AI Security AI安全 2d ago Updated 2d ago 更新于 2天前 49

GitHub 'Verified' Commits Can Be Rewritten Into New Hashes Without Breaking Signatures GitHub“已验证”提交可重写为新哈希而不破坏签名

Research reveals that GitHub "Verified" commit badges can be retained while altering the commit hash through signature malleability, allowing attackers to bypass hash-based blocklists. The vulnerability stems from GitHub’s failure to normalize signatures before verification, enabling ECDSA, RSA/EdDSA, and S/MIME signatures to be rewritten into distinct but valid forms. This creates "hash chain malleability," where a single logical commit can exist under multiple unique hashes, undermining dedupl GitHub的“Verified”提交徽章存在漏洞,攻击者无需私钥即可通过签名可塑性生成具有不同哈希值但同样显示为“Verified”的重复提交。 该问题源于Git仓库平台未对签名进行规范化处理,导致相同的代码内容可以对应多个有效的提交哈希,破坏了哈希的唯一性假设。 此漏洞不影响代码内容的完整性验证,但会绕过基于提交哈希的黑名单、去重机制和可重现构建记录等安全控制措施。 研究指出修复责任在于代码托管平台(如GitHub),需在使用哈希前对签名进行规范化,目前尚未有主流平台发布官方补丁。

75
Hot 热度
70
Quality 质量
65
Impact 影响力

Analysis 深度分析

TL;DR

  • Research reveals that GitHub "Verified" commit badges can be retained while altering the commit hash through signature malleability, allowing attackers to bypass hash-based blocklists.
  • The vulnerability stems from GitHub’s failure to normalize signatures before verification, enabling ECDSA, RSA/EdDSA, and S/MIME signatures to be rewritten into distinct but valid forms.
  • This creates "hash chain malleability," where a single logical commit can exist under multiple unique hashes, undermining deduplication, provenance logging, and reproducible builds.
  • The issue is not a cryptographic collision but a protocol-level flaw in how forges handle signature encoding, requiring forge-side normalization rather than client-side fixes.
  • While pinning to specific commit hashes remains effective for fetching correct code, it fails to prevent the introduction of maliciously re-encoded versions of the same content under new hashes.

Why It Matters

This finding challenges the fundamental assumption that a verified commit hash serves as a unique, immutable identifier for software content, exposing critical gaps in software supply chain security. For AI practitioners and developers relying on automated dependency management or reproducible build systems, this vulnerability allows attackers to inject seemingly legitimate, signed code that evades hash-based detection mechanisms. It necessitates a shift in trust models, emphasizing that signature validity does not guarantee content uniqueness, thereby impacting how security tools and CI/CD pipelines validate dependencies.

Technical Details

  • Signature Malleability Exploits: Attackers can modify signature bytes without invalidating them: flipping the s value in ECDSA keys, adding ignored fields in RSA/EdDSA unhashed sections, or rewriting DER length fields in S/MIME structures.
  • Lack of Normalization: GitHub accepts non-canonical signature encodings (e.g., high-S ECDSA values, non-standard S/MIME lengths) that strict local tools like gpg or gpgsm would reject, leading to divergent verification results between local and remote environments.
  • Hash Chain Rewriting: Since Git commits reference parent hashes, altering a commit’s hash forces a rewrite of the entire descendant chain. The research provides a tool to automate this process, maintaining consistency while generating new, valid hashes.
  • Verification Bypass: Systems that rely solely on commit hashes for blocking or deduplication fail because the same content can be pushed with a new hash that retains the "Verified" badge, effectively bypassing existing security controls.
  • No Cryptographic Break: The attack does not involve breaking SHA-1/SHA-256 or finding collisions; it exploits the fact that multiple valid signature representations can map to different input bytes for the hash function.

Industry Insight

  • Forge Responsibility: Software forges like GitHub must implement strict signature normalization before verification and hash generation to ensure that a commit’s hash is truly unique to its content and signature state.
  • Defense in Depth: Developers and security teams should not rely exclusively on commit hashes for provenance; integrating file-level hashing (e.g., Nix-style fixed-output derivations) or attestation standards provides a necessary backup against hash malleability.
  • Audit Existing Pipelines: Organizations using hash-based allowlists or blocklists for dependency management should audit their tools to ensure they account for signature normalization, as current implementations may be vulnerable to bypass via malleated commits.

TL;DR

  • GitHub的“Verified”提交徽章存在漏洞,攻击者无需私钥即可通过签名可塑性生成具有不同哈希值但同样显示为“Verified”的重复提交。
  • 该问题源于Git仓库平台未对签名进行规范化处理,导致相同的代码内容可以对应多个有效的提交哈希,破坏了哈希的唯一性假设。
  • 此漏洞不影响代码内容的完整性验证,但会绕过基于提交哈希的黑名单、去重机制和可重现构建记录等安全控制措施。
  • 研究指出修复责任在于代码托管平台(如GitHub),需在使用哈希前对签名进行规范化,目前尚未有主流平台发布官方补丁。

为什么值得看

这项研究揭示了软件供应链安全中一个被忽视的基础假设缺陷:即“已签名提交的哈希是唯一的”。对于依赖哈希进行去重、溯源或访问控制的DevSecOps系统而言,这一漏洞可能导致安全策略失效。它提醒从业者在评估开源组件安全性时,不能仅依赖“Verified”标签,而应关注更底层的哈希规范化机制。

技术解析

  • 核心原理:利用密码学中的“签名可塑性”(Signature Malleability)。Git提交的哈希计算包含签名原始字节,而许多签名算法允许在不改变验证结果的前提下修改签名数据(如ECDSA中翻转s值、RSA/EdDSA中添加未哈希字段、S/MIME中重写长度字段),从而生成新的有效哈希。
  • 攻击向量:研究人员开发了公开工具,针对GitHub支持的三种主要签名方案(ECDSA、RSA/EdDSA、S/MIME)实施攻击。特别是S/MIME方案,GitHub接受了本地严格检查(gpgsm)所拒绝的非标准编码形式。
  • 链式影响:由于Git提交通过父节点哈希链接,篡改一个提交会导致其后续所有提交的哈希发生变化(称为“哈希链可塑性”)。虽然这会使后代失去签名徽章,但攻击者仍可重新签名或创建新的分支结构来维持“Verified”状态。
  • 非碰撞攻击:明确区分于哈希碰撞,这不是破解SHA-1/256,而是同一份内容因签名编码不同产生多个合法哈希。这类似于比特币早期面临的ECDSA对称性问题。

行业启示

  • 平台侧修复优先:代码托管平台必须实施签名规范化策略(Canonicalization),在验证签名和生成哈希前统一签名格式,确保每个唯一内容对应唯一哈希。这是解决此类问题的根本途径。
  • 纵深防御策略:开发者不应过度依赖“Verified”徽章作为内容完整性的唯一证明。对于关键依赖,应采用固定输出派生(如Nix)或多层哈希校验机制,结合文件内容哈希而非仅依赖提交元数据哈希。
  • 安全工具适配:现有的软件组成分析(SCA)、依赖锁定和供应链监控工具需要更新逻辑,在比对或阻断恶意提交时,应先规范化签名再计算哈希,否则可能因哈希变异而漏报或误报。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Open Source 开源 Security 安全 Research 科学研究