That's a good point, but if you combine signing with an indelible timestamp, like one of the blockchain services or other trusted legal timestamping services, you'd be in pretty good shape.
I assume you're suggesting something like including such a timestamp in the commit message? If that's the case, that makes a lot of sense to me. It would be cool to have a tool to automate this. Or something like GitTorrent[0] might do the trick if it had wider adoption.
No, for this to work, you'd really need to timestamp either the git tree hash or (preferably) the hash of the GPG signature (or the signature itself).
Most timestamp service hashes are necessarily public (for trust reasons), so an attacker could grab one and go back and include it in his signed commit message.
But if you timestamp your commit hash (which is a cryptographic hash after all -- albeit an increasingly weak one) or timestamp the signed commit, then it can't be forged (since the attacker can't go back in time and use a cryptographically-verifiable timestamp, like the ones indelibly embedded in the blockchain).
Sorry, what I meant was to include a hash of the commit in a public blockchain and then attach this timestamp to the commit. So I think we're on the same page.
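The distinction discussed in this thread, as an added example that is not from any of the commenters: a public timestamp value quoted inside a commit message only shows the commit was made after that value was published, while anchoring the commit hash in the log shows the commit existed by the anchoring time. `TimestampLog`, `make_commit`, and all times and identities are constructed stand-ins for a real timestamping service and repository.

```python
import hashlib

def git_commit_id(body: bytes) -> str:
    """Object ID git assigns to a commit body in a SHA-1 repository."""
    return hashlib.sha1(b"commit %d\x00" % len(body) + body).hexdigest()

class TimestampLog:
    """Constructed stand-in for a public, append-only timestamping service."""
    def __init__(self):
        self.entries = []      # (time, digest, chained head)
        self.head = "0" * 64

    def anchor(self, digest: str, now: int) -> str:
        data = f"{self.head}|{now}|{digest}".encode()
        self.head = hashlib.sha256(data).hexdigest()
        self.entries.append((now, digest, self.head))
        return self.head       # public value that anyone can read later

    def first_seen(self, digest: str):
        return next((t for t, d, _ in self.entries if d == digest), None)

    def published_at(self, head: str):
        return next((t for t, _, h in self.entries if h == head), None)

def make_commit(message: str, claimed_time: int) -> bytes:
    # Constructed commit body; the tree id and identity are placeholders.
    who = f"A <a@example.com> {claimed_time} +0000"
    return (f"tree {'0' * 40}\nauthor {who}\ncommitter {who}\n\n"
            f"{message}\n").encode()

def demo() -> dict:
    log = TimestampLog()
    public_head = log.anchor("unrelated-entry", now=100)  # visible to everyone
    honest = make_commit("fix parser", claimed_time=150)
    log.anchor(git_commit_id(honest), now=200)            # anchor the commit hash
    # Written at time 300, but claims time 150 and quotes the old public value.
    backdated = make_commit(f"fix parser\n\nTimestamp: {public_head}", 150)
    return {
        # Value in the message: only shows the commit was made AFTER time 100.
        "backdated_token_valid_since": log.published_at(public_head),
        # Hash in the log: shows the commit existed BY time 200.
        "honest_existed_by": log.first_seen(git_commit_id(honest)),
        # The backdated commit's hash was never anchored, so it has no bound.
        "backdated_existed_by": log.first_seen(git_commit_id(backdated)),
    }

if __name__ == "__main__":
    print(demo())
```

In git, a commit's GPG signature is stored in the commit object itself, so anchoring the hash of a signed commit also fixes the signature in time.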