> That is, I was under the impression signing a tag only signs the
> references themselves, and then relies on SHA1 referential integrity
> beyond that.
No, a signed tag verifies the whole integrity of the entire repository, whereas a signed commit only authenticates the differences introduced by a single commit. As long as there are no conflicts, a signed commit can be rebased freely (especially also on top of malicious commits...).

Best,
Matthias