Tag
A research paper reveals that Git commit hashes can be malleated to produce a second valid commit with a different hash but identical content and valid signature, undermining trust in commit hash integrity and supply-chain security.
New research from Carnegie Mellon shows that it's possible to create a distinct signed commit that appears identical to any existing signed commit, with a valid signature and GitHub 'Verified' badge, undermining the uniqueness of commit hashes as cryptographic fingerprints.