. The author says Git and GitHub have not fixed it. PoC: https://github.com/JakeGinesin/git-chain-malleator…
Original Article
View Cached Full Text

Cached at: 07/07/26, 09:38 PM

BREAKING: New research shows you can copy any signed GitHub commit into a second one that looks identical, without the author’s secret key, creating a distinct commit with an identical tree, identical metadata, a valid signature, and a “Verified” badge from GitHub.

On GitHub, a green “Verified” badge is supposed to mean two things: a trusted author signed it, and its ID is a one-of-a-kind fingerprint for that exact code. A new Carnegie Mellon preprint from Jacob Ginesin says the second promise, the unique fingerprint, does not hold.

Why it matters: security teams and package systems (behind tools like Go, Nix, and GitHub Actions) trust that ID as a unique handle for code. Block or pin the “bad” version, and an attacker can re-issue the same signed code under a fresh, still-verified ID that slips past. The author says Git and GitHub have not fixed it.

PoC: https://github.com/JakeGinesin/git-chain-malleator…


JakeGinesin/git-chain-malleator

Source: https://github.com/JakeGinesin/git-chain-malleator

Git Hash Chain Malleability

Malleate the hash chains in your Git repositories using the malleable signatures on Git commits!

This repo provides a Nix flake wrapping interactive-malleator.py and setup-ghost.py with per-algorithm test cases. Each test sets up a $GNUPGHOME (or self-signed X.509), produces a signed commit, runs the malleator, and asserts the expected invariants.

layout

.
├── flake.nix
├── scripts/
│   ├── interactive-malleator.py     # GPG:  ECDSA / RSA / EdDSA
│   └── setup-ghost.py               # S/MIME: CMS DER length re-encoding
└── tests/
    ├── lib.sh                       # shared: gpg setup, key gen, signed repo
    ├── test-ecdsa.sh                # NIST P-256 -> algebraic s -> n − s
    ├── test-rsa.sh                  # RSA-2048   -> structural Tag 60
    ├── test-eddsa.sh                # ed25519    -> structural Tag 60
    ├── test-smime.sh                # CMS/X.509  -> DER length re-encoding
    └── run-all.sh

usage

nix develop                    # dev shell (python3, git, gnupg, openssl)
bash tests/run-all.sh          # run all the tests

bash tests/test-ecdsa.sh       # single algorithm
bash tests/test-rsa.sh
bash tests/test-eddsa.sh
bash tests/test-smime.sh

# interactively malleate GPG-signed commits in your repo! 
python3 scripts/interactive-malleator.py \ 
    --repo /path/to/your/repo  

nix flake check only sees files tracked by git, so git add . before running it.

expected results

algorithmmalleationlocal git verify-commitgithub verified badge
ECDSAalgebraic (s → n − s)PASSPASS
RSAstructural (Tag 60)PASSPASS
EdDSAstructural (Tag 60)PASSPASS
S/MIMEDER length re-encodingFAIL (via gpgsm)PASS

Each test asserts the local-side row of that table plus:

  • malleated hash != original hash
  • tree hash preserved (content-identical)
  • for S/MIME: byte-diff confined to the gpgsig header

notes for maintainers

  • Nixpkgs / any hash-pinning system: trust in hash(commit) as a unique handle is likely unreliable; the same signed content produces N valid Verified hashes
  • git-verify-commit callers: strict local verification catches structural malleation (RSA/EdDSA/S-MIME) but not ECDSA algebraic malleation. Pin to hash-based deduplication downstream of verification, not upstream.
  • CI/CD, Go proxy, Docker refs: same concern: commit hash is not a content-addressable primary key under a compromised signer or a malicious mirror.

Similar Articles

New Research: A "Verified" GitHub Commit Is NOT Unique

Lobsters Hottest

A new preprint by Jacob Ginesin reveals that verified GitHub commits can be manipulated to produce multiple valid signatures with different hashes, undermining the assumption of uniqueness and affecting supply-chain security.

Git Hash Chain Malleability

Hacker News Top

A research paper reveals that Git commit hashes can be malleated to produce a second valid commit with a different hash but identical content and valid signature, undermining trust in commit hash integrity and supply-chain security.

GitLost: We Tricked GitHub's AI Agent into Leaking Private Repos

Hacker News Top

Noma Labs discovered a critical prompt injection vulnerability in GitHub's Agentic Workflows, allowing unauthenticated attackers to exfiltrate data from private repositories by posting a crafted GitHub issue in a public repository of the same organization.

I found 10k GitHub repositories distributing Trojan malware

Hacker News Top

A security researcher discovered over 10,000 GitHub repositories distributing Trojan malware by copying legitimate repositories and periodically updating readme files with malicious zip archives. The author developed a detection pattern and shared details on how the malware evades detection.