> A signed commit is a signing of the git metadata; tree hash
> (literally, the state of the tree), committer, author, message, and
> parent sha1. Each git commit includes its parent sha1 in it; this
> gives a locked history for a given commit sha1 (unless someone
> preimages sha1). What matters is that the leaf node, the final point
> in the graph, is signed - that's a dev sign off on effectively that
> they created that particular locked history. Realistically signing of
> each node is preferable, but the leaf is the minimal required.
No. What is signed is the "new data" plus the parent hash(es).
No such thing as a "tree hash".
Andreas K. Huettel
Gentoo Linux developer
kde, sci, arm, tex, printing
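
The commit object under discussion, as an added example that is not part of either message: it builds the bytes of a git commit object (tree, parent, author, committer and message lines) and derives commit ids from them, so the effect of the parent line on later ids can be checked. With `git commit -S` the signature is made over this same body and stored in a `gpgsig` header. The identity string, timestamp and commit messages are constructed, and `chain_ids` is a hypothetical helper.

```python
import hashlib

# Well-known id of a tree object with no entries: sha1(b"tree 0\0").
EMPTY_TREE = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"
IDENT = "A Dev <dev@example.org> 1300000000 +0000"  # constructed identity


def git_object_id(kind, body):
    """Object id as git computes it: sha1 over '<kind> <length>\\0' + body."""
    header = f"{kind} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()


def commit_body(tree, parents, ident, message):
    """Bytes of a commit object: header lines, a blank line, then the message."""
    lines = [f"tree {tree}"]
    lines += [f"parent {p}" for p in parents]
    lines += [f"author {ident}", f"committer {ident}", "", message]
    return "\n".join(lines).encode()


def chain_ids(messages, tree=EMPTY_TREE, ident=IDENT):
    """Build a linear history (root first) and return every commit id."""
    ids = []
    for msg in messages:
        parents = ids[-1:]  # empty for the root, else the previous commit
        body = commit_body(tree, parents, ident, msg)
        ids.append(git_object_id("commit", body))
    return ids


if __name__ == "__main__":
    original = chain_ids(["root\n", "middle\n", "leaf\n"])
    tampered = chain_ids(["r00t\n", "middle\n", "leaf\n"])
    print(commit_body(EMPTY_TREE, original[:1], IDENT, "middle\n").decode())
    for a, b in zip(original, tampered):
        print(a, "changed" if a != b else "same")
    # Every id changes: altering the root alters each later parent line,
    # so a signature over the leaf body no longer verifies for that history.
```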