Asheesh Laroia <ashe...@asheesh.org> writes:

> Yes, I do! I've pinged a friend at GitHub and CC:d the people who have
> participated in this thread so far. Let's see how that conversation goes.
Just as an FYI, signing a git tag produces a slightly weaker security guarantee than signing a tarball. Specifically, an attacker who is capable of a second-preimage attack on SHA-1 can forge git commits which will still verify if signed.

No one has publicly been able to produce even a collision in SHA-1 yet, though most people suspect it is either already in the capability of state-level attackers or will be in the next few years. Second-preimage is harder than just producing collisions, but it is still something that's good to be aware of.

Sincerely,
-- 
Harlan Lieberman-Berg
~hlieberman
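To make concrete what the tag signature does and does not cover, here is an added illustration that is not code from this thread: the tag payload names the commit only by its SHA-1, whereas a detached tarball signature covers every byte of the artefact. The HMAC stands in for the PGP signature, and the commit, tag and tarball bytes are constructed for the demo.

```python
import hashlib
import hmac

def git_object_id(kind: str, body: bytes) -> str:
    """Git object id: SHA-1 over '<type> <size>\\0<body>', as git hash-object does."""
    header = f"{kind} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()

def build_tag(commit_id: str, name: str, message: str) -> bytes:
    """The tag object payload a signature is computed over. It refers to the
    commit only by its SHA-1, never by the commit's contents."""
    return (f"object {commit_id}\ntype commit\ntag {name}\n"
            f"tagger Example Tagger <tagger@example.invalid> 0 +0000\n\n{message}\n").encode()

# Constructed stand-in for a PGP signature (real tags use an asymmetric
# signature, but the bytes it covers are the same as here).
KEY = b"constructed-demo-key"

def sign(payload: bytes) -> str:
    return hmac.new(KEY, payload, hashlib.sha256).hexdigest()

def verify_signed_tag(tag_payload: bytes, signature: str, commit_body: bytes) -> bool:
    """What 'git verify-tag' plus a checkout gives you: the signature must
    check out, and the commit you end up with must hash to the id named in
    the tag. The only binding to the commit's contents is that SHA-1, so a
    second preimage of it would pass this check unchanged."""
    if not hmac.compare_digest(sign(tag_payload), signature):
        return False
    named = tag_payload.split(b"\n", 1)[0].removeprefix(b"object ").decode()
    return git_object_id("commit", commit_body) == named

def verify_signed_tarball(tarball: bytes, signature: str) -> bool:
    """A detached signature over a tarball covers every byte of the artefact,
    so substituting contents means breaking the signature itself."""
    return hmac.compare_digest(sign(tarball), signature)

# Constructed sample commit (empty tree id is git's well-known constant).
COMMIT = (b"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
          b"author A <a@example.invalid> 0 +0000\n"
          b"committer A <a@example.invalid> 0 +0000\n\nrelease 1.0\n")
TAG = build_tag(git_object_id("commit", COMMIT), "v1.0", "Release 1.0")
TAG_SIG = sign(TAG)
```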