
How do signed Git commits work? - MidnightRocket
So git uses the SHA-1 algorithm to ensure integrity. However, SHA-1 is no longer considered secure.

So my question is, what is signed in a signed git commit?

I imagine that either the SHA-1 hash of the commit is signed, or the working tree is directly signed, using the preferred hashing algorithm set in my GPG settings.

Because if it is just the SHA-1 hash of the commit that is signed, then someone could mount a collision attack on that hash and introduce malicious code.
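Added example, not part of the original post: a small Python script that lays out what git actually puts under the signature. The signature stored in a commit's `gpgsig` header is computed over the commit object with that header removed, i.e. over the tree id, parent ids, author, committer and message; the commit id is then the SHA-1 over git's `commit <len>\0` prefix plus the whole object, signature included. The commit bytes, object ids and signature body below are constructed placeholders, not real values.

```python
import hashlib

# Constructed example: the raw bytes of a signed commit object, laid out the
# way `git cat-file commit <id>` prints them. The object ids and the
# signature body are placeholders, not real values.
CONSTRUCTED_COMMIT = b"\n".join([
    b"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904",
    b"parent 1234567890abcdef1234567890abcdef12345678",
    b"author Alice <alice@example.com> 1700000000 +0000",
    b"committer Alice <alice@example.com> 1700000000 +0000",
    b"gpgsig -----BEGIN PGP SIGNATURE-----",
    b" ",
    b" iQEzBAABCAAdFiEEplaceholderNotARealSignature0000000000000000000",
    b" =abcd",
    b" -----END PGP SIGNATURE-----",
    b"",
    b"Add feature X",
    b"",
])


def parse_headers(raw: bytes):
    """Split a commit object into its header list and its message.

    A multi-line header (the signature) continues on lines that start with a
    single space, which git strips when it reads the value back.
    """
    head, _, message = raw.partition(b"\n\n")
    headers = []
    for line in head.split(b"\n"):
        if line.startswith(b" ") and headers:
            key, value = headers[-1]
            headers[-1] = (key, value + b"\n" + line[1:])
        else:
            key, _, value = line.partition(b" ")
            headers.append((key, value))
    return headers, message


def signed_payload(raw: bytes) -> bytes:
    """The bytes the signature covers: the commit object with the gpgsig
    header (and its continuation lines) removed. This still contains the
    tree id and parent ids, so the signature binds those SHA-1 values, not
    the file contents directly. For an unsigned commit this is the identity.
    """
    headers, message = parse_headers(raw)
    out = []
    for key, value in headers:
        if key == b"gpgsig":
            continue
        out.append(key + b" " + value.replace(b"\n", b"\n "))
    return b"\n".join(out) + b"\n\n" + message


def extract_signature(raw: bytes) -> bytes:
    """Return the ASCII-armored signature stored in the gpgsig header."""
    for key, value in parse_headers(raw)[0]:
        if key == b"gpgsig":
            return value
    raise ValueError("commit is not signed")


def commit_id(raw: bytes) -> str:
    """The commit id: SHA-1 over git's 'commit <len>\\0' prefix plus the full
    object, signature included. Changing the signature changes the id, while
    the signature itself is computed over signed_payload(raw)."""
    return hashlib.sha1(b"commit %d\0" % len(raw) + raw).hexdigest()


def referenced_ids(raw: bytes):
    """Object ids the signed payload commits to (tree and parents)."""
    return [v.decode() for k, v in parse_headers(raw)[0] if k in (b"tree", b"parent")]


if __name__ == "__main__":
    print(signed_payload(CONSTRUCTED_COMMIT).decode())
    print("signature:\n" + extract_signature(CONSTRUCTED_COMMIT).decode())
    print("commit id:", commit_id(CONSTRUCTED_COMMIT))
    print("ids bound by the signature:", referenced_ids(CONSTRUCTED_COMMIT))
```

To compare against a real repository, run `git cat-file commit HEAD` on a signed commit and feed its output to `signed_payload`; the result is the exact input `git verify-commit` hands to gpg. The script only reconstructs the payload, it does not verify the signature, since that needs the signer's public key.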
======
billconan
I think Google has already demoed a collision attack with 2 different PDF files
that generate the same hash. [https://shattered.io/](https://shattered.io/)

A good read on git hash
[https://link.medium.com/9S9R0cE5GV](https://link.medium.com/9S9R0cE5GV)

------
based2
[https://lwn.net/Articles/715716/](https://lwn.net/Articles/715716/)

[https://github.blog/2017-03-20-sha-1-collision-detection-on-...](https://github.blog/2017-03-20-sha-1-collision-detection-on-github-com/)

