Git Hash Chain Malleability
Summary
A recent arXiv paper demonstrates that Git commit signing does not guarantee hash immutability; attackers can create distinct commits with identical trees and signatures, producing a 'Verified' badge while altering the hash. The work outlines three malleation routes and discusses consequences for hash-based pinning, reproducible builds, and content-addressable systems, highlighting potential security implications for SCM workflows.