Sequoia git: Making Signed Commits Matter
- Track: Security
- Room: UB5.132
- Day: Saturday
- Start: 12:00
- End: 12:25
It is widely considered good practice to sign commits. But leveraging those signatures is hard. Sequoia git is a system to authenticate changes to a VCS repository. A project embeds a signing policy in its git repository, which says who is allowed to add commits, make releases, and modify the policy. `sq-git log` can then authenticate a range of commits using the embedded policy. Sequoia git distinguishes itself from projects like Sigstore in that all of the information required to authenticate commits is available locally, and no third-party authorities are required. In this talk, I'll present Sequoia git's design, explain how it enforces a policy, and how to use it in your project.
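To make the enforcement idea in the abstract concrete, here is an added toy model (not Sequoia git's code, and not its policy file format; names such as `add_commit`, `modify_policy` and the "trust root" starting commit are assumptions for illustration). It walks a linear commit history from a trusted starting commit to a target and checks each step against the policy recorded in the *parent* commit, so a commit can never grant itself authority. Signature verification is abstracted away: each commit carries the key fingerprint its (already verified) signature maps to, or `None` if unsigned. All commits and fingerprints below are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    """Who may do what. Field names are this example's, not sequoia-git's."""
    add_commit: frozenset      # fingerprints allowed to add commits
    make_release: frozenset    # fingerprints allowed to sign release tags
    modify_policy: frozenset   # fingerprints allowed to change the policy itself


@dataclass(frozen=True)
class Commit:
    id: str
    parent: Optional[str]      # None for the root; linear history only (no merges)
    signer: Optional[str]      # fingerprint behind a verified signature, None if unsigned
    policy: Policy             # contents of the policy file as committed


def authenticate(commits: Dict[str, Commit], trust_root: str, target: str) -> Tuple[bool, str]:
    """Authenticate `target` relative to `trust_root`, whose policy is accepted a priori.

    Each commit must be signed by a key the parent's policy allows to add commits,
    and a commit that changes the policy must additionally be signed by a key the
    parent's policy allows to modify the policy. Returns (ok, reason).
    """
    # Collect the path target -> trust_root by following parent links.
    path = []
    cur = target
    while cur is not None and cur != trust_root:
        c = commits.get(cur)
        if c is None:
            return False, f"unknown commit {cur}"
        path.append(c)
        cur = c.parent
    if cur != trust_root:
        return False, f"{target} does not descend from trust root {trust_root}"
    path.reverse()  # now oldest first, starting just after the trust root

    prev = commits[trust_root]
    for c in path:
        if c.signer is None:
            return False, f"{c.id}: unsigned"
        if c.signer not in prev.policy.add_commit:
            return False, f"{c.id}: {c.signer} may not add commits (policy at {prev.id})"
        if c.policy != prev.policy and c.signer not in prev.policy.modify_policy:
            return False, f"{c.id}: {c.signer} may not modify the policy (policy at {prev.id})"
        prev = c
    return True, f"{target} authenticated from {trust_root}"


def authenticate_release(commits: Dict[str, Commit], trust_root: str,
                         tagged: str, tag_signer: Optional[str]) -> Tuple[bool, str]:
    """A release tag is good only if the tagged commit authenticates and the
    tag's signer is allowed to make releases by the policy at that commit."""
    ok, reason = authenticate(commits, trust_root, tagged)
    if not ok:
        return False, reason
    if tag_signer is None or tag_signer not in commits[tagged].policy.make_release:
        return False, f"tag on {tagged}: {tag_signer} may not make releases"
    return True, f"release tag on {tagged} authenticated"


# Constructed sample data: stand-in fingerprints and a small history.
ALICE, BOB, CAROL, MALLORY = "A1CE", "B0B", "CAR0L", "MALL0RY"
P0 = Policy(add_commit=frozenset({ALICE, BOB}),
            make_release=frozenset({ALICE}),
            modify_policy=frozenset({ALICE}))
P1 = Policy(add_commit=frozenset({ALICE, BOB, CAROL}),   # Carol added
            make_release=frozenset({ALICE}),
            modify_policy=frozenset({ALICE}))

COMMITS = {c.id: c for c in [
    Commit("c0", None, ALICE, P0),      # trust root
    Commit("c1", "c0", BOB, P0),        # Bob adds a commit: allowed
    Commit("c2", "c1", ALICE, P1),      # Alice adds Carol to the policy: allowed
    Commit("c3", "c2", CAROL, P1),      # Carol commits under the new policy: allowed
    Commit("c2bad", "c1", BOB, P1),     # Bob tries to change the policy himself
    Commit("c4bad", "c3", None, P1),    # unsigned commit
    Commit("c5bad", "c3", MALLORY, P1), # signed by a key the policy never mentions
]}

if __name__ == "__main__":
    for target in ["c3", "c2bad", "c4bad", "c5bad"]:
        print(authenticate(COMMITS, "c0", target))
    print(authenticate_release(COMMITS, "c0", "c3", ALICE))
    print(authenticate_release(COMMITS, "c0", "c3", BOB))
```

The point the model makes is that authority flows from the already-authenticated parent, so adding a maintainer takes a commit signed by someone the current policy trusts to modify it, and everything needed for the check (policy, history, signatures) lives in the repository itself. Real histories have merges and the real tool has its own rules for those; this example deliberately stays linear.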
Speakers
- Neal H. Walfield