Using a signed tarball is ideally better than a git tag (it's an extra level of author attestation).
In this case signed tarball would not help at all. And git-tag
would prevent this attack.
-- Miroslav Suchy, RHCA Red Hat, Manager, Packit and CPT, #brno, #fedora-buildsys