Yami Odymel

Reputation: 1898

Remove a GPG signature from a pushed/merged commit?

I'm working on a private project in which I don't want to expose my identity, but I soon found out that Git had signed the commit with my personal GPG key, which can easily expose my identity.

The worse thing is that it has been pushed to the remote, and it's in a pull request that has been merged.

Is there any possible way to just re-edit the commit to remove the signature from it?


Upvotes: 1

Views: 1082

Answers (1)

torek

Reputation: 488183

You cannot change the commit you made.

You can make a new commit, that is otherwise exactly identical to the "bad" commit but omits whatever information you want omitted (GPG signature or key or whatever, in this case). This is a different commit but you can use git push --force or similar to tell GitHub yes, I mean to discard the original commit in favor of this new and improved commit.

If you have the appropriate permissions, GitHub will in fact switch the branch over to use the new commit. The one big problem here—well, two big problems, plural—is/are:

  • You made that commit available. Who knows how many copies have been made since then?

  • When GitHub switch to the new and improved commit, they do not discard the old and lousy commit immediately. They will eventually toss it, but until then, anyone who can find its hash ID will be able to retrieve the commit from GitHub.

You can contact GitHub support to get them to do the commit-discarding sooner, but that won't fix the first bullet point. (The "merged" thing suggests that you might not even have permission to do the git push --force; if so, you will need to get cooperation from those who do have permission.)

Upvotes: 2
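Why the signed commit cannot be edited in place, as an added example that is not part of the answer above: the signature is a `gpgsig` header stored inside the commit object, and the commit ID is a hash over that object, so dropping the header necessarily produces a different commit. The sample commit (identity, timestamp, signature payload) is constructed, and the function names are this example's own.

```python
import hashlib

# Constructed sample of a raw signed commit object (not from a real repository).
SIGNED = (
    b"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    b"author Example Dev <dev@example.invalid> 1700000000 +0000\n"
    b"committer Example Dev <dev@example.invalid> 1700000000 +0000\n"
    b"gpgsig -----BEGIN PGP SIGNATURE-----\n"
    b" \n"
    b" Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=\n"
    b" -----END PGP SIGNATURE-----\n"
    b"\n"
    b"Add feature\n"
)


def git_object_id(obj_type: str, body: bytes) -> str:
    """SHA-1 object ID as Git computes it: hash of '<type> <size>\\0' + body."""
    header = f"{obj_type} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()


def strip_gpgsig(raw_commit: bytes) -> bytes:
    """Return the commit with its gpgsig header removed, everything else intact.

    Headers end at the first blank line. A multi-line header value continues on
    lines that begin with a space, so those lines are dropped with the header.
    """
    head, sep, message = raw_commit.partition(b"\n\n")
    kept, skipping = [], False
    for line in head.split(b"\n"):
        if line.startswith(b"gpgsig "):
            skipping = True
            continue
        if skipping and line.startswith(b" "):
            continue
        skipping = False
        kept.append(line)
    return b"\n".join(kept) + sep + message


if __name__ == "__main__":
    unsigned = strip_gpgsig(SIGNED)
    print("signed   commit id:", git_object_id("commit", SIGNED))
    print("unsigned commit id:", git_object_id("commit", unsigned))
    # The author and committer lines are untouched: only the signature is gone.
    print(unsigned.decode())
```

On a real repository the raw object text comes from `git cat-file commit <id>`; every descendant of the rewritten commit also gets a new ID, because each child records its parent's ID.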
