Hi

Mostly as a proof of concept, I've created two scripts to sign and verify Git checkouts (I'm saying checkouts since it (both for simplicity, and probably trust) is based on the working directory contents, not the tree referred to by the signed commit). Like some other such solutions, this adds secure hashes to the signed tag message.

There are two drawbacks and one advantage versus other solutions:

- meant for small repositories only (each file in the repository takes up a line in the tag message)
- relatively hacky, e.g. newlines in file names may be problematic, doesn't currently use gpg's --status-fd or --with-colons, and doesn't check git config

+ easily verifiable scripts, checking can even be done manually (hence no need for casual users to (blindly) trust third party code)

https://github.com/pflanze/git-sign

Christian.
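The scheme the post describes, as an added example that is not the git-sign scripts themselves: a manifest with one hash line per working-tree file (the text that would go into the signed tag message), and a verifier that recomputes the manifest from a checkout and compares it byte for byte. It assumes POSIX sh with find, sort, xargs, diff and GNU sha256sum; signing the manifest into a tag with `git tag -s` is left outside the block.

```shell
#!/bin/sh
# Added example, not code from the git-sign repository.
# Assumes: POSIX sh, find/sort/xargs with NUL support, diff, GNU sha256sum.
set -eu

# Print "hash  path" for every regular file below DIR (the .git directory is
# skipped), in a stable byte order so two runs over identical trees match.
# NUL-separated listing keeps odd file names (spaces, newlines) from being
# split into several paths; sha256sum escapes a newline inside a name, so
# each manifest entry still occupies exactly one line.
tree_manifest() {
    dir=$1
    (cd "$dir" && find . -type f ! -path './.git/*' -print0 \
        | LC_ALL=C sort -z \
        | xargs -0 sha256sum)
}

# Recompute the manifest for DIR and compare it with the manifest that was
# embedded in the signed tag message (given here as a file). A modified,
# added or removed file all show up as a difference, so the exit status is
# 0 only when the checkout matches exactly what was signed.
verify_tree() {
    dir=$1
    signed_manifest=$2
    tree_manifest "$dir" | diff -u "$signed_manifest" - >/dev/null
}
```

Because the verifier compares the whole recomputed manifest rather than running `sha256sum -c` on the listed files, a file added after signing is rejected as well, not only a changed one.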