Duy Nguyen wrote on 24.11.2014 at 02:23:
> On Tue, Nov 18, 2014 at 4:26 AM, Jeff King <peff@xxxxxxxx> wrote:
>> Yes, it is only as "safe as SHA-1" in the sense that you have GPG-signed
>> only a SHA-1 hash. If somebody can find a collision with a hash you have
>> signed, they can substitute the colliding data for the data you signed.
>
> I wonder if we can have an option to sign all blob content of the tree
> associated to a commit, and the content of parent commit(s). It's more
> expensive than signing just commit/tag content. But it's also safer
> without completely ditching SHA-1.
>

This amounts to hashing the blob content with whatever hash you told your
gpg to use (hopefully not sha1 ;) ) and signing that. You're free to do
that now and store the signature wherever your toolchain deems fit, say in
a note or an annotated tag.

But that approach won't sign the history, that is: if you are concerned
about the breakability of sha1, then history is "possibly broken" no matter
how you sign a commit object whose "parent" entry is based on the sha1 of
its parent object.

Cheers
Michael
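Added illustration (not code from this thread or from git itself) of what each approach actually hands to gpg: an ordinary signed commit covers text that carries only SHA-1 object names, while a digest over the blob bytes and, recursively, each parent's content, as Duy proposes, never consumes a SHA-1 name and covers history through the recursion. It assumes a toy commit dict rather than a real repository; the `with_blob` helper and the exact byte layout fed to the hash are my own choices.

```python
import hashlib

# Constructed toy history; not git's code, and no real repository is read.
# A commit is a dict: "tree" maps path -> blob bytes, "parents" lists
# commit dicts, "message" is the commit message.

def git_blob_id(data: bytes) -> str:
    """Name a blob exactly as git does: sha1("blob <size>\\0" + data)."""
    return hashlib.sha1(b"blob %d\0" % len(data) + data).hexdigest()

def ordinary_signed_text(tree_id: str, parent_ids: list, message: str) -> str:
    """What a normal signed commit hands to gpg: header lines that carry
    only SHA-1 object names; the blob bytes themselves are never part of it."""
    header = ["tree " + tree_id] + ["parent " + p for p in parent_ids]
    return "\n".join(header) + "\n\n" + message

def content_digest(commit: dict) -> str:
    """SHA-256 over every blob's path and bytes plus each parent's *content*
    digest, recursively. No SHA-1 name is fed into this hash, so signing it
    does not inherit SHA-1's collision weakness, and the recursion into the
    parents is what makes the digest cover history as well."""
    h = hashlib.sha256()
    for path in sorted(commit["tree"]):
        data = commit["tree"][path]
        h.update(b"blob %s %d\0" % (path.encode(), len(data)) + data)
    for parent in commit["parents"]:
        h.update(b"parent " + content_digest(parent).encode() + b"\n")
    h.update(b"\n" + commit["message"].encode())
    return h.hexdigest()

def with_blob(commit: dict, path: str, data: bytes) -> dict:
    """Copy of `commit` with one blob replaced (simulates a substituted file)."""
    tree = dict(commit["tree"])
    tree[path] = data
    return {"tree": tree, "parents": commit["parents"], "message": commit["message"]}

ROOT = {"tree": {"README": b"hello\n"}, "parents": [], "message": "init"}
CHILD = {"tree": {"README": b"hello\n", "app.c": b"int main(void){return 0;}\n"},
         "parents": [ROOT], "message": "add app"}

if __name__ == "__main__":
    print(git_blob_id(b"hello\n"))  # ce013625030ba8dba906f756967f9e9ca394464a
    print(content_digest(CHILD))
    # Substituting a blob in the *parent* still changes the child's digest:
    tampered = {**CHILD, "parents": [with_blob(ROOT, "README", b"hullo\n")]}
    print(content_digest(tampered) != content_digest(CHILD))  # True
```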