On Thu, Aug 04, 2016 at 06:55:34PM +0200, Andy Wingo wrote:
> On Thu 04 Aug 2016 18:44, Leo Famulari <l...@famulari.name> writes:
>
> > How would the rest of us distinguish between
> >
> > 1) a range of your commits with a signed HEAD
> > 2) a range of your commits with a signed HEAD that you pushed after I
> > pushed a commit created with `git commit --author="Andy Wingo"
>
> I'm not sure what the threat model here is, and surely this is mostly
> because I am ignorant :) Would you mind elaborating a bit more?

I admit, the example is really contrived. My point is that, as far as I know, there is no way to know who exactly is behind an unsigned Git commit. The "Author" and "Commit" information seen in `git log --format=full` is trivially forged, for example by altering the [user] field of your Git configuration file.
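
An added example, not part of the original thread: a shell check that reports the signature status of every commit in a range, run against a throwaway repository in which one commit claims a different author. The identities, the repository and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: constructed identities, throwaway repository.
set -e

# Print "<sig status> <author> / <committer> | <subject>" for each commit
# in range $2 of repository $1. %G? is git's signature status field:
# N = no signature, G = good signature, B = bad signature, and so on.
sig_report() {
    git -C "$1" log --format='%G? %an / %cn | %s' "$2"
}

# Count the commits in the range that carry no signature at all.
count_unsigned() {
    sig_report "$1" "$2" | grep -c '^N ' || true
}

# Build a demo repository with two unsigned commits made by the same
# local user, the second one claiming another author via --author.
make_demo_repo() {
    repo=$(mktemp -d)
    export HOME="$repo" GIT_CONFIG_NOSYSTEM=1   # ignore the caller's git config
    git init -q "$repo"
    git -C "$repo" config user.name  "Alice Example"
    git -C "$repo" config user.email "alice@example.org"
    git -C "$repo" config commit.gpgsign false
    git -C "$repo" commit -q --allow-empty -m "first"
    git -C "$repo" commit -q --allow-empty -m "second" \
        --author="Bob Example <bob@example.org>"
    echo "$repo"
}

repo=$(make_demo_repo)
sig_report "$repo" HEAD      # both lines start with N: nothing vouches for the names
echo "unsigned commits: $(count_unsigned "$repo" HEAD)"
rm -rf "$repo"
```

The same `sig_report` call works on any range (for example `origin/master..HEAD`), so a reviewer can see which commits in a push are covered by no signature of their own.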