Git started supporting SHA-256 based commit hashes in version 2.29, officially released on October 19, 2020.
This version included the --object-format=sha256 option for the git init command.
This feature is part of Git's ongoing efforts to enhance security and address potential vulnerabilities related to the use of SHA-1 hash algorithm.
SHA-1 has been found to be vulnerable to collision attacks, which could undermine the security integrity of the commit hashes used by Git. While the use of SHA-1 for the first "inception" commit does not provide robust security against such attacks, it is important to note that the security of a Git repository as a whole typically increases with each additional commit. This is because each commit hash incorporates the hash of the previous commit, forming a chain. As a result, altering any single commit would require recalculating the hashes of all subsequent commits, which compounds the computational difficulty of an attack, thereby enhancing security over time.
However, users should be aware of these vulnerabilities, especially for critical security-related repositories. It is advisable to consider mechanisms that add additional layers of security could provide better assurance of the integrity and authorship of changes.
So far, I've identified no Git hosting services that work with SHA-256 based repositories:
sha256-on-github-test %
git init --object-format=sha256
echo "# sha256-on-github-test" >> README.md
git init
git add README.md
git commit -m "First commit, testing a sha-256 based git repo with GitHub"
git branch -M main
git remote add origin https://github.com/ChristopherA/sha256-on-github-test.git
git push -u origin main
fatal: the receiving end does not support this repository's hash algorithm
fatal: the remote end hung up unexpectedly
error: failed to push some refs to 'https://github.com/ChristopherA/sha256-on-github-test.git'
%