@ChristopherA
Last active May 15, 2024 06:22
Support for Git Commits using SHA-256

Git started supporting SHA-256 based commit hashes in version 2.29, officially released on October 19, 2020.

This version included the --object-format=sha256 option for the git init command.

This feature is part of Git's ongoing efforts to enhance security and address potential vulnerabilities related to the use of the SHA-1 hash algorithm.

Use of SHA-1 in Git Commits

SHA-1 has been found to be vulnerable to collision attacks, which could undermine the integrity of the commit hashes used by Git. While the use of SHA-1 for the first "inception" commit does not provide robust security against such attacks, it is important to note that the security of a Git repository as a whole typically increases with each additional commit. This is because each commit hash incorporates the hash of the previous commit, forming a chain. As a result, altering any single commit would require recalculating the hashes of all subsequent commits, which compounds the computational difficulty of an attack, thereby enhancing security over time.

However, users should be aware of these vulnerabilities, especially for critical security-related repositories. It is advisable to consider mechanisms that add additional layers of security and could provide better assurance of the integrity and authorship of changes.

Git Hosting Services and SHA-256

So far, I've identified no Git hosting services that work with SHA-256 based repositories:

GitHub

sha256-on-github-test % 
git init --object-format=sha256
echo "# sha256-on-github-test" >> README.md
git init
git add README.md
git commit -m "First commit, testing a sha-256 based git repo with GitHub"
git branch -M main
git remote add origin https://github.com/ChristopherA/sha256-on-github-test.git
git push -u origin main
fatal: the receiving end does not support this repository's hash algorithm
fatal: the remote end hung up unexpectedly
error: failed to push some refs to 'https://github.com/ChristopherA/sha256-on-github-test.git'
%