TiliBrief
S&P5,572.85 +0.8% NASDAQ18,352.76 +1.2% DOW39,375.87 +0.5%
Cyber

GitHub 'Verified' Commits Can Be Rewritten Into New Hashes Without Breaking Signatures

GitHub 'Verified' Commits Can Be Rewritten Into New Hashes Without Breaking Signatures

New research shows that a signed Git commit's hash is not the one-of-a-kind name that much of the software world assumes it to be. Given any signed commit, someone without the signing key can mint a second commit with the same files, author, and date, and a valid signature, GitHub still stamps "Verified." Everything a reviewer would check matches. The commit's hash does not. That matters

Read full article on The Hacker News →