Git and SHA-256

Tags: git, sha256

Does the current version of git (2.30.0) already use SHA-256 to calculate commit hashes by default? If not, how can SHA-256 be enabled for a new git repository, and how can it be checked whether a certain git repository uses SHA-256 or SHA-1 for its commit hashes?

822 votes. matthias_buehlmann asked Jan 24 '21 12:01


2 Answers

Whether to use SHA-1 or SHA-256 is a per-repository setting in recent versions of Git. The plan is eventually to make it possible to store data in a repository in SHA-256 and access the objects with either the SHA-1 name or the SHA-256 name. SHA-1 remains the default.

Do note that the SHA-256 mode is experimental and could theoretically change but there are no plans to do so. The Git developers are making every effort to not break compatibility with existing SHA-256 repositories.

To create a new repository with SHA-256, use the --object-format option to git init. If you want to know which algorithm a local repository uses, run git rev-parse --show-object-format, which will output either sha1 or sha256. To see the hash of a remote repository, you can use git ls-remote and verify the length of the hashes printed.

Do note that no major forges support SHA-256 and therefore such repositories cannot be uploaded to them.

200 votes. bk2204 answered Nov 15 '22 05:11


According to the man page for git-init for version 2.30.0, the sha-256 support is still considered experimental:

--object-format=<format>

    Specify the given object format (hash algorithm) for the
    repository. The valid values are sha1 and (if enabled) sha256.
    sha1 is the default.

    THIS OPTION IS EXPERIMENTAL! SHA-256 support is experimental and
    still in an early stage. A SHA-256 repository will in general not
    be able to share work with "regular" SHA-1 repositories. It should
    be assumed that, e.g., Git internal file formats in relation to
    SHA-256 repositories may change in backwards-incompatible ways.
    Only use --object-format=sha256 for testing purposes.

43 votes. larsks answered Nov 15 '22 06:11
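The two answers above describe the same procedure: create a repository with git init --object-format=sha256, read the format back with git rev-parse --show-object-format, and, for a remote, infer the format from the length of the object names that git ls-remote prints (40 hex characters for SHA-1, 64 for SHA-256). The script below is an added example that is not part of either answer and not Git's own code. The ls-remote samples are constructed placeholder output, not real object names, and new_sha256_repo_format assumes a Git build (2.29 or later) with the experimental SHA-256 object format available.

```shell
#!/bin/sh
# Added example (not from the original answers): tell SHA-1 from SHA-256
# repositories by object-name length, and create a SHA-256 repository to
# confirm what `git rev-parse --show-object-format` reports for it.

# Constructed sample of `git ls-remote` output for a SHA-1 repository:
# a 40-hex-digit object name, a tab, then the ref name. Placeholder values.
sample_ls_remote_sha1() {
  printf '%s\tHEAD\n%s\trefs/heads/main\n' \
    0123456789abcdef0123456789abcdef01234567 \
    0123456789abcdef0123456789abcdef01234567
}

# Constructed sample for a SHA-256 repository: 64 hex digits per object name.
sample_ls_remote_sha256() {
  printf '%s\tHEAD\n%s\trefs/heads/main\n' \
    0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef \
    0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
}

# Map a single object name to sha1, sha256 or unknown. Anything that is not
# pure hex, or has a length other than 40 or 64, is reported as unknown
# rather than guessed.
format_from_hash() {
  h=$1
  case "$h" in
    ""|*[!0-9a-fA-F]*) echo unknown; return 0 ;;
  esac
  case ${#h} in
    40) echo sha1 ;;
    64) echo sha256 ;;
    *)  echo unknown ;;
  esac
}

# Read `git ls-remote` output on stdin and classify the repository from the
# object name in the first column of the first line (columns are tab-separated).
format_from_ls_remote() {
  first=$(head -n 1 | cut -f1)
  format_from_hash "$first"
}

# Create a throwaway SHA-256 repository and print the object format Git
# records for it (expected: sha256). Requires SHA-256 support in the local
# Git build; returns non-zero if `git init` rejects the option.
new_sha256_repo_format() {
  dir=$(mktemp -d) || return 1
  if ! git init --quiet --object-format=sha256 "$dir" >/dev/null 2>&1; then
    rm -rf "$dir"
    return 1
  fi
  git -C "$dir" rev-parse --show-object-format
  rm -rf "$dir"
}

# Demonstration on the constructed samples: prints "sha1" then "sha256".
sample_ls_remote_sha1 | format_from_ls_remote
sample_ls_remote_sha256 | format_from_ls_remote
```

For a real remote, pipe the actual output in, e.g. git ls-remote https://example.invalid/repo.git | format_from_ls_remote (placeholder URL). The length check is the same one the first answer suggests, made explicit; non-hex or oddly sized input is reported as unknown instead of being classified.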