Patrick Schleizer <patrick-mailinglists@xxxxxxxxxx> writes: > When using git submodules, is there value in iterating about the git > submodules running "git verfiy-commit HEAD" or would that be already > covered by the git submodule verification? That depends on what you are referring to with the "git submodule verification" and more importantly what threat you are guarding against. "git -C <submodule-dir> verify-commit HEAD" may make sure that the contents of that commit object is GPG signed by whoever you trust--is that what you want to make sure? Or do you want all commits in the submodule history to be similarly signed because the tree of the superproject can switch to some other commit there?