When discussing migrating to a new hashing function, I tried to learn about the subtleties of the different things that can be gpg-signed in Git. What is the difference between signed commits and tags? (Not from a technical perspective, but for the end user) Both of them certify that a given tree is the desired content for your repository, but git-tag seems to be designed for conveying a trusted state to collaborators, whereas git-commit is primarily designed to just record a state. So in which case would I want to use a signed commit? (which then overlaps with signed pushes) A signed push can certify that a given payload (consisting of multiple commits on possibly multiple branches) was transmitted to a remote, which can be recorded by the remote as e.g. a proof of work. The man page of git-commit doesn't discuss gpg signing at all, git-tag has some discussion on how to properly use tags. Maybe there we could have a discussion on when not to use tags, but rather signed commits? Off list I was told gpg-signed commits are a "checkbox feature", i.e. no real world workflow would actually use it. (That's a bold statement, someone has to use it as there was enough interest to implement it, no?) Thanks, Stefan