A half-year ago, I found a bug in an internal GitHub API that let me trick the internal API into signing commits as any user. So I could create a commit signed by a user I don’t control:
Before I explain how I did that, first some context on how Git commit signing works:
Git commit internals
Git commits are stored in a custom text-based format that looks like:
tree 55ca6286e3e4f4fba5d0448333fa99fc5a404a73
parent 7676f1f3b526f05b530a3566211dab5a5225af9a
author loops <[email protected]> 1678388328 -0500
...
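An added example, not code from the original post: a small Python parser for the commit format shown above, including the multi-line `gpgsig` header that a signed commit carries and the bytes that signature covers. The sample object reuses the tree hash, parent hash and timestamp from the post; the e-mail address, committer line, message and signature body are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample: tree, parent and timestamp come from the post; the e-mail,
# committer line, message and signature body are placeholders.
RAW = (
    b"tree 55ca6286e3e4f4fba5d0448333fa99fc5a404a73\n"
    b"parent 7676f1f3b526f05b530a3566211dab5a5225af9a\n"
    b"author loops <loops@example.invalid> 1678388328 -0500\n"
    b"committer loops <loops@example.invalid> 1678388328 -0500\n"
    b"gpgsig -----BEGIN PGP SIGNATURE-----\n"
    b" \n"
    b" PLACEHOLDER\n"
    b" -----END PGP SIGNATURE-----\n"
    b"\n"
    b"example message\n"
)
IDENT = re.compile(rb"^(.*) <([^<>]*)> (\d+) ([+-]\d{4})$")

def parse_commit(raw):
    """Split a raw commit object into ([(key, value), ...], message)."""
    head, sep, message = raw.partition(b"\n\n")
    if not sep:
        raise ValueError("no blank line between headers and message")
    headers = []
    for line in head.split(b"\n"):
        if line.startswith(b" "):  # continuation of the previous header
            if not headers:
                raise ValueError("continuation line before any header")
            key, value = headers[-1]
            headers[-1] = (key, value + b"\n" + line[1:])
        else:
            key, sep, value = line.partition(b" ")
            if not sep:
                raise ValueError("malformed header: %r" % line)
            headers.append((key, value))
    return headers, message

def signed_payload(raw):
    """Bytes the signature covers: the commit with its gpgsig header removed."""
    headers, message = parse_commit(raw)
    kept = [k + b" " + v.replace(b"\n", b"\n ") for k, v in headers if k != b"gpgsig"]
    return b"\n".join(kept) + b"\n\n" + message

def parse_ident(value):
    """Parse 'name <email> epoch tz' into (name, email, epoch, tz)."""
    m = IDENT.match(value)
    if not m:
        raise ValueError("malformed identity line")
    return m[1].decode(), m[2].decode(), int(m[3]), m[4].decode()
```

The author and committer identities are plain text inside the signed payload, so a verifier has to compare them against the identity bound to the signing key.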