A Carnegie Mellon preprint shows that an attacker without the signing key can turn any signed commit into a second, content-identical commit that still earns a "Verified" badge and a different hash. The author says Git and GitHub have not fixed it.
My understanding is that you’d end up with two divergent histories and you can’t tell which one is the original. I don’t know how it could be abused off top of my head, but generally speaking people tend to find ways to abuse these kinds of things.
My understanding is that you’d end up with two divergent histories and you can’t tell which one is the original. I don’t know how it could be abused off top of my head, but generally speaking people tend to find ways to abuse these kinds of things.