You should consider signing git commits & releases.

- [onionshare#221 (comment)](https://is.gd/7vU4oK)
- It is also displayed on GitHub: https://github.com/blog/2144-gpg-signature-verification
- Here is GitHub's help for this: https://help.github.com/articles/generating-a-gpg-key/
- And here is how you can sign releases: https://wiki.debian.org/Creating%20signed%20GitHub%20releases