GitHub recently announced a nuance that has sparked discussion across the developer community: a commit that is marked as Verified can be rewritten into a new SHA‑1 hash without invalidating its cryptographic signature. While the headline may sound like a theoretical curiosity, the practical impact on enterprise codebases is significant. This post dissects the phenomenon, explains the underlying mechanics, and provides a concrete checklist for IT and security teams to safeguard their repositories.

What Are Verified Commits?

When a commit is signed with a GPG key and the signature is verified by GitHub, the platform displays a green checkmark indicating that the author identity has been cryptographically proven. This badge is meant to assure reviewers that the commit truly originates from the claimed author and that its contents have not been altered after signing.

How Git Signatures Work

Git signatures are not stored as a separate file; they are embedded within the commit object itself. The signature covers the entire commit payload – including the tree hash, parent commit hash, author date, and commit message. During verification, Git recomputes the hash of the commit and checks it against the signed data. If the verification succeeds, GitHub marks the commit as Verified.

Why Rewriting a Commit Changes Its Hash

Every commit in Git is identified by a unique SHA‑1 (or SHA‑256) hash that is derived from its entire content. If any part of the commit – such as the message, the author line, or the tree – is altered, the resulting hash will be different. Consequently, a rewritten commit will have a new hash, breaking the assumption that the original signature still applies.

The Unexpected Possibility: Re‑signing After Rewrite

What the recent news reveals is that a malicious actor can take a previously verified commit, modify its contents, generate a brand‑new hash, and then produce a fresh GPG signature for that new hash using the original author’s key (or a compromised key). Because the signature is re‑created after the rewrite, the resulting commit can still be displayed as Verified on GitHub, even though the underlying code may have changed drastically.

  • Attackers can exploit this to inject backdoors while preserving the visual trust indicator.
  • The process requires control over the signing key or the ability to force a key compromise.
  • Because the signature is re‑verified only after the rewrite, traditional audit logs that rely on hash matching may miss the substitution.

Implications for Organizational Security

For enterprises that enforce code‑review policies based on the Verified badge, this development introduces a subtle attack surface. An adversary who gains limited write access to a repository could rewrite historic commits, re‑sign them, and push the altered history to the remote. If downstream services only check the badge, they may accept the modified commits as legitimate, potentially propagating malicious changes across dependencies.

Practical Steps to Detect and Prevent Abuse

Proactive detection and prevention require a combination of technical controls and process discipline. Below is a concise checklist that can be adopted by IT administrators and security champions.

  • Audit commit signatures regularly: Use tools like git verify-commit and git rev-list --show-signature to confirm that each signed commit still matches its stored signature after any fetch or pull operation.
  • Enforce signed-commit policies: Configure Git servers to reject pushes that do not contain a valid GPG signature for every new commit.
  • Record signature verification timestamps: Store the verification result alongside the commit metadata in an immutable audit log (e.g., an external blockchain or write-once ledger).
  • Monitor hash anomalies: Set up alerts for commits whose hash changes after a known-good signature is observed, especially in protected branches.
  • Restrict force-push privileges: Limit git push --force to a small set of trusted administrators and require multi-factor authentication for such operations.

Recommended Tooling and Practices

Beyond the checklist, organizations should invest in tooling that makes verification an integral part of the CI/CD pipeline.

  • CI verification hooks: Integrate gpgverify or git status --porcelain checks into every pull-request build to automatically reject unsigned or re-signed commits.
  • Immutable tagging: Tag releases with signed, immutable tags that cannot be altered without creating a new tag object, thereby anchoring a known-good hash.
  • Key rotation and revocation: Implement a formal key-management lifecycle, including automatic expiration and revocation notifications, to limit the window of key compromise.
  • Third-party signing services: Consider using hardware security modules (HSMs) or cloud-based signing services that enforce strict access controls and audit trails.

Monitoring and Incident Response

Even with strong preventive controls, vigilance must extend into detection and response.

  • Log aggregation: Forward all git push events, including signature verification results, to a centralized SIEM where anomalous hash changes can be correlated with user activity.
  • Post-incident forensics: When a suspicious commit is identified, replay the commit’s history, verify the original signature, and compare the original hash with the rewritable hash to understand the scope of alteration.
  • Communication protocol: Establish a clear escalation path for “Verified” badge anomalies, ensuring that security teams are notified before any downstream impact occurs.

In summary, the ability to rewrite verified commits into new hashes while preserving a valid signature is a subtle but potent risk for modern software delivery pipelines. By understanding the cryptographic foundations, enforcing strict signing policies, and embedding continuous verification into operational processes, organizations can retain the trustworthiness of their repositories while mitigating the threat of covert code injection.

Professional IT management not only protects against such covert manipulations but also reinforces confidence among stakeholders, partners, and customers. Leveraging advanced security practices transforms a potential vulnerability into a demonstration of robust governance and operational excellence.

Need Expert IT Advice?

Talk to TH247 today about how we can help your small business with professional IT solutions, custom support, and managed infrastructure.