Diamond Member ThaHaka 0 Posted July 8 Diamond Member Share Posted July 8 This is the hidden content, please Sign In or Sign Up New research shows that a signed Git commit's hash is not the one-of-a-kind name that much of the software world assumes it to be. Given any signed commit, someone without the signing key can mint a second commit with the same files, author, and date, and a valid signature, GitHub still stamps "Verified." Everything a reviewer would check matches. The commit's hash does not. That matters This is the hidden content, please Sign In or Sign Up 0 Quote Link to comment https://hopzone.eu/forums/topic/320775-h4ckn3wsgithub-verified-commits-can-be-rewritten-into-new-hashes-without-breaking-signatures/ Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.