@IntCyberDigest: BREAKING: New research shows you can copy any signed GitHub commit into a second one that looks identical, without the …
Summary
New research from Carnegie Mellon shows that it's possible to create a distinct signed commit that appears identical to any existing signed commit, with a valid signature and GitHub 'Verified' badge, undermining the uniqueness of commit hashes as cryptographic fingerprints.
View Cached Full Text
Cached at: 07/07/26, 09:38 PM
BREAKING: New research shows you can copy any signed GitHub commit into a second one that looks identical, without the author’s secret key, creating a distinct commit with an identical tree, identical metadata, a valid signature, and a “Verified” badge from GitHub.
On GitHub, a green “Verified” badge is supposed to mean two things: a trusted author signed it, and its ID is a one-of-a-kind fingerprint for that exact code. A new Carnegie Mellon preprint from Jacob Ginesin says the second promise, the unique fingerprint, does not hold.
Why it matters: security teams and package systems (behind tools like Go, Nix, and GitHub Actions) trust that ID as a unique handle for code. Block or pin the “bad” version, and an attacker can re-issue the same signed code under a fresh, still-verified ID that slips past. The author says Git and GitHub have not fixed it.
PoC: https://github.com/JakeGinesin/git-chain-malleator…
JakeGinesin/git-chain-malleator
Source: https://github.com/JakeGinesin/git-chain-malleator
Git Hash Chain Malleability
Malleate the hash chains in your Git repositories using the malleable signatures on Git commits!
This repo provides a Nix flake wrapping interactive-malleator.py and setup-ghost.py with per-algorithm test cases. Each test sets up a $GNUPGHOME (or self-signed X.509), produces a signed commit, runs the malleator, and asserts the expected invariants.
layout
.
├── flake.nix
├── scripts/
│ ├── interactive-malleator.py # GPG: ECDSA / RSA / EdDSA
│ └── setup-ghost.py # S/MIME: CMS DER length re-encoding
└── tests/
├── lib.sh # shared: gpg setup, key gen, signed repo
├── test-ecdsa.sh # NIST P-256 -> algebraic s -> n − s
├── test-rsa.sh # RSA-2048 -> structural Tag 60
├── test-eddsa.sh # ed25519 -> structural Tag 60
├── test-smime.sh # CMS/X.509 -> DER length re-encoding
└── run-all.sh
usage
nix develop # dev shell (python3, git, gnupg, openssl)
bash tests/run-all.sh # run all the tests
bash tests/test-ecdsa.sh # single algorithm
bash tests/test-rsa.sh
bash tests/test-eddsa.sh
bash tests/test-smime.sh
# interactively malleate GPG-signed commits in your repo!
python3 scripts/interactive-malleator.py \
--repo /path/to/your/repo
nix flake check only sees files tracked by git, so git add . before running it.
expected results
| algorithm | malleation | local git verify-commit | github verified badge |
|---|---|---|---|
| ECDSA | algebraic (s → n − s) | PASS | PASS |
| RSA | structural (Tag 60) | PASS | PASS |
| EdDSA | structural (Tag 60) | PASS | PASS |
| S/MIME | DER length re-encoding | FAIL (via gpgsm) | PASS |
Each test asserts the local-side row of that table plus:
- malleated hash != original hash
- tree hash preserved (content-identical)
- for S/MIME: byte-diff confined to the
gpgsigheader
notes for maintainers
- Nixpkgs / any hash-pinning system: trust in
hash(commit)as a unique handle is likely unreliable; the same signed content produces N validVerifiedhashes git-verify-commitcallers: strict local verification catches structural malleation (RSA/EdDSA/S-MIME) but not ECDSA algebraic malleation. Pin to hash-based deduplication downstream of verification, not upstream.- CI/CD, Go proxy, Docker refs: same concern: commit hash is not a content-addressable primary key under a compromised signer or a malicious mirror.
Similar Articles
New Research: A "Verified" GitHub Commit Is NOT Unique
A new preprint by Jacob Ginesin reveals that verified GitHub commits can be manipulated to produce multiple valid signatures with different hashes, undermining the assumption of uniqueness and affecting supply-chain security.
Git Hash Chain Malleability
A research paper reveals that Git commit hashes can be malleated to produce a second valid commit with a different hash but identical content and valid signature, undermining trust in commit hash integrity and supply-chain security.
Megalodon: Mass GitHub Repo Backdooring via CI Workflows
A security research reveals a technique named Megalodon for mass backdooring of GitHub repositories by exploiting CI workflows.
GitLost: We Tricked GitHub's AI Agent into Leaking Private Repos
Noma Labs discovered a critical prompt injection vulnerability in GitHub's Agentic Workflows, allowing unauthenticated attackers to exfiltrate data from private repositories by posting a crafted GitHub issue in a public repository of the same organization.
I found 10k GitHub repositories distributing Trojan malware
A security researcher discovered over 10,000 GitHub repositories distributing Trojan malware by copying legitimate repositories and periodically updating readme files with malicious zip archives. The author developed a detection pattern and shared details on how the malware evades detection.