> A signed commit is a signing of the git metadata; tree hash
> (literally, the state of the tree), committer, author, message, and
> parent sha1. Each git commit includes its parent sha1 in it; this
> gives a locked history for a given commit sha1 (unless someone
> preimages sha1). What matters is that the leaf node, the final point
> in the graph, is signed - that's a dev sign off on effectively that
> they created that particular locked history. Realistically signing of
> each node is preferable, but the leaf is the minimal required.

No. What is signed is the "new data" plus the parent hash(es). No such thing as a "tree hash".

--
Andreas K. Huettel
Gentoo Linux developer
kde, sci, arm, tex, printing
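
Added example, not part of either message in this thread: a Python sketch that takes a commit object body laid out the way git stores it, separates the `gpgsig` header from the remaining bytes (the payload the signature is computed over), and lists the header fields in that payload. The sample commit, its hashes, identities and signature text are constructed placeholders.

```python
import hashlib

# Constructed sample: a signed commit body in the layout `git cat-file commit <id>` prints.
# Hashes, identities and the signature text are placeholders, not real values.
SAMPLE = (
    b"tree " + b"a" * 40 + b"\n"
    b"parent " + b"b" * 40 + b"\n"
    b"author A Dev <dev@example.org> 1400000000 +0000\n"
    b"committer A Dev <dev@example.org> 1400000000 +0000\n"
    b"gpgsig -----BEGIN PGP SIGNATURE-----\n"
    b" \n"
    b" cGxhY2Vob2xkZXI=\n"
    b" -----END PGP SIGNATURE-----\n"
    b"\n"
    b"Example commit message\n"
)

def object_id(body: bytes) -> str:
    """Commit id: SHA-1 over 'commit <len>\\0' plus the full body, gpgsig included."""
    return hashlib.sha1(b"commit %d\x00" % len(body) + body).hexdigest()

def split_signature(body: bytes):
    """Return (signed_payload, signature): the body without its gpgsig header, and the armor."""
    head, sep, message = body.partition(b"\n\n")
    kept, sig, in_sig = [], [], False
    for line in head.split(b"\n"):
        if line.startswith(b"gpgsig "):
            in_sig = True
            sig.append(line[len(b"gpgsig "):])
        elif in_sig and line.startswith(b" "):
            sig.append(line[1:])  # continuation lines carry one leading space
        else:
            in_sig = False
            kept.append(line)
    return b"\n".join(kept) + sep + message, b"\n".join(sig)

def header_fields(payload: bytes):
    """List (name, value) pairs from the header block of a commit payload."""
    head = payload.partition(b"\n\n")[0]
    return [tuple(line.split(b" ", 1)) for line in head.split(b"\n")]

if __name__ == "__main__":
    payload, signature = split_signature(SAMPLE)
    print("commit id:", object_id(SAMPLE))
    for name, value in header_fields(payload):
        print(name.decode(), "=", value.decode())
```

On a real repository the body can be obtained with `git cat-file commit <id>` and fed to the same functions.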