> A signed commit is a signing of the git metadata; tree hash
> (literally, the state of the tree), committer, author, message, and
> parent sha1. Each git commit includes its parent sha1 in it; this
> gives a locked history for a given commit sha1 (unless someone
> preimages sha1). What matters is that the leaf node, the final point
> in the graph, is signed - that's a dev sign off on effectively that
> they created that particular locked history. Realistically signing of
> each node is preferable, but the leaf is the minimal required.

No. What is signed is the "new data" plus the parent hash(es).

No such thing as a "tree hash".

-- 
Andreas K. Huettel
Gentoo Linux developer
kde, sci, arm, tex, printing
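
The layout of a git commit object and the bytes a commit signature covers, as an added example that is not part of either message in this thread. The identity, timestamp, commit messages and signature text are constructed placeholders, and the helper names are hypothetical.

```python
import hashlib

def git_object_id(kind: str, body: bytes) -> str:
    """Object id as git computes it: SHA-1 over '<kind> <length>\\0' + body."""
    return hashlib.sha1(f"{kind} {len(body)}\0".encode() + body).hexdigest()

def commit_body(tree: str, parents: list, message: str, gpgsig: str = "") -> bytes:
    """Serialize a commit object; identity and timestamp are constructed."""
    who = "A Dev <dev@example.org> 1400000000 +0000"
    lines = [f"tree {tree}"] + [f"parent {p}" for p in parents]
    lines += [f"author {who}", f"committer {who}"]
    if gpgsig:
        # A multi-line header value continues on lines indented by one space.
        lines.append("gpgsig " + gpgsig.replace("\n", "\n "))
    return ("\n".join(lines) + "\n\n" + message + "\n").encode()

def signed_payload(body: bytes) -> bytes:
    """The bytes a commit signature covers: the object minus its gpgsig header."""
    headers, message = body.split(b"\n\n", 1)
    kept, in_sig = [], False
    for line in headers.split(b"\n"):
        if line.startswith(b"gpgsig "):
            in_sig = True          # drop the first line of the signature header
        elif in_sig and line.startswith(b" "):
            continue               # drop its continuation lines
        else:
            in_sig = False
            kept.append(line)
    return b"\n".join(kept) + b"\n\n" + message

def build_chain(root_message: str) -> list:
    """Three commits on the empty tree, each naming the previous one as parent."""
    tree = git_object_id("tree", b"")
    ids, parents = [], []
    for msg in (root_message, "second", "leaf"):
        ids.append(git_object_id("commit", commit_body(tree, parents, msg)))
        parents = [ids[-1]]
    return ids

# Constructed stand-in for an armored signature, not a real one.
FAKE_SIG = "-----BEGIN PGP SIGNATURE-----\n\n(constructed placeholder)\n-----END PGP SIGNATURE-----"

if __name__ == "__main__":
    tree = git_object_id("tree", b"")
    signed = commit_body(tree, [], "leaf", gpgsig=FAKE_SIG)
    print(signed_payload(signed).decode())
    # Altering only the root commit changes every id after it, leaf included.
    print(build_chain("initial"), build_chain("initial, altered"), sep="\n")
```

On a real repository, `git cat-file commit <id>` prints the same header layout for comparison.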