On Fri, Aug 05, 2016 at 06:50:30PM +0200, Andy Wingo wrote:
> Why would you sign a commit if you don't attest to intermediate unsigned
> commits?

If I push A-B-C with a signed HEAD immediately after somebody pushes a forged D, won't it look like I vouch for D? How could a 3rd party tell whether D was pushed by me or somebody else? Does your suggested method address this hypothetical situation?