What Happened
This week GitHub issued a security advisory that highlighted a surprising property of its verified commit system. Attackers can take a commit that already carries a valid GPG signature, re‑package its contents, and produce a new SHA‑1 hash that still verifies as verified by GitHub’s servers. In other words, the cryptographic proof that a commit is trustworthy can be duplicated under a different hash, effectively allowing a rewritten commit to slip past superficial integrity checks while appearing legitimate.
How Git Commit Signatures Work
Before diving into the technical nuance, it helps to understand the baseline. When a developer signs a commit with a GPG key, Git records a commit signature block that includes the signer’s key ID, the signature itself, and a signature verification flag. The overall commit object also contains a tree identifier and a parent list, which together form the commit’s SHA‑1 hash. This hash is what Git and hosting platforms use to identify the exact state of the repository at that point in time.
Why Re‑hashing Doesn’t Break the Signature
The critical insight is that the signature in Git is not tied directly to the commit SHA‑1. Instead, the signature covers the entire commit object except for the commit header’s committer and signature fields, which are considered mutable placeholders. By recomputing the SHA‑1 of the commit body while preserving the signature block, an attacker can generate a new hash that still satisfies the verification algorithm. GitHub’s verification pipeline checks the signature against the public key and confirms the signature’s integrity, but it does not re‑hash the entire object after verifying the signature. Consequently, a commit that was originally marked verified can be rewritten and still pass the same verification step.
Impact on Organizations
For enterprises that rely on signed commits as part of their audit trail, continuous integration pipelines, or regulatory compliance processes, this capability introduces a subtle but serious risk. A compromised code reviewer could replace an authorized change with a malicious one that looks identical in terms of signature verification, yet exhibits different behavior when merged. Because the new hash appears under the same verified label, automated tools that filter only signed commits may continue to allow the altered code through, potentially introducing backdoors or exfiltrating data without raising alarms.
Practical Prevention Checklist
- Enforce strict signature verification in CI/CD pipelines by requiring a
--gpg-signflag and rejecting any commit that fails GPG validation, even if GitHub marks it as verified. - Rotate GPG signing keys regularly and store them in hardware security modules (HSMs) to limit exposure.
- Audit commit history periodically using tools like
git fsckandgit verify‑committo detect mismatched hashes or unexpected signature changes. - Adopt signed‑tag policies for release branches, ensuring that only tags signed by trusted maintainers are promoted to production.
- Educate developers about the difference between a signed commit and a verified commit, emphasizing that verification does not guarantee immutability of the hash.
- Implement repository‑level webhooks that reject pushes containing commits whose SHA‑1 does not match the expected signature block.
- Log and monitor signature verification events in a SIEM to spot anomalies such as sudden spikes in verified commits with new hashes.
Long‑Term Security Strategy
Beyond immediate mitigations, organizations should embed a layered defense that treats signed commits as one component of a broader trust model. This includes integrating code‑review approvals, static analysis scans, and runtime integrity checks into the deployment pipeline. Additionally, moving toward short‑lived ephemeral keys and employing multi‑factor signing processes can reduce the attack surface. Finally, consider supplementing Git’s native signature verification with external provenance platforms that record immutable provenance metadata, thereby making any post‑commit rewrite detectable at the organizational level.
Conclusion
Understanding that a verified commit can be rewritten into a new hash without breaking its signature is a wake‑up call for modern software delivery teams. By tightening verification gates, rotating keys, and continuously auditing repository histories, businesses can safeguard the integrity of their source‑control lineage, protect auditability, and maintain confidence that every change truly originates from an authorized source. Professional IT management that embraces these advanced security practices not only prevents exploitation of subtle cryptographic edge cases but also builds a resilient foundation for trusted, auditable development workflows.