On Tue, Nov 18, 2014 at 4:26 AM, Jeff King <peff@xxxxxxxx> wrote: > Yes, it is only as "safe as SHA-1" in the sense that you have GPG-signed > only a SHA-1 hash. If somebody can find a collision with a hash you have > signed, they can substitute the colliding data for the data you signed. I wonder if we can have an option to sign all blob content of the tree associated to a commit, and the content of parent commit(s). It's more expensive than signing just commit/tag content. But it's also safer without completely ditching SHA-1. -- Duy -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html