🟠 High | Source: The Hacker News
Researchers have found that GitHub’s ‘Verified’ badge on signed commits can be spoofed without access to the original signing key. An attacker can create a duplicate commit containing identical files, author details, and timestamp, complete with a valid signature, whilst producing a different commit hash. This undermines a core assumption in software supply chain security: that a verified commit is uniquely trustworthy.
Security Architect’s Take: Do not rely solely on GitHub’s ‘Verified’ badge as a supply chain integrity control. Supplement commit signing policies with hash-pinning in CI/CD pipelines, enforce SLSA provenance attestations, and cross-reference commit hashes in your build manifests against expected values rather than trusting the UI indicator alone.
Original advisory: GitHub ‘Verified’ Commits Can Be Rewritten Into New Hashes Without Breaking Signatures