| 1 |
On Sun, Sep 14, 2014 at 11:25:33PM +0000, hasufell wrote: |
| 2 |
> So can we get this clear now. |
| 3 |
> |
| 4 |
> Robin said |
| 5 |
> |
| 6 |
> > The Git commit-signing design explicitly signs the entire commit, |
| 7 |
> > including blob contents, to avoid this security problem. |
| 8 |
> |
| 9 |
> Is this correct or not? |
| 10 |
|
| 11 |
That is false. The commit signature explicitly signs the commit, |
| 12 |
which includes the root tree hash. That is the only connection |
| 13 |
between the signature and the tree contents. |
| 14 |
|
| 15 |
Cheers, |
| 16 |
Trevor |
| 17 |
|
| 18 |
-- |
| 19 |
This email may be signed or encrypted with GnuPG (http://www.gnupg.org). |
| 20 |
For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy |
Archives