A critical vulnerability in Git's commit verification system has been uncovered by security researchers, revealing that GitHub's "Verified" commits may not be as trustworthy as previously believed. The discovery challenges a fundamental assumption about the integrity of signed commits, potentially exposing software supply chains to sophisticated attacks while maintaining the appearance of legitimacy.

According to the research, an attacker without access to the original signing key can create a second commit with identical content, author information, and timestamps while generating a completely different hash. What makes this particularly alarming is that GitHub continues to mark these manipulated commits with the "Verified" badge, creating a false sense of security for reviewers who rely on this verification. The visible elements that reviewers typically check—the files, author, date, and verification status—all appear legitimate, while the underlying hash has been altered without detection.

This finding has significant implications for security teams and the broader software development ecosystem. Git commit hashes have long been considered immutable identifiers that uniquely represent specific code changes. This assumption forms the foundation of trust in version control systems and is critical for maintaining software supply chain integrity. The ability to create separate commits with different hashes but identical verified metadata undermines this trust.

Security teams should recognize that this vulnerability creates a potential pathway for supply chain attacks. Malicious actors could theoretically inject code into repositories while maintaining verification badges, bypassing traditional security controls that