I think you are missing the point. One of the pluses behind originally
using SHA-1 and the signed tags is that the system as a whole is
cryptographically secure. You can verify from the public key of
whoever made the tag that yes, this really is the source and history
they tagged.
I am not really sure I follow this.... how can you 'verify from the
public key of whoever made the tag' that the SHA-1 hash is correct!?
SHA-1 does not have anything do with any externally provided keys or
have I managed to get something confused here?
Best regards,
Jurko Gospodnetić
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
