[Whonix-devel] How safe are signed git tags? Only as safe as SHA-1 or somehow safer?

Michael J Gruber git at drmicha.warpmail.net
Mon Nov 24 11:15:34 CET 2014

Duy Nguyen schrieb am 24.11.2014 um 02:23:
> On Tue, Nov 18, 2014 at 4:26 AM, Jeff King <peff at peff.net> wrote:
>> Yes, it is only as "safe as SHA-1" in the sense that you have GPG-signed
>> only a SHA-1 hash. If somebody can find a collision with a hash you have
>> signed, they can substitute the colliding data for the data you signed.
> I wonder if we can have an option to sign all blob content of the tree
> associated to a commit, and the content of parent commit(s). It's more
> expensive than signing just commit/tag content. But it's also safer
> without completely ditching SHA-1.

This amounts to hashing the blob content with whatever hash you told
your gpg to use (hopefully not sha1 ;) ) and signing that.

You're free to do that now and store the signature wherever your
toolchain deems fit, say in a note or an annotated tag. But that
approach won't sign the history, that is: If you are concerned about the
breakability of sha1, then history is "possibly broken" no matter how
you sign a commit object whose "parent" entry is based on the sha1 of
its parent object.


More information about the Whonix-devel mailing list