Tagged articles

commit hash

2 articles · Page 1 of 1
Black & White Path
Black & White Path
Jul 15, 2026 · Information Security

GitHub Verified Badge Is Malleable: Identical Code, Multiple Valid Commit Hashes

A Carnegie Mellon PhD student uncovered a fundamental flaw in GitHub's "Verified" badge that lets an attacker, without the signing key, generate a second commit with the same tree, timestamp and a valid signature but a different hash, compromising any system that treats the commit hash as an immutable identifier.

GitGitHubVerified badge
0 likes · 8 min read
GitHub Verified Badge Is Malleable: Identical Code, Multiple Valid Commit Hashes