GIT COMMIT SPOOFING IS TRIVIAL (AND HOW TO FIX IT)

I am going to show you how to impersonate the creator of Linux.

Open your terminal. Go to any repository. Type this:

git config user.name "Linus Torvalds"
git config user.email "[email protected]"
git commit --allow-empty -m "I definitely wrote this."

Congratulations. If you push that commit, GitHub will display Linus Torvalds as the author (and, because GitHub attributes commits by email, link it to his profile). No password required, no exploit involved: the author name and email are plain text fields in the commit object, and nothing in Git checks them.

This isn’t a bug; it’s how Git was designed. In the distributed era of 2005, email was identity. In the zero-trust era of 2025, it’s a vulnerability. We saw this reality bite hard with the GitProxy Hidden Commits exploit (CVE-2025-54586) where attackers injected “ghost” commits that bypassed standard review views.

If you are building serious software, you need to prove you are who you say you are.

The Old Way: GPG (The Painful Way)

For years, the answer was GPG (GNU Privacy Guard). It worked, but it was miserable. You had to manage keyrings, deal with expiration dates, and install extra software just to sign a text file. Most developers set it up once, forgot the passphrase, and disabled it when it broke.

The Modern Way: SSH Signing

As of Git 2.34, you can sign your work with the same kind of SSH key you already use for pushing code. It is native, simple, and you probably already have the tooling. The one requirement is OpenSSH 8.2 or later, because Git shells out to ssh-keygen -Y to sign and verify.

Here is the production-grade setup I use for all my projects.

1. Generate a Dedicated Signing Key

Don’t reuse your authentication key. Keep the key that authenticates your pushes separate from the key that signs your commits: if one is exposed, the other is still trustworthy, and you can rotate or revoke each one independently.

# Generate a new ed25519 key specifically for signing
ssh-keygen -t ed25519 -C "git-signing-key-2025" -f ~/.ssh/id_git_signing

2. Configure Git

Tell Git to stop looking for GPG and start looking for your SSH key.

# Tell Git to use SSH for signing
git config --global gpg.format ssh

# Point Git to your public key. With a .pub path the private key must be
# loaded in ssh-agent (ssh-add ~/.ssh/id_git_signing); if you don't run an
# agent, point this at the private key file instead.
git config --global user.signingkey ~/.ssh/id_git_signing.pub

# Sign everything by default. Don't think about it.
git config --global commit.gpgsign true

3. Tell GitHub You Are You

This is the step most people miss.

  1. Copy your public key: cat ~/.ssh/id_git_signing.pub
  2. Go to GitHub Settings > SSH and GPG Keys.
  3. Click New SSH Key.
  4. Crucial Step: Change “Key type” from “Authentication Key” to “Signing Key”.
  5. Paste your key and save.

Now, whenever you git commit, Git signs the commit object with your SSH key. When GitHub displays the commit, it checks the signature against the signing keys registered on your account. If the signature matches one of them and the committer email is a verified email on that same account, you get the green Verified badge; a signature from a key GitHub cannot tie to an account shows as Unverified instead.

The “Final Boss”: Vigilant Mode

Getting the Verified badge is nice, but it doesn’t stop the “Linus Torvalds” spoof I showed earlier. It only marks your signed commits; an unsigned commit in the same history still looks like an ordinary commit.

The first fix is Vigilant Mode.

In GitHub settings, under “SSH and GPG Keys”, enable the “Flag unsigned commits as unverified” option (GitHub calls this vigilant mode).

Now an unsigned commit that claims your email won’t just lack a badge; GitHub marks it Unverified with a yellow warning, and a reviewer who sees that on a supply-chain-relevant change has a reason to stop and ask. Two caveats. Vigilant mode is a per-account setting: it protects commits attributed to your identity, so the spoofed Linus commit is flagged only if the account that owns that email has turned it on. And a badge is only a hint: to enforce signing on a repository regardless of who the author claims to be, enable “Require signed commits” in the branch protection rule or ruleset for your protected branches, so that unsigned or unverifiable commits cannot be pushed to them at all.

Why This Matters

We discussed the importance of identity in my 2025 DevSecOps guide, but it starts at the workstation. If you can’t trust the author of a commit, you can’t trust the code.

Spoofing isn’t just a party trick. In high-security environments, “insider threats” often look like a legitimate engineer committing code at 2 AM. If that commit isn’t cryptographically signed, you have no proof it was actually them.

If you are still learning the ropes of Git internals, check out my deep dive into Git concepts. But for today, take five minutes. Generate the key. Config the global. Sign your work.

Your identity is the only thing you really own in this industry. Protect it.