I thought git itself provides authentication and integrity? In fact, if someone modifies the history of a branch that will raise all sorts of red flags the next time a legitimate user pushes.
Not modifying stuff on disk outside git, but using substituted keys to masquerade as a legitimate user and contribute evil code. It leaves an audit trail, but means you need to audit all contributes even those ostensibly from project owners.
Not really. If you make a new commit on top of the history, then nobody will notice unless you sign every commit (which i don't think is common practice).
Only modifying (existing) history will cause git to complain.