
Oct. 26, 2017
5:25 a.m.
Mark Sapiro writes:
where Linus argues that "Signing each commit is totally stupid." and that you should sign tags but not commits.
I agree with Linus that signing all commits is probably unnecessary because of the SHA1 chain, but I disagree with signing only tags. I think that the theoretical sweet spot is signing merge commits (or branch head in case of a fast-forward) at push time.
But pragmatically that's too annoying (requires user decision AFAIK, easy to omit, etc.), so autosigning every commit FTW IMHO.
Steve