Hi Vitaly,
On 9. Jun 2024, at 09:15, Vitaly Zaitsev via devel devel@lists.fedoraproject.org wrote:
On 08/06/2024 00:43, Aoife Moloney wrote:
OpenSSL will no longer trust cryptographic signatures using SHA-1 by default, starting from Fedora 41.
What about Git? AFAIK, AFAIK, Git heavily uses both SHA-1 and SHA-2 to validate objects and commits.
Just to make sure: This proposed change does *not* disallow the use of SHA-1 for hashing (which is what git does).
It only prevents the use of SHA-1 for signing and signature verification. Git’s signature support [1] uses the OpenPGP packet format, which can (and in practice likely does) contain a different hash of the signed content, over which it creates a signature, so even commits with a SHA-1 commit ID can be signed in a fashion that will continue to validate with this change.