cgwalters / git-evtag

Extended verification for git tags

`git replace`

cgwalters opened this issue · comments

How does git-evtag fit into this? Does libgit2 even know about them? Offhand it seems like we should ignore them.

See original #5

No, ignoring it is not the right thing to do, because it rewrites history. The point of signing a Git commit is to authenticate history to future consumers, so the fact that history was 'tampered with deliberately' needs to be preserved in the signature, because it is possible to alter the exact semantics/content of the commit.

I think what you need is a way to find out if a commit was replaced, and then sign both the original and the replace commit and do this for each commit in the history that you sign.
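
One way to do the check the comment above asks for, as an added example that is not part of the thread or of git-evtag's own code: list every commit in a revision's original history that has a `refs/replace/` entry. The function names are hypothetical, and refusing to proceed when a replacement exists is an assumed policy.

```shell
#!/bin/sh
# Added example: detect `git replace` entries that affect a revision's history.
# Run inside a git repository. Function names are hypothetical.

# Print "<original-sha> <replacement-sha>" for every commit reachable from
# <rev> (default HEAD) that has a replacement registered.
replaced_in_history() {
    rev=${1:-HEAD}
    # --no-replace-objects makes git ignore refs/replace/*, so the walk
    # follows the parent pointers stored in the original commit objects.
    git --no-replace-objects rev-list "$rev" | while read -r sha; do
        # A replacement for object X is stored as the ref refs/replace/X.
        if new=$(git --no-replace-objects rev-parse -q --verify \
                 "refs/replace/$sha" 2>/dev/null); then
            printf '%s %s\n' "$sha" "$new"
        fi
    done
}

# Return 1 (and report on stderr) if any commit under <rev> is replaced, so a
# signing or verification wrapper can stop instead of silently hashing the
# substituted history. Stopping is an assumed policy, not git-evtag behaviour.
assert_no_replacements() {
    hits=$(replaced_in_history "$1")
    [ -z "$hits" ] && return 0
    printf 'replaced commits under %s:\n%s\n' "$1" "$hits" >&2
    return 1
}
```

Each output pair names both objects the comment proposes covering: the original commit and the commit that stands in for it.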