I'm fairly new to git and it seems surprisingly easy to rewrite past commits.

I'm aware of signed commits, and if I understand correctly, they protect against unauthorized/untrusted write access, including a compromise of the GitHub platform itself.

But what happens if the private key of a single trusted account on GitHub gets compromised? How can I check that, from now on, there are only new commits?

Moroccan Engineer

1 Answer

If history is rewritten, you will not be able to pull over an existing tree (it's a bit more complicated, but in the general case where you're only ever on master, it holds). This is the "fast forward" mode. If history you already have is rewritten, git will fetch the new data, but will complain that it can't fast forward, and leave you with your master branch, and the new commits in origin/master (assuming it's named that way in your tree).

Now, I am not 100% sure this is not gameable, since git does not use cryptographically strong hashes AFAIK. But it'd take some doing, at least.

Note that if the rewriting happens entirely in (from your point of view) future history (i.e., in commits you have never pulled yet), you will not see this.

user36303
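The fast-forward check described in the answer above can be scripted; this is an added example, not part of the original post. It assumes a remote named `origin` and a branch named `master`, and the function names and the throwaway repositories it builds under a temp directory are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumptions: remote "origin", branch "master"; the
# repositories are constructed throwaway ones under a temp directory.

# Prints "fast-forward" if OLD is an ancestor of NEW, "rewritten" otherwise.
classify_update() {  # classify_update <repo> <old_tip> <new_tip>
    if git -C "$1" merge-base --is-ancestor "$2" "$3"; then
        echo "fast-forward"
    else
        echo "rewritten"
    fi
}

# Fetch, then compare the remote-tracking tip before and after the fetch.
fetch_and_classify() {  # fetch_and_classify <repo>
    old=$(git -C "$1" rev-parse origin/master) || return 1
    git -C "$1" fetch -q origin || return 1
    new=$(git -C "$1" rev-parse origin/master) || return 1
    classify_update "$1" "$old" "$new"
}

demo() {
    GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
    GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
    export GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL
    tmp=$(mktemp -d) || return 1
    up="$tmp/upstream"; mine="$tmp/mine"
    git init -q "$up" 2>/dev/null
    git -C "$up" symbolic-ref HEAD refs/heads/master
    git -C "$up" commit -q --allow-empty -m "first"
    git clone -q "$up" "$mine"

    # Case 1: upstream only appends a commit.
    git -C "$up" commit -q --allow-empty -m "second"
    r1=$(fetch_and_classify "$mine")

    # Case 2: upstream rewrites a commit we have already fetched.
    git -C "$up" commit -q --amend --allow-empty -m "second (rewritten)"
    r2=$(fetch_and_classify "$mine")

    rm -rf "$tmp"
    echo "$r1 $r2"
}
```

As the answer notes, this only flags rewrites of commits the local clone had already fetched; a rewrite confined to commits never fetched looks like an ordinary fast-forward.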