This is something I discovered back in August 2018. The fix is included in 2.20.0.
Long story short, if you take a commit with a good signature, alter its contents and then add an additional untrusted signature, you end up with two signatures: one BAD signature made with the trusted key, and one GOOD signature made with another key. Git format strings may end up reporting it as %G? = U (untrusted) with %GK/%GS listing the *trusted* key (taken from the BAD signature).
This shouldn't affect normal git use or the tools normally used by Gentoo. However, a poorly written verification script may be tricked into believing it got a commit with a good signature from a trusted key (if it assumes %G? = U is normal, and then verifies correctness via %GK).
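A defender-side gate for the behaviour described above, added here as an example (it is not code from the bug report or from Gentoo's tooling): it parses `git log --format='%H%x00%G?%x00%GK%x00%GS'` output and contrasts the flawed predicate that treats `U` as normal with one that accepts only `G`. The fingerprint and the sample lines are constructed.

```python
"""Gate commits on git's %G?/%GK fields (added example, not Gentoo tooling).

Assumed invocation: git log -1 --format='%H%x00%G?%x00%GK%x00%GS' <commit>
TRUSTED_KEY and SAMPLE_LINES are constructed placeholders.
"""
from typing import Dict, Iterable, NamedTuple, Set, Tuple

TRUSTED_KEY = "ABCDEF0123456789ABCDEF0123456789ABCDEF01"  # constructed fingerprint


class SigInfo(NamedTuple):
    commit: str
    status: str  # %G?: G good, B bad, U good/untrusted, X/Y/R expired or revoked, E error, N none
    key: str     # %GK: fingerprint git attributes to the signature it reports on
    signer: str  # %GS: signer name from that signature


def parse_line(line: str) -> SigInfo:
    fields = line.rstrip("\n").split("\x00")
    if len(fields) != 4:
        raise ValueError(f"expected 4 NUL-separated fields, got {len(fields)}")
    return SigInfo(*fields)


def weak_check(info: SigInfo, trusted: Set[str]) -> bool:
    # The flawed pattern from the report: treats U as normal and relies on %GK alone.
    return info.status in ("G", "U") and info.key in trusted


def strict_check(info: SigInfo, trusted: Set[str]) -> bool:
    # Only a fully good signature counts; %GK is an extra allow-list, not the decision.
    return info.status == "G" and info.key in trusted


def evaluate(lines: Iterable[str], trusted: Set[str]) -> Dict[str, Tuple[bool, bool]]:
    """Map commit -> (weak verdict, strict verdict) for each format line."""
    out = {}
    for line in lines:
        info = parse_line(line)
        out[info.commit] = (weak_check(info, trusted), strict_check(info, trusted))
    return out


# Constructed output: an ordinary good commit; a tampered commit carrying a BAD
# trusted-key signature plus a GOOD unknown-key one (git reports U but lists the
# trusted key in %GK); a plain BAD commit.
SAMPLE_LINES = [
    "\x00".join(["c0ffee01", "G", TRUSTED_KEY, "Trusted Dev <dev@example.org>"]),
    "\x00".join(["c0ffee02", "U", TRUSTED_KEY, "Trusted Dev <dev@example.org>"]),
    "\x00".join(["c0ffee03", "B", TRUSTED_KEY, "Trusted Dev <dev@example.org>"]),
]

if __name__ == "__main__":
    for commit, (weak, strict) in evaluate(SAMPLE_LINES, {TRUSTED_KEY}).items():
        print(commit, "weak:", weak, "strict:", strict)
```

Only the second sample line separates the two predicates: the weak check lets the tampered commit through on the strength of %GK, the strict one rejects it.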
@arches, please stabilize.
This issue was resolved and addressed in GLSA 201904-13 at https://security.gentoo.org/glsa/201904-13 by GLSA coordinator Aaron Bauman (b-man).
Re-opened for final arches and cleanup.
Just waiting on sh, which is not a stable arch, for cleanup to happen...