[deepsun]

But how do you verify?

Let's say you see a green checkmark on GitHub that confirms the commit was really made by GitHub user @totally_legit_government_absolutely_not_hacker.

Unless you already have their public GPG key in your private keychain, and you marked it as "trusted" previously, there's not really much more info to that.

UPDATE: besides, the government is like a million people, some of them are malicious actors.

[zbentley]

Setting aside malicious government employees, the authN part of this seems like something for which technical solutions exist. Governments could operate PKI trusts and link their employees’ development credentials (in the US, this would be a PIV card or something like it) to that certificate chain. Commits, or committer identity, could be signed via that chain. The dual security of “physical/secure individual credential signing via an available-on-internal-government-network-only authority”, with a public authority available for validation, seems like it would be so secure as to be … close enough for government work.

[deepsun]

Yep, that would work. I just noted that current GitHub green checkmark doesn't really guarantee anything for the DirectFile repo.