The Bottom Line: Git commit signatures do not protect against hash collisions, as the same signed content can produce multiple different commit hashes with valid signatures.
Research shows that signed Git commits are not uniquely identifiable by their hash values: An attacker can, without access to the private key, create a second commit with identical files, author, and timestamp that is also displayed as “Verified” on GitHub – only the hash value differs.
The security model of Git and GitHub is based on the assumption that each commit is identified by a unique cryptographic hash. Research findings now suggest that this assumption is flawed: An attacker can generate a second commit for every signed commit that contains the same files, author information, and timestamp and will also be marked with the green “Verified” badge by GitHub – only the hash value is different.
For code review and security audits, this is relevant because reviewers typically check the following control points: signed status, author, date, and file contents. All of these attributes match when an attacker creates such a duplicate commit. The different hash often goes unnoticed, even though it is the actual repository integrity marker.
The implication for CISOs is significant: Supply-chain security measures that rely on Git signatures and commit hashes as a control element could be bypassed by this technique. Code scanning tools and audit trails that track or validate commits by their hashes could be misconfigured if they do not explicitly verify the uniqueness and immutability of the hash itself.
One concrete protective measure is not to regard commit hashes as sufficient, but instead to implement additional verification mechanisms such as signatures at the Merkle tree level or external attestation systems. At the same time, developer policies should make clear that the “Verified” badge alone does not protect against this form of attack.
Source: thehackernews.com · Published 8 July 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.3.