• ☆ Yσɠƚԋσʂ ☆@lemmy.mlOP
    link
    fedilink
    arrow-up
    3
    ·
    7 hours ago

    A green “Verified” badge on GitHub is supposed to mean that a trusted author signed it, and its ID is a one of a kind fingerprint for that exact code. Turns out that the second promise of a unique fingerprint does not hold. It matters because security teams and package systems behind tools like Go, Nix, and GitHub Actions trust that ID as a unique handle for code. An attacker can reissue the same signed code under a fresh ID that’s still verified to slip past.

    • kevincox@lemmy.ml
      link
      fedilink
      arrow-up
      3
      ·
      edit-2
      6 hours ago

      I don’t understand. Why does having two commit IDs with the exact same code cause problems.

      A green “Verified” badge on GitHub is supposed to mean that a trusted author signed it

      The author did sign it. It is the exact same code.

      An attacker can reissue the same signed code under a fresh ID that’s still verified to slip past.

      To split past what? At best it seems that they would be able to have a different ID for the exact same code, which seems harmless? Slightly confusing at worst.

      Nix also doesn’t use PGP signatures, it requires a separate hash of the resulting commit (the files with the .git directory stripped by default).

      • ☆ Yσɠƚԋσʂ ☆@lemmy.mlOP
        link
        fedilink
        arrow-up
        3
        ·
        5 hours ago

        Right, it’s not a serious exploit which would allow changing code, but it does allow compromising integrity because changing the id mutates history.

      • jatone@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        6 hours ago

        sounds like the author thinks because their purist definition is violated its a problem vs it actually being a problem. im in the same boat as you. I dont see the issue with the commit hash changing long as the code doesnt change.