
GitHub Verified Badge Can Appear on Multiple Hashes for Same Signed Commit
A new disclosure reveals that a GitHub “Verified” badge does not guarantee that a commit hash uniquely identifies signed content, undermining a core assumption behind hash-based security controls across the software supply chain. ‘ Jacob Ginesin demonstrates that an attacker without the signing key and without breaking SHA-2 can produce a second, byte-distinct commit with […]
The post GitHub Verified Badge Can Appear on Multiple Hashes for Same Signed Commit appeared first on Cyber Security News.