joeyh at

Basic git hygiene at this point probably includes only merging git commits from others that are gpg signed (as well as gpg signing as many commits yourself as you can without going mad at the password prompts).

Unfortunately, tooling doesn't make this easy, and some things like git format-patch are actively unhelpful by not preserving gpg signatures.


Also, note that signed git tags are only a signature of the sha1, so cannot be used to detect a collision attack.

Checking git commit signatures can detect a collision attack. Of course, that checking is also not enabled by default, and there's not yet a config to change that.

joeyh at 2015-10-08T16:41:58Z
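Added example (not joeyh's code, and not part of the original post): a small POSIX shell check that refuses a commit range unless every commit in it carries a good gpg signature, built on git's `%G?` log placeholder. It is the same refusal that `git merge --verify-signatures` performs, written out so the per-commit status codes are visible. The function name `verify_range` is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the original post: gate a merge on commit signatures.
# git's %G? placeholder reports, per commit:
#   G  good signature          B  bad signature
#   U  good, untrusted key     X  good, expired signature
#   Y  good, expired key       R  good, revoked key
#   E  cannot check (key missing)   N  no signature at all
# Only "G" is accepted here; anything else (including "U") is listed and refused.

# verify_range <base> <tip>
#   returns 0 if every commit in base..tip has a good signature,
#   otherwise prints the offending commits (hash, status, signer) and returns 1.
verify_range() {
    base=$1
    tip=$2
    # %H hash, %G? status, %GS signer name (empty for unsigned commits)
    offending=$(git log --format='%H %G? %GS' "$base..$tip" | awk '$2 != "G" { print }')
    if [ -n "$offending" ]; then
        printf 'refusing %s..%s: commits without a good signature:\n%s\n' \
            "$base" "$tip" "$offending" >&2
        return 1
    fi
    return 0
}

# Usage: verify_range origin/master contributor/feature && git merge contributor/feature
[ $# -eq 2 ] && verify_range "$1" "$2"
```

Because `%G?` is computed per commit rather than from a tag, this is the check the post describes: a collision attack that swaps commit content behind the same sha1 invalidates the commit's own signature, which a tag signature over the sha1 alone would not notice.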