Using a signed tarball is ideally better than a git tag (it's an extra
level of author attestation).

In this case signed tarball would not help at all. And git-tag would prevent this attack.

-- 
Miroslav Suchy, RHCA
Red Hat, Manager, Packit and CPT, #brno, #fedora-buildsys