undefined | Better HN

0 pointskazinator9y ago0 comments

But, in any case, that's in the cryptographic realm.

Git hashes aren't digital signatures for cryptographic authenticity.

0 comments

hkdennis2k9y ago

They are.

The git tag and signing verify logic assume the sha-1 hashes for integrity.

kazinatorOP9y ago

Hashing for integrity and authenticity are different things.

For instance, a mere four byte CRC-32 can reasonably assure integrity in some situations, like when used on sufficiently small payload frames; yet it is not useful as a digest for certifying authenticity.

SHA-1 is suitable for integrity.

belovedeagle9y ago

That it may be, but in git, SHA-1 is also used for authenticity. "Signing a commit" only authenticates one commit, and is considered to authenticate the state of the repository only insofar as it authenticates the SHA-1 references contained in the topmost commit.

j / k navigate · click thread line to collapse