Menu
Supposing that I have the commit hash but I don't have any access to the git repository, is it possible to get the time when the commit was made?
How can this be done?
According to this answer, the commit hashes contain dates and times when they were done.
Example:
1484e89060b2043be0b71209bacc2254161f1a8f was made on Wed Sep 3 09:30:59 2014 +0300.
910
Hover over the 'xx days ago' label next to the relevant commit under the History tab, pause and wait for the Tooltip to appear.
There are actually two different timestamps recorded by Git for each commit: the author date and the commit date. When the commit is created both the timestamps are set to the current time of the machine where the commit was made.
# open the git config editor $ git config --global --edit # in the alias section, add ... [alias] lastcommit = rev-parse HEAD ... From here on, use git lastcommit to show the last commit's hash.
If you have the hash for a commit, you can use the git show command to display the changes for that single commit. The output is identical to each individual commit when using git log -p .
As mentioned in "Are there any dangers in exposing git sha1 commit hashes?":
There is absolutely no way you can correlate the SHA 1 hash of a git commit to the actual contents of the commit.
Though SHA-1 is nominally one-way, this would theoretically allow an attacker, who wants to guess the contents of an object, to verify whether his guess is correct or not.
This would entail guessing exactly, down to the last bit, including time stamps and other similar things.
So if you don't have access to the full git repo, that seems not possible.
As mentioned in this thread, the only thing you could do with a SHA1 is find a content with the same SHA1:
The term "reverse" is not the right word to use.
What is meant is that you can generate another input for which the SHA1 output matches your other SHA1 output. This is because SHA1 has collisions.So "
foo" could hash to 1 and "bar" could hash to 1 also.
It doesn't mean 1 meansfoo, but it means if your password isfoo,barworks too when hashed and compared against a stored hash.If the original input is not very short, it's extremely unlikely that an input with the same SHA-1 hash could be found.
These attacks work because the passwords are weak and SHA-1 is fast to compute, not due to any weakness of SHA-1 as a cryptographic hash function.
Note: that (finding a content with the same SHA1) is actually what the project bradfitz/gitbrute does (for "fun")
gitbrutebrute-forces a pair of author+committer timestamps such that the resulting git commit has your desired prefix.It will find the most recent time that satisfies your prefix.
I mentioned it in "How would git handle a SHA-1 collision on a blob?"
53
You probably think that the git commit ID is somehow encrypted data containing some information. But the Git commit IDs are hashes:
[...] is the SHA-1 hash — a checksum of the content you’re storing plus a header (from here)
Also from the cryptograpic theory we know that hashes have the Non-invertible property.
So it is not possible to get any information about the commit from the ID alone.
21
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
