by erdeszt 4078 days ago
Commit hashes are not a security feature but you can sign your commits with gpg.
1 comments

Some projects sign their release commits and tags, some even their merge commits, but I have never seen a project which actually signs every commit.

The reasoning is always that you are actually signing the whole commit chain because your commit is linked to every previous one by the commit hashes.

True, but I was just mentioning the possibility, not the best practices for using it.