Git Hash Chain Malleability Allows Signature Forgery via Data Representation
July 7, 2026
Attackers can produce distinct commits with identical trees and metadata that maintain valid signatures and GitHub Verified badges without breaking SHA2 or accessing private keys. This malleability exploits algebraic inversions in data representations, causing a cascade of modified hashes throughout the entire commit history.
HOW THIS AFFECTS YOU
●
builderYou must audit how your CI/CD pipelines rely on Git commit hashes for security and provenance.
●
policyThis finding undermines the legal and technical certainty of signed code provenance in supply chain security.