GitHub 'Verified' Commits Can Be Rewritten Into New Hashes Without Breaking Signatures
GitHub 'Verified' Commits Can Be Rewritten Into New Hashes Without Breaking Signatures
08 July 2026
New research shows that a signed Git commit's hash is not the one-of-a-kind name that much of the software world assumes it to be. Given any signed commit, someone without the signing key can mint a second commit with the same files, author, and date, and a valid signature, GitHub still stamps "Verified."
Everything a reviewer would check matches. The commit's hash does not. That matters