New Research: A 'Verified' GitHub Commit Is NOT Unique
Summary
New research reveals a potential supply-chain risk where a signed Git commit can yield a distinct, verifiable commit with identical content, exposing a weakness in the GitHub verification workflow. The concept, called hash chain malleability, shows that signature malleability across multiple crypto schemes can lead to multiple durable Verified records for the same signed content. The article emphasizes the need for canonicalizing signatures or updating verification practices to mitigate risk in software supply chains.