
Git: Is it possible to fake the signing date of a tag?


As a scientist I would like to keep some official record of the time I check something into my Git repository. This is in order to later back up claims of who invented what first during, for instance, patent disputes.

At the moment I from time to time add a tag to my repository like so:

git tag -s -m "`date`" 2012-08-20

and push the tags to the central server:

git push --tags

Pulling up a tag shows the date I signed it with my key:

git tag -v 2012-08-20
object 2d6f6035270e8e44c035431e99be8da3fccee095
type commit
tag 2012-08-20
tagger My Full Name <name@institution> 1345466433 +0200

Mon Aug 20 14:40:33 CEST 2012
gpg: Signature made Mon Aug 20 14:40:37 2012 CEST using RSA key ID somekey
gpg: Good signature from "My Full Name <name@institution>"
gpg:                 aka "My Full Name <personal-email>"

My question is how secure these dates are? Is it possible to tamper with them later on?

EDIT: to clarify a bit further, I wish to be able to prove that it would be very unlikely that I tampered with the tags later on.


Solution

  • What Git guarantees is: If the date (or the rest of the tag, or the commits attached to it etc.) is altered, the SHA1 of the tag will change.

    However, to make this useful, you must somehow prove what the original SHA1 tag was, and that you already had it at the claimed date of invention.

    Otherwise, to fraudulently claim that you invented something in January 1980, you could just rewind your computer's date to 1980 and create the repository with the necessary commits, tags and all - git would not know, as it can only believe what the system clock tells it.

    So if you want to prove that you invented/wrote something prior to some date in the past, git (alone) cannot help you, nor can any form of signing alone. What you need is Trusted timestamping. There are various different schemes, but all require one or more third parties that essentially vouch for the correctness of the timestamp.