Not having fully read everything, would this be acceptable:

- The DSC contains a copy of the original signature, and the hash that was signed. Possibly a URL to the repo at that time.
- There exists some tool that can extract the information from the DSC, verify the git signature, and that it generates a tar with the same content?

Kurt