how to (integrity) verify a whole git repo


Hi.

It seems I couldn't really find any definitive answer on the
following:

How to cryptographically verify the integrity of a whole git repo (i.e.
all its commits/blobs/etc. in the history)?

Assume e.g. I have the kernel sources and want to do some bisection.
One has also retrieved Linus' and GregKH's key via some trusted path
and assumes that SHA1 is more or less still safe enough ;-)


1) Of course there is git verify-tag and verify-commit which are signed
with GPG, but these alone check, AFAIU, only the respective
tag/commit.

How to check everything else? Is it enough to git fsck --full?

Everything earlier in the history of a verified tag/commit should be
cryptographically safe (assuming SHA1 would be still secure enough),
right?


2) But this of course won't show me anything which is in the repo but
not earlier in the history of the tag/commit I've checked, right?!
Is there a way to e.g. have everything dropped which is not verifiable
via some signed commit/tag?


3) I'd assume that normal operations like checkout/bisect/etc. notice
if some SHA1 sum doesn't match. So once I've verified say kernel v.5.6
tag, I could checkout everything in the history of that and be sure it
wasn't modified, right?
But of course this wouldn't include e.g. other stable versions, like
v5.5.13.


Thanks,
Chris.
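
The hash chaining that points 1 to 3 rely on, as an added example that is not part of the original message: starting from one object id trusted out of band, every reachable object is re-hashed, and objects outside that history stay unverified. The function names and the in-memory `store` dict (standing in for `.git/objects`) are hypothetical, and the sample commits are constructed and simplified.

```python
import hashlib

def obj_id(kind, body):
    """Git object id: SHA-1 over b'<type> <size>\\0' followed by the body."""
    return hashlib.sha1(f"{kind} {len(body)}\0".encode() + body).hexdigest()

def put(store, kind, body):
    store[obj_id(kind, body)] = (kind, body)
    return obj_id(kind, body)

def children(kind, body):
    """Ids an object points at: a commit's tree and parents, a tree's entries."""
    if kind == "commit":
        head = body.split(b"\n\n", 1)[0].decode().splitlines()
        return [l.split()[1] for l in head if l.startswith(("tree ", "parent "))]
    out, i = [], 0
    while kind == "tree" and i < len(body):
        nul = body.index(b"\0", i)          # entry: b"<mode> <name>\0" + 20 raw id bytes
        out.append(body[nul + 1:nul + 21].hex())
        i = nul + 21
    return out

def verify_from(store, trusted):
    """Re-hash all objects reachable from an id trusted out of band; returns (ok, bad)."""
    ok, bad, todo = set(), set(), [trusted]
    while todo:
        oid = todo.pop()
        if oid in ok or oid in bad:
            continue
        entry = store.get(oid)
        if entry is None or obj_id(*entry) != oid:
            bad.add(oid)                    # missing, or content no longer matches its id
        else:
            ok.add(oid)
            todo.extend(children(*entry))
    return ok, bad

def snapshot(store, content, parents, msg):
    """Constructed sample: one-file tree and a simplified commit (no author lines)."""
    blob = put(store, "blob", content)
    tree = put(store, "tree", b"100644 main.c\0" + bytes.fromhex(blob))
    head = f"tree {tree}\n" + "".join(f"parent {p}\n" for p in parents)
    return put(store, "commit", f"{head}\n{msg}\n".encode())

def demo():
    store = {}
    c1 = snapshot(store, b"v1\n", [], "initial")
    c2 = snapshot(store, b"v2\n", [c1], "release")   # stands in for the signed tag
    c3 = snapshot(store, b"side\n", [c1], "side")    # in the repo, not in c2's history
    return store, c2, c3
```

With `store, c2, c3 = demo()`, `verify_from(store, c2)` covers the six objects in the history of `c2` and leaves the side commit, its tree and its blob in `set(store) - ok`; overwriting the `v1` blob's content makes its id appear in `bad`.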



