joeyh at
Also, note that signed git tags are only a signature of the sha1, so cannot be used to detect a collision attack.
Checking git commit signatures can detect a collision attack. Of course, that checking is also not enabled by default, and there's not yet a config to change that.