GitHub 'Verified' Commits Can Be Rewritten Into New Hashes Without Breaking Signatures
Research reveals that GitHub "Verified" commit badges can be retained while altering the commit hash through signature malleability, allowing attackers to bypass hash-based blocklists. The vulnerability stems from GitHub’s failure to normalize signatures before verification, enabling ECDSA, RSA/EdDSA, and S/MIME signatures to be rewritten into distinct but valid forms. This creates "hash chain malleability," where a single logical commit can exist under multiple unique hashes, undermining dedupl
Analysis
TL;DR
- Research reveals that GitHub "Verified" commit badges can be retained while altering the commit hash through signature malleability, allowing attackers to bypass hash-based blocklists.
- The vulnerability stems from GitHub’s failure to normalize signatures before verification, enabling ECDSA, RSA/EdDSA, and S/MIME signatures to be rewritten into distinct but valid forms.
- This creates "hash chain malleability," where a single logical commit can exist under multiple unique hashes, undermining deduplication, provenance logging, and reproducible builds.
- The issue is not a cryptographic collision but a protocol-level flaw in how forges handle signature encoding, requiring forge-side normalization rather than client-side fixes.
- While pinning to specific commit hashes remains effective for fetching correct code, it fails to prevent the introduction of maliciously re-encoded versions of the same content under new hashes.
Why It Matters
This finding challenges the fundamental assumption that a verified commit hash serves as a unique, immutable identifier for software content, exposing critical gaps in software supply chain security. For AI practitioners and developers relying on automated dependency management or reproducible build systems, this vulnerability allows attackers to inject seemingly legitimate, signed code that evades hash-based detection mechanisms. It necessitates a shift in trust models, emphasizing that signature validity does not guarantee content uniqueness, thereby impacting how security tools and CI/CD pipelines validate dependencies.
Technical Details
- Signature Malleability Exploits: Attackers can modify signature bytes without invalidating them: flipping the
svalue in ECDSA keys, adding ignored fields in RSA/EdDSA unhashed sections, or rewriting DER length fields in S/MIME structures. - Lack of Normalization: GitHub accepts non-canonical signature encodings (e.g., high-S ECDSA values, non-standard S/MIME lengths) that strict local tools like
gpgorgpgsmwould reject, leading to divergent verification results between local and remote environments. - Hash Chain Rewriting: Since Git commits reference parent hashes, altering a commit’s hash forces a rewrite of the entire descendant chain. The research provides a tool to automate this process, maintaining consistency while generating new, valid hashes.
- Verification Bypass: Systems that rely solely on commit hashes for blocking or deduplication fail because the same content can be pushed with a new hash that retains the "Verified" badge, effectively bypassing existing security controls.
- No Cryptographic Break: The attack does not involve breaking SHA-1/SHA-256 or finding collisions; it exploits the fact that multiple valid signature representations can map to different input bytes for the hash function.
Industry Insight
- Forge Responsibility: Software forges like GitHub must implement strict signature normalization before verification and hash generation to ensure that a commit’s hash is truly unique to its content and signature state.
- Defense in Depth: Developers and security teams should not rely exclusively on commit hashes for provenance; integrating file-level hashing (e.g., Nix-style fixed-output derivations) or attestation standards provides a necessary backup against hash malleability.
- Audit Existing Pipelines: Organizations using hash-based allowlists or blocklists for dependency management should audit their tools to ensure they account for signature normalization, as current implementations may be vulnerable to bypass via malleated commits.
Disclaimer: The above content is generated by AI and is for reference only.