Joey Hess 2017-02-24 20:03:36 -04:00
parent 6b52fcbb7e
commit 622b3fface
No known key found for this signature in database
GPG key ID: C910D9222512E3C7
2 changed files with 25 additions and 1 deletions

@ -0,0 +1,13 @@
Yesterday I said that a git-annex repository using signed commits and SHA2
backend would be secure from SHA1 collision attacks. Then I noticed that
there were two ways to embed the necessary collision generation data inside
git-annex key names. I've fixed both of them today, and cannot find any
other ways to embed collision generation data in between a signed commit
and the annexed files.
I also have a design for a way to configure git-annex to expect to see only
keys using secure hash backends, which will make it easier to work with
repositories that want to use signed commits and SHA2. Planning to implement
that tomorrow.
[[todo/sha1_collision_embedding_in_git-annex_keys]] has the details.
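Review bot: The first paragraph says "I've fixed both of them today" without naming the two ways collision generation data could be embedded in key names, or which git-annex version carries the fixes, so a reader who relied on yesterday's claim about signed commits plus a SHA2 backend cannot tell from this entry whether their installed version is affected. Consider adding one sentence that summarises the two embedding paths from the linked todo page and states that the fix requires upgrading git-annex. It would also help to link yesterday's entry, since this one corrects it.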