[Whonix-devel] How safe are signed git tags? Only as safe as SHA-1 or somehow safer?

Duy Nguyen pclouds at gmail.com
Mon Nov 24 02:23:27 CET 2014

On Tue, Nov 18, 2014 at 4:26 AM, Jeff King <peff at peff.net> wrote:
> Yes, it is only as "safe as SHA-1" in the sense that you have GPG-signed
> only a SHA-1 hash. If somebody can find a collision with a hash you have
> signed, they can substitute the colliding data for the data you signed.

I wonder if we can have an option to sign all blob content of the tree
associated to a commit, and the content of parent commit(s). It's more
expensive than signing just commit/tag content. But it's also safer
without completely ditching SHA-1.

More information about the Whonix-devel mailing list