git does include support for gpg signing of commits and tags, which I think is what the GP was talking about (though wrapping one's head around the cryptographic security of how git does it is a bit difficult).
SHA1 in git isn't really used as a cryptographic security measure, but git's structure does allow for some innate security because, if a colliding SHA1 hash is to show up... git looks at the new object, says "Huh, I already have that one." and just uses a reference to the original object instead. I'm not sure just how much git protects against an attack targeted against a single copy of the repo as, like I mentioned earlier, it's pretty difficult to wrap one's head around git's security due to how everything interacts.
Or at least that's the case for me. Maybe someone else has a quick explanation for how it all fits together.