GitHub Commit Autopsy

What's verified. What's not. What you can do about it.

Attackers abuse GitHub's commit system to impersonate trusted developers and fabricate activity to cover their tracks. Most commit metadata is trivially spoofable, let's explore what's actually verified and what not to trust.

01 What Can You Trust? Tap or hover to inspect

This imposter commit impersonates Guillermo Rauch (CEO of Vercel). It appears in actions/checkout via cross-fork object sharing, but was never merged—the attacker spoofed his identity. Check any commit →

github.com/actions/checkout/commit/70379aad...
URL is Misleading
This URL suggests the commit is in the repo. But cross-fork object sharing means commits from any fork are accessible via the parent URL—and vice versa.
Check if a commit is a fork commit →
Commit
Guillermo Rauch
Derived from Email
Avatar is pulled from Gravatar using the email hash. Fake the email, control the avatar—even impersonate a well-known developer.
Guillermo Rauch
Trivially Spoofable
Author name is a free-text field. Anyone can claim any identity—including the CEO of Vercel.
git config user.name "Guillermo Rauch"

rauchg@gmail.com
Trivially Spoofable
Email is a free-text field. No verification that you own this address.
git config user.email "rauchg@gmail.com"
Jan 9, 2026
Trivially Spoofable
Timestamps can be set to any value—past or future.
GIT_AUTHOR_DATE="2020-01-01" git commit
Fix tag handling: preserve annotations and explicit fetch-tags (#2356)
User-Controlled
The message is whatever the committer writes. This one mimics a legitimate bug fix with a fake PR reference.
70379aad
Cryptographically Sound
The SHA is a hash of the commit contents. Can't be forged—but it doesn't prove the commit belongs in this repo.
No Signature Present
This commit is unsigned—no "Verified" badge appears. Anyone could have created it claiming any identity.
Normal reasons commits go unsigned:
  • No GPG/SSH key configured
  • Co-authored with AI (Claude, Copilot)
  • Automated bot commits
  • Squash merges lose signatures
From 70379aad1a8b40919ce8b382d3cd7d0315cde1d0 Mon Sep 17 00:00:00 2001
Commit SHA
The SHA-1 hash uniquely identifies this commit and can't be forged. The timestamp here ("Mon Sep 17 00:00:00 2001") is a fixed placeholder git uses in patch format—ignore it. The real date is in the Date: line below.
From: Guillermo Rauch <rauchg@gmail.com>
Spoofable Identity
The From field comes from git config user.name and user.email. Anyone can set these to any value—no verification required.
Date: Fri, 9 Jan 2026 07:42:00 +0000
Spoofable Timestamp
The commit date is set by the committer's local machine. It can be set to any time using GIT_COMMITTER_DATE or --date.
Subject: [PATCH] Fix tag handling: preserve annotations and explicit fetch-tags (#2356)
Spoofable Message
The commit message is free text. Attackers craft messages that look legitimate to blend into the codebase history.
--- action.yml | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-)
{
  "sha": "70379aad1a8b40919ce8b382d3cd7d0315cde1d0",
  "commit": {
    "author"
Spoofable Identity
From git config user.name and user.email. Anyone can set these to any value—no verification required.
: {
      "name": "Guillermo Rauch",
      "email": "rauchg@gmail.com",
      "date": "2026-01-09T07:42:00Z"
    },
    "committer"
Also Spoofable
Same as author—set via git config. Often identical to author, but can differ (e.g., when someone applies a patch).
: {
      "name": "Guillermo Rauch",
      "email": "rauchg@gmail.com",
      "date": "2026-01-09T07:42:00Z"
    },
    "message": "Fix tag handling: preserve annotations...",
    "verification"
Signature Check
GitHub checks for GPG/SSH signatures. verified: false means no valid signature was found—anyone could have made this commit.
: {
      "verified": false,
      "reason": "unsigned",
      "signature": null
    }
  },
  "author"
Misleading Lookup
GitHub matches the commit email to a registered account. This shows the linked account, not who actually made the commit. Attackers use victim emails to trigger this link.
: {
    "login": "rauchg",
    "id": 13041,
    "type": "User"
  },
  "committer"
Same Lookup
Same email-to-account matching. The avatar and profile link you see on GitHub come from this lookup—not from the commit itself.
: {
    "login": "rauchg",
    "id": 13041,
    "type": "User"
  },
  "stats": { "additions": 16, "deletions": 3 },
  "files": [{ "filename": "action.yml", "status": "modified" }]
}

02 Vigilant Mode

Most commits are unsigned. Without vigilant mode, you don't see this—absence of a badge feels like implicit trust.

abc123f Fix parser bug
?
Unverified
This commit is unsigned—no cryptographic proof of who made it. With vigilant mode enabled, unsigned commits are explicitly flagged.
def456a Co-authored commit
?
Partially Verified
The commit is signed and verified, but has a co-author who enabled vigilant mode. The signature only covers the committer—not all contributors.
ghi789b Add feature
Verified
Verified
The commit is signed, the signature was successfully verified, and the committer is the only author who has enabled vigilant mode.

Enable vigilant mode: Settings → SSH and GPG keys → Flag unsigned commits as unverified. GitHub Docs ↗

03 GitHub vs. Local Verification

  • Signature exists
  • Key in GitHub's registry
  • ? Key still valid?
  • ? Key compromised?
  • ? Right person's key?

Trusts GitHub's key management

  • Signature exists
  • Key in YOUR keyring
  • You checked revocation
  • You trust this key
$ git verify-commit abc123f
gpg: Good signature from "Name <email>"

When does this matter? High-security environments, compliance requirements, or when you can't fully trust GitHub as an intermediary.

04 In The Wild

Timezone Manipulation 2024

xz-utils Backdoor

"Jia Tan" manually manipulated git timezone metadata to create a false geographic identity. Analysis revealed physically impossible timezone jumps—UTC+03:00 to UTC+08:00 in 71 minutes—exposing the deception.
Sherman & Bibaud @ Margin Research ↗
Forged Commit Identity 2026

TeamPCP Supply Chain Campaign

Attackers spoofed legitimate maintainer identities via git config, then pushed malicious fork commits that appeared authored by trusted developers. GitHub displayed the victim's avatar and profile.
Full incident timeline ↗

05 Take Action

Check a Commit

Verify if a commit is actually in a repo's branch history

Enable Vigilant Mode

Make unsigned commits explicitly visible

Sign Your Commits

Set up GPG or SSH commit signing

Study TeamPCP

Full timeline of a real supply chain attack