Git Hash Chain Malleability: How Signed Commits Can Be Forged Without Breaking SHA2
Git Hash Chain Malleability

I demonstrate that Git commit signing fails to guarantee unique identification, allowing attackers to create distinct commits with identical content and valid signatures without breaking SHA2. By exploiting flaws in ECDSA, RSA, EdDSA, and S/MIME implementations, one can generate a modified commit that retains a Verified badge on GitHub. This hash chain malleability threatens dependency pinning in Nixpkgs and Go modules, as well as reproducible build systems relying on commit hashes as primary keys.
"Given any signed commit, an attacker without access to the signing key, and without breaking SHA2 can produce a second, distinct commit with an identical tree, identical metadata, a valid signature, and a Verified badge from a Git Forge such as Github, differing only in its commit hash."