DigiNews

Tech Watch by Johan Denoyer

← Back to articles

Git Hash Chain Malleability

Quality: 8/10 Relevance: 9/10

Summary

A recent arXiv paper demonstrates that Git commit signing does not guarantee hash immutability; attackers can create distinct commits with identical trees and signatures, producing a 'Verified' badge while altering the hash. The work outlines three malleation routes and discusses consequences for hash-based pinning, reproducible builds, and content-addressable systems, highlighting potential security implications for SCM workflows.

🚀 Service construit par Johan Denoyer