On Sun, Sep 14, 2014 at 11:25:33PM +0000, hasufell wrote:
> So can we get this clear now.
>
> Robin said
>
> > The Git commit-signing design explicitly signs the entire commit,
> > including blob contents, to avoid this security problem.
>
> Is this correct or not?

That is false. The commit signature explicitly signs the commit,
which includes the root tree hash. That is the only connection
between the signature and the tree contents.

Cheers,
Trevor

--
This email may be signed or encrypted with GnuPG (http://www.gnupg.org).
For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy
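
Added example, not part of the original email: a Python sketch of the relationship the reply describes, for SHA-1 repositories and a flat tree of regular files. The function names, sample files, identity, timestamp and placeholder signature are constructed for illustration; the payload a signature covers carries the root tree id and no blob bytes.

```python
import hashlib

def object_id(kind: str, body: bytes) -> str:
    """Git object id (SHA-1 repositories): SHA-1 of '<kind> <size>\\0' followed by the body."""
    header = f"{kind} {len(body)}".encode() + b"\0"
    return hashlib.sha1(header + body).hexdigest()

def tree_id(files: dict) -> str:
    """Id of a flat tree of regular files; each entry stores only the blob's id."""
    body = b"".join(
        b"100644 " + name.encode() + b"\0" + bytes.fromhex(object_id("blob", data))
        for name, data in sorted(files.items())
    )
    return object_id("tree", body)

def make_commit(tree: str, signature: str = "") -> bytes:
    """Commit object body; identity and timestamp are constructed sample values."""
    who = "A U Thor <author@example.org> 1410737133 +0000"
    headers = [f"tree {tree}", f"author {who}", f"committer {who}"]
    if signature:  # continuation lines of a multi-line header start with a space
        headers.append("gpgsig " + signature.replace("\n", "\n "))
    return ("\n".join(headers) + "\n\nExample commit\n").encode()

def signed_payload(commit: bytes) -> bytes:
    """The bytes the signature covers: the commit object minus its gpgsig header."""
    head, sep, message = commit.partition(b"\n\n")
    kept, in_sig = [], False
    for line in head.split(b"\n"):
        if line.startswith(b"gpgsig "):
            in_sig = True          # drop the header's first line
        elif in_sig and line.startswith(b" "):
            continue               # drop its continuation lines
        else:
            in_sig = False
            kept.append(line)
    return b"\n".join(kept) + sep + message

# Constructed placeholder, not a real OpenPGP signature.
FAKE_SIG = "-----BEGIN PGP SIGNATURE-----\n\n(placeholder)\n-----END PGP SIGNATURE-----"
# Constructed sample working tree.
FILES = {"README": b"hello\n", "build.sh": b"echo building\n"}

if __name__ == "__main__":
    payload = signed_payload(make_commit(tree_id(FILES), FAKE_SIG))
    print(payload.decode())
    print("blob bytes in payload:", any(d in payload for d in FILES.values()))
```

A change to any file alters its blob id, which alters the tree id in the `tree` header, so the payload changes even though no file content is part of it.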