Hi Zsolt,

On Mon, 18 Jul 2016, Herczeg Zsolt wrote:

> >> My point is not to throw out old hashes and break signatures. My point
> >> is to convert the data storage, and use mapping to resolve problems
> >> with those old hashes and signatures.
> >
> > If you convert the data storage, then the SHA-1s listed in the commit
> > objects will have to be rewritten, and then the GPG signature will not
> > match anymore.
> >
> > Call e.g. `git cat-file commit 44cc742a8ca17b9c279be4cc195a93a6ef7a320e`
> > to see the anatomy of a gpg-signed commit object.
> >
>
> Yes and no. That's the reason you need the two-way lookup table. If
> you need to verify a commit which was signed as SHA-1, you must use
> the lookup table in reverse.

That pretends that it is both easy and trustworthy to know when (and how)
to recreate the SHA-1-ified version of the commit object. Neither is the
case, though.

Ciao,
Johannes
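An added example, not code from this thread or from Git: it shows why a signed commit is tied to the object ids it lists, and what a reverse lookup would have to reproduce byte for byte. The commit, its ids, the signature body and the FORWARD/REVERSE table are constructed placeholders, and SHA-256 as the new hash is an assumption. It does not address when the reverse mapping can be trusted, which is the objection raised in the reply.

```python
import hashlib

# Constructed sample: ids, identity and signature body are placeholders.
OLD_TREE, OLD_PARENT = "a" * 40, "b" * 40   # stand-ins for SHA-1 ids
COMMIT = (
    f"tree {OLD_TREE}\n"
    f"parent {OLD_PARENT}\n"
    "author A U Thor <author@example.com> 1468800000 +0200\n"
    "committer A U Thor <author@example.com> 1468800000 +0200\n"
    "gpgsig -----BEGIN PGP SIGNATURE-----\n"
    " \n"
    " PLACEHOLDER\n"
    " -----END PGP SIGNATURE-----\n"
    "\n"
    "Constructed commit message\n"
).encode()

# Hypothetical two-way table: old id <-> id under a new hash (SHA-256 here).
FORWARD = {o: hashlib.sha256(o.encode()).hexdigest() for o in (OLD_TREE, OLD_PARENT)}
REVERSE = {new: old for old, new in FORWARD.items()}

def signed_payload(raw):
    """Bytes the signature covers: the commit minus its gpgsig header."""
    head, sep, body = raw.partition(b"\n\n")
    kept, in_sig = [], False
    for line in head.split(b"\n"):
        if line.startswith(b"gpgsig "):
            in_sig = True            # signature header starts
        elif in_sig and line.startswith(b" "):
            continue                 # continuation line of the signature
        else:
            in_sig = False
            kept.append(line)
    return b"\n".join(kept) + sep + body

def rewrite_ids(raw, table):
    """Replace the ids on tree/parent header lines using `table`."""
    head, sep, body = raw.partition(b"\n\n")
    lines = []
    for line in head.split(b"\n"):
        key, _, value = line.partition(b" ")
        if key in (b"tree", b"parent"):
            line = key + b" " + table[value.decode()].encode()
        lines.append(line)
    return b"\n".join(lines) + sep + body

converted = rewrite_ids(COMMIT, FORWARD)    # storage converted to new ids
restored = rewrite_ids(converted, REVERSE)  # reverse lookup before verifying
print(signed_payload(converted) != signed_payload(COMMIT), restored == COMMIT)
```

The signed payload differs after conversion because the tree and parent ids are inside it; only an exact reverse rewrite gives back the bytes the original signature was made over.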