I'm not talking about the PGP signatures for the tarballs. I'm talking about the signed *tags* in the git tree: the object you see via e.g. 'git show v3.0.4'. That is part of the git repo and cannot be forged without access to Greg's private key. Now a hostile attacker could add a fake one, but the key would be different, and Greg would be certain to notice.