How to Use SHA-2 Git Repositories

v3ai
4 min read · May 5, 2023

The SHA-1 hashing algorithm at the core of Git is broken. Proven attacks have been demonstrated in practice by SHAttered, and NIST has designated the hashing algorithm to be phased out in the near future.

“We recommend that anyone relying on SHA-1 for security migrate to SHA-2 or SHA-3 as soon as possible,” says NIST computer scientist Chris Celi.

Even though, in the wake of the SHAttered attack, Git moved to Hardened SHA-1 in Git v2.13.0, which isn't vulnerable to SHAttered, according to Git's own website

“SHA-1 is still weak.”

“Thus it’s considered prudent to move past any variant of SHA-1 to a new hash. There’s no guarantee that future attacks on SHA-1 won’t be published in the future, and those attacks may not have viable mitigations.”

For these reasons I believe it is important to show how you can use SHA-2 Git right now! If you are using anything above Git 2.29, you already have the ability to make SHA-2 Git repos without even knowing it!

I will now go through the process of installation and usage of SHA-2 Git.

I am using Linux, but everything shown here should be applicable on other operating systems.

First open your terminal and type

git --version

(as shown in the image above). If it outputs anything above git version 2.29, you should be good. If you have an earlier version, or don't have git at all, go to the official Git downloads page and follow the instructions for your specific machine.

Next we will make a test directory using mkdir test and go into it with cd test.

mkdir test
cd test

This is the MOST IMPORTANT STEP: when initializing your repository you need to type

git init --object-format=sha256

This will ensure that you will be using SHA-2 and not SHA-1, as Git still defaults to SHA-1.

If it works, you should see something like this. Just to be sure it worked, let's make a commit and use rev-parse and git log to check that we are actually using a SHA-2 hash (shown in later images; either one is applicable).

After initializing the repository I added a test file called "hi.txt" and added it to the staging area, then attempted to commit it. However, as it was a fresh Git install on a new machine, I needed to configure the global email and name (you may have to do this too). If so, just follow along and try to commit again.

touch hi.txt
git add .
git commit -m "test"
# Next lines only if you need to set up email and name for Git
git config --global user.email "email@service.com"
git config --global user.name "Firstname Lastname"
git commit -m "test"

To check the hashing algorithm run

git rev-parse --show-object-format

in the directory you initialized in and you should get an output of sha256 if you did everything right.

Output should look something like this

You can also just use

git log

and check if the commit has a SHA-1 hash or a SHA-2 hash.

For reference the SHA-1 hash of “hi” is

55ca6286e3e4f4fba5d0448333fa99fc5a404a73

and “hi” in SHA-2 looks like

98ea6e4f216f2fb4b69fff9b3a44842c38686ca685f3f55dc48c5d3fb1107be4

Length is the key factor to easily determine if you have a SHA-1 or SHA-2 hash.
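As an added example (not part of the original post), here is a small Python script that shows the same length check in code and also computes what `git hash-object` would print for a file in a SHA-1 versus a SHA-256 repository. Note that the hashes quoted above are hashes of the text itself, as sha1sum and sha256sum print them; a Git object ID additionally covers a "type size" header, so the ID Git shows in git log or git hash-object for hi.txt is a different value, as the script demonstrates. The function names are my own.

```python
import hashlib
import re


def git_object_id(content: bytes, object_format: str = "sha256", kind: str = "blob") -> str:
    """Return the hex object ID Git assigns to `content` of type `kind`.

    Git never hashes the raw bytes alone: it prepends a "<type> <size>\\0"
    header and then hashes with the algorithm the repository was
    initialised with (git init --object-format=sha1 or sha256).
    """
    if object_format not in ("sha1", "sha256"):
        raise ValueError(f"unsupported object format: {object_format!r}")
    header = f"{kind} {len(content)}\0".encode()
    return hashlib.new(object_format, header + content).hexdigest()


def raw_hash(content: bytes, object_format: str) -> str:
    """Hash of the bare content, as sha1sum / sha256sum would print it."""
    return hashlib.new(object_format, content).hexdigest()


def detect_object_format(object_id: str):
    """Classify an ID by its length: 40 hex chars is SHA-1, 64 is SHA-256.

    Returns None for anything that is not a hex string of either length.
    """
    if not re.fullmatch(r"[0-9a-fA-F]+", object_id):
        return None
    return {40: "sha1", 64: "sha256"}.get(len(object_id))


if __name__ == "__main__":
    data = b"hi\n"  # constructed sample: the bytes `echo hi > hi.txt` writes
    for fmt in ("sha1", "sha256"):
        print(f"{fmt} of the raw bytes      : {raw_hash(data, fmt)}")
        print(f"{fmt} Git blob object ID    : {git_object_id(data, fmt)}")
    for oid in (git_object_id(data, "sha1"), git_object_id(data, "sha256"), "not-a-hash"):
        print(f"{oid} -> {detect_object_format(oid)}")
```

Paste an ID from `git log` into detect_object_format to get the same answer the length rule gives by eye.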

Congrats! You just used version control software with a hashing algorithm that isn't broken and provides enough security to be reasonably sure (check out 3blue1brown's video if you want to know more) that it wasn't altered or forged.

Limitations and Future Use

  • While Git currently supports SHA-2 repos, many of the main code forges, including Github and Gitlab, do not. UPDATE! sha2git.com now supports the hosting of SHA-2 repos!
  • SHA-1 and SHA-2 Git repositories are not compatible or convertible at the moment.
  • More work needs to be done in the space of code sharing with secure SHA-2 Git repositories; however, it has been deemed non-important at the moment by Gitlab and others.
