Of course there is at least one VCS that does not rely on hashing for security, and instead relies on gpg signatures.
Uh, what? GPG signatures themselves rely on hash functions. From the GPG manual:
A document's digital signature is the result of applying a hash function to the document.
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds