Tag
A new preprint by Jacob Ginesin reveals that verified GitHub commits can be manipulated to produce multiple valid signatures with different hashes, undermining the assumption of uniqueness and affecting supply-chain security.