On Sun, Sep 14, 2014 at 6:56 PM, hasufell <hasuf...@gentoo.org> wrote:
> According to Robin, it's not about rebasing, it's about signing all
> commits so that messing with the blob (even if it has the same sha-1)
> will cause signature verification failure.
>
The only thing that gets signed is the commit message, and the only thing that ties the commit message to the code is the sha1 of the top-level tree. If you can attack sha1 either at any tree level or at the blob level, you can defeat the signature. That is way better than nothing though - I think it is worth pursuing until somebody comes up with a way to upgrade git to more secure hashes. Most projects don't gpg sign their trees at all, including linux.

--
Rich
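To make Rich's point concrete, here is an added example (not from the thread or from git itself) that rebuilds git's blob/tree/commit hashing in Python and shows that the bytes a commit signature covers contain only the tree's SHA-1, never the file contents. An HMAC stands in for the GPG signature; the key, author line and file contents are constructed for the demo.

```python
import hashlib
import hmac

def git_hash(obj_type: str, payload: bytes) -> bytes:
    """Hash an object exactly as git does: SHA-1 over "<type> <len>\\0<payload>"."""
    header = f"{obj_type} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).digest()

def blob_id(data: bytes) -> bytes:
    return git_hash("blob", data)

def tree_id(entries: dict) -> bytes:
    """entries: {name: (mode, object id)}; git stores them sorted by name."""
    body = b"".join(
        f"{mode} {name}\0".encode() + oid for name, (mode, oid) in sorted(entries.items())
    )
    return git_hash("tree", body)

def commit_payload(tree: bytes, message: str) -> bytes:
    """The commit object body; this is what 'git commit -S' signs (minus the gpgsig header)."""
    return (
        f"tree {tree.hex()}\n"
        "author Example <example@example.invalid> 1410735360 +0000\n"  # constructed
        "committer Example <example@example.invalid> 1410735360 +0000\n"
        f"\n{message}\n"
    ).encode()

def build_commit(files: dict, message: str) -> bytes:
    """files: {name: content}. Blob -> tree -> commit, each link being only a SHA-1."""
    entries = {name: ("100644", blob_id(data)) for name, data in files.items()}
    return commit_payload(tree_id(entries), message)

def sign(key: bytes, payload: bytes) -> bytes:
    # Stand-in for the GPG signature (assumption): HMAC-SHA256 over the commit payload.
    return hmac.new(key, payload, hashlib.sha256).digest()

def verify(key: bytes, payload: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, payload), sig)

def demo() -> dict:
    key = b"demo-signing-key"  # constructed; stands in for the signer's private key
    payload = build_commit({"README": b"hello\n"}, "Initial import")
    sig = sign(key, payload)
    edited = build_commit({"README": b"hello, world\n"}, "Initial import")
    return {
        # the signed bytes carry the tree's SHA-1, not the file contents themselves
        "content_in_signed_bytes": b"hello" in payload,  # False
        "original_verifies": verify(key, payload, sig),  # True
        # an ordinary edit changes blob -> tree -> commit bytes, so verification fails;
        # that guarantee holds only while no second blob or tree shares the same SHA-1
        "edited_verifies": verify(key, edited, sig),  # False
    }
```

`blob_id(b"hello\n")` and `tree_id({})` reproduce git's real object ids, so the model can be checked against `git hash-object` on any machine.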