GitHub commit Verification logic flaw and bypass
A flaw in GitHub's commit verification process has been identified, allowing for potential spoofing of commit authors. The issue arises from the fact that the verification only checks the committer's key, not the author's identity. This design decision creates a significant trust gap, as the UI misleadingly displays a 'Verified' badge next to the author's name without proper validation.
- ▪GitHub's commit verification can be spoofed if users do not opt into Vigilant Mode and use a registered GPG key.
- ▪The verification process only checks the committer's key, not the author's identity, leading to potential misrepresentation.
- ▪GitHub is aware of the author-committer mismatch issue but has made the defense opt-in and off by default.
Opening excerpt (first ~120 words) tap to expand
I know Git is not designed to use in the way GitHub is operating under and the spoofying had been an old issue that had been brought up throughout the years. With Shai Hulud and AI Agent, this time is abit more serious as the commit verification can be spoofed as well if you did not op in Vigilant Mode AND with a registered GPG key.I understand there are limitations to platform and the Git itself, but design decision and design flaw are totally different things. With the very frustrating bug bounty report dismissal and the ironic branding of commit verification as a mitigation method by the MSRC, I had waited long enough to post it here.GitHub clearly have the chance to do verification associating with the platform auth token and the user registered email but they chosen not to.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at Ycombinator.