A study has demonstrated that Git commit signatures can be manipulated to produce distinct commits with identical content and valid signatures. This "hash chain malleability" poses risks to various systems relying on the integrity of commit hashes, such as dependency management and reproducible builds.
Recent research reveals a vulnerability in Git's commit signing mechanism, which is presumed to ensure that each commit hash uniquely identifies signed content. This paper unveils how this assumption can be violated, allowing for the generation of new commits that appear legitimate despite being altered.
The study identifies three primary methods through which hash chain malleability can occur:
1. **Algebraic Inversion**: This involves altering the signature in ECDSA resulting in a valid but different commit hash.
2. **Structural Insertion**: This method allows an attacker to insert an unhashed OpenPGP subpacket into RSA and EdDSA signatures, leading to valid alterations.
3. **Non-canonical Encoding**: This manipulates the length encoding in DER format within CMS envelopes, affecting S/MIME signatures.
These vulnerabilities have significant implications for systems that rely on the immutability of commit hashes. For instance, dependency management systems, such as Nixpkgs and Go modules, and platforms like GitHub Actions could be affected, undermining the reliability of records that treat commit hashes as definitive indicators of content.
The researchers provide proof-of-concept tooling that automates the highlighted malleation methods. This tool demonstrates the feasibility of these attacks in a practical context, raising alarm about the current trust model employed by Git and related systems.
β¨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors β check the original sources. How BrevFeed works β
A study has demonstrated that Git commit signatures can be manipulated to produce distinct commits with identical content and valid signatures. This "hash chain malleability" poses risks to various systems relying on the integrity of commit hashes, such as dependency management and reproducible builds.