Re-sign previous commits without changing commit hash and preserving tags

Question

I have several repository on GitHub that I have been committing to with signed commits using GnuPG. I lost my Private and Public Keys for the GPG Signing, so I created a new key pair, but made the mistake of overriding my previous Public Key, rather than adding a new Public Key to GitHub.

I tried running the following commands in Git Bash, but this changed the commit hashes, which broke my tags.

git filter-branch --commit-filter '
        if [ "$GIT_COMMITTER_EMAIL" = "MY EMAIL" ];
        then
                GIT_COMMITTER_NAME="MY NAME";
                GIT_AUTHOR_NAME="MY NAME";
                GIT_COMMITTER_EMAIL="MY EMAIL";
                GIT_AUTHOR_EMAIL="MY EMAIL";
                git commit-tree -S "$@";
        else
                git commit-tree "$@";
        fi' HEAD

git push --force

git for-each-ref --format="%(refname)" refs/original/ | xargs -n 1 git update-ref -d

I ended up doing reset from the reflog to undo these changes.

I mainly want to ensure that this is not a manual job over multiple repositories and multiple commits/tags. So I am happy with any solution that can fix the signing of previous commits while still linking to tags.

Answer 1

There is no way to modify a commit in any way, including changing the signature, without modifying the commit hash. The entire commit object, including signature, is hashed to compute the object ID.

This means that you either need to rewrite tags (with --tag-name-filter) as well as commits or just accept that the old commits have the old signature key and the new commits will have a new signature key. Personally, I would just do the latter.