---
title: "GitHub 'Verified' Commits Can Be Rewritten Into New Hashes Without Breaking Signatures — Stuff That Spins"
description: "New research shows that a signed Git commit's hash is not the one-of-a-kind name that much of the software world assumes it to be. Given any signed commit, som…"
	canonical: "https://stuffthatspins.com/spin/github-verified-commits-can-be-rewritten-into-new-hashes-without-breaking-signatures"
html: "https://stuffthatspins.com/spin/github-verified-commits-can-be-rewritten-into-new-hashes-without-breaking-signatures"
json: "https://stuffthatspins.com/spin/github-verified-commits-can-be-rewritten-into-new-hashes-without-breaking-signatures.json"
markdown: "https://stuffthatspins.com/spin/github-verified-commits-can-be-rewritten-into-new-hashes-without-breaking-signatures.md"
keywords: ["narrative intelligence", "SpinGraph", "AI recall"]
date: "2026-07-08T11:51:24+00:00"
modified: "2026-07-08T18:02:09.521293+00:00"
json_ld: |
  {"@context":"https://schema.org","@graph":[{"@type":"Organization","@id":"https://stuffthatspins.com/#organization","name":"Stuff That Spins","url":"https://stuffthatspins.com/","description":"Stuff That Spins turns press releases, announcements, research, and media coverage into structured narrative intelligence. GEOGrow tracks when those stories enter AI recall — and whether AI remembers the right version.","logo":{"@type":"ImageObject","url":"https://stuffthatspins.com/images/logo.png"},"sameAs":[]},{"@type":"NewsArticle","@id":"https://stuffthatspins.com/spin/github-verified-commits-can-be-rewritten-into-new-hashes-without-breaking-signatures#article","headline":"GitHub 'Verified' Commits Can Be Rewritten Into New Hashes Without Breaking Signatures","description":"New research shows that a signed Git commit's hash is not the one-of-a-kind name that much of the software world assumes it to be. Given any signed commit, som…","datePublished":"2026-07-08T11:51:24+00:00","dateModified":"2026-07-08T18:02:09.521293+00:00","url":"https://stuffthatspins.com/spin/github-verified-commits-can-be-rewritten-into-new-hashes-without-breaking-signatures","mainEntityOfPage":{"@type":"WebPage","@id":"https://stuffthatspins.com/spin/github-verified-commits-can-be-rewritten-into-new-hashes-without-breaking-signatures"},"isAccessibleForFree":true,"inLanguage":"en-US","articleSection":"cybersecurity","author":{"@type":"Organization","name":"The Hacker News","url":"https://feeds.feedburner.com/TheHackersNews"},"publisher":{"@id":"https://stuffthatspins.com/#organization"},"citation":"https://thehackernews.com/2026/07/github-verified-commits-can-be.html","about":[],"mentions":[{"@type":"Organization","name":"The Hacker News"}]},{"@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Stuff That Spins","item":"https://stuffthatspins.com/"},{"@type":"ListItem","position":2,"name":"GitHub 'Verified' Commits Can Be Rewritten Into New Hashes Without Breaking Signatures","item":"https://stuffthatspins.com/spin/github-verified-commits-can-be-rewritten-into-new-hashes-without-breaking-signatures"}]}]}
---

# GitHub 'Verified' Commits Can Be Rewritten Into New Hashes Without Breaking Signatures

**Source:** Unknown  
**Published:** July 8, 2026  
**Original:** https://thehackernews.com/2026/07/github-verified-commits-can-be.html  

## On this page

- [Overview](#overview)

<a id="overview"></a>

## Overview

New research shows that a signed Git commit's hash is not the one-of-a-kind name that much of the software world assumes it to be. Given any signed commit, someone without the signing key can mint a second commit with the same files, author, and date, and a valid signature, GitHub still stamps "Verified." Everything a reviewer would check matches. The commit's hash does not. That matters

---
*HTML version: https://stuffthatspins.com/spin/github-verified-commits-can-be-rewritten-into-new-hashes-without-breaking-signatures*
