This is an important distinction. Without a preimage attack on sha-1, the only vulnerability is if some part (yet any part) of the git objects reachable from the signed tag or commit is one half of a prepared collision pair.