1. Someone got access allowing them to push commits.
2. Someone got access allowing them to push commits and also got unrestricted access to the trusted PGP key.
In the first case, auto-signing will expose the issue. In the second, not. But in the second case, you're likely screwed in many other ways.
1. Someone got access allowing them to push commits.
2. Someone got access allowing them to push commits and also got unrestricted access to the trusted PGP key.
In the first case, auto-signing will expose the issue. In the second, not. But in the second case, you're likely screwed in many other ways.