GIT sha256 support #6427

New Issue

Closed

opened 2025-11-02 06:55:31 -06:00 by GiteaMirror · 9 comments

GiteaMirror commented 2025-11-02 06:55:31 -06:00

Owner

Copy Link

Originally created by @6543 on GitHub (Dec 2, 2020).

SHA256 support comes in git-2.29, test deployment on codeberg-test does not work. Steps to reproduce:

git init --object-format=sha256
touch test
git add test
git commit -m "test"
git remote add origin git@codeberg.org:reinerh/test.git
git push -u origin main

Error: fatal: Protokollfehler: unerwartetes capabilities^{}

gitea version: 1.14.0+dev-294-g594cc4aa2

Originally created by @6543 on GitHub (Dec 2, 2020). SHA256 support comes in git-2.29, test deployment on codeberg-test does not work. Steps to reproduce: ```sh git init --object-format=sha256 touch test git add test git commit -m "test" git remote add origin git@codeberg.org:reinerh/test.git git push -u origin main ``` Error: `fatal: Protokollfehler: unerwartetes capabilities^{}` gitea version: 1.14.0+dev-294-g594cc4aa2

GiteaMirror added the type/featuretype/proposalproposal/accepted labels 2025-11-02 06:55:31 -06:00

GiteaMirror closed this issue 2025-11-02 06:55:32 -06:00

GiteaMirror commented 2025-11-02 06:55:32 -06:00

Author

Owner

Copy Link

@a1012112796 commented on GitHub (Dec 3, 2020):

Not suggest add it now because it still an experimental feature in git.
The error message is because git sha256 need core > repositoryformatversion=1 and extensions > objectformat = sha256.

@a1012112796 commented on GitHub (Dec 3, 2020): Not suggest add it now because it still an experimental feature in git. The error message is because git sha256 need ``core > repositoryformatversion=1`` and ``extensions > objectformat = sha256``.

GiteaMirror commented 2025-11-02 06:55:32 -06:00

Author

Owner

Copy Link

@Gusted commented on GitHub (Mar 25, 2022):

How do we propose to set the SHA-256 setting for a repo? I assume we don't want to set this global(as this would only make sense for "new" gitea instance). Would it be a simple option on the repo creation to enable the SHA256 format?

@Gusted commented on GitHub (Mar 25, 2022): How do we propose to set the SHA-256 setting for a repo? I assume we don't want to set this global(as this would only make sense for "new" gitea instance). Would it be a simple option on the repo creation to enable the SHA256 format?

GiteaMirror commented 2025-11-02 06:55:33 -06:00

Author

Owner

Copy Link

@lunny commented on GitHub (Mar 26, 2022):

If the repository is initialized in Gitea, we can have option in creating repository page, but if it's a repository pushing to create, we should have another method to detect it.

@lunny commented on GitHub (Mar 26, 2022): If the repository is initialized in Gitea, we can have option in creating repository page, but if it's a repository pushing to create, we should have another method to detect it.

GiteaMirror commented 2025-11-02 06:55:33 -06:00

Author

Owner

Copy Link

@deknos commented on GitHub (Dec 17, 2022):

Hello,
NIST wanna sunset SHA1: https://www.nist.gov/news-events/news/2022/12/nist-retires-sha-1-cryptographic-algorithm

Yes, this will take some time and it is until 2030. Still, people should start it, as there are still no migration possibilities like i don't know, git make-readonly ; git migrate start --to=SHA2-256 ; git migrate clean --away=SHA1 or whatever. Also, this is also only for local git, there's no possibility for this for fetching/pulling already cloned gits.

Also, there may be more hashing algorithms in the future, or some are broken, just migrating to one will perhaps be enough for 10 years, but then we may have this issue again. Please for now, at least test and provide sha256 as an option.

migrating data will take time.

@deknos commented on GitHub (Dec 17, 2022): Hello, NIST wanna sunset SHA1: https://www.nist.gov/news-events/news/2022/12/nist-retires-sha-1-cryptographic-algorithm Yes, this will take some time and it is until 2030. Still, people should start it, as there are still no migration possibilities like i don't know, git make-readonly ; git migrate start --to=SHA2-256 ; git migrate clean --away=SHA1 or whatever. Also, this is also only for local git, there's no possibility for this for fetching/pulling already cloned gits. Also, there may be more hashing algorithms in the future, or some are broken, just migrating to one will perhaps be enough for 10 years, but then we may have this issue again. Please for now, at least test and provide sha256 as an option. migrating data will take time.

GiteaMirror commented 2025-11-02 06:55:33 -06:00

Author

Owner

Copy Link

@Sword-Smith commented on GitHub (Feb 10, 2023):

Hello, NIST wanna sunset SHA1: https://www.nist.gov/news-events/news/2022/12/nist-retires-sha-1-cryptographic-algorithm

Yes, this will take some time and it is until 2030. Still, people should start it, as there are still no migration possibilities like i don't know, git make-readonly ; git migrate start --to=SHA2-256 ; git migrate clean --away=SHA1 or whatever. Also, this is also only for local git, there's no possibility for this for fetching/pulling already cloned gits.

Also, there may be more hashing algorithms in the future, or some are broken, just migrating to one will perhaps be enough for 10 years, but then we may have this issue again. Please for now, at least test and provide sha256 as an option.

migrating data will take time.

I second this. Also even if SHA-1 wasn't broken, it would still only be secure up to 80 bits, which shouldn't be considered safe nowadays. You should aim for 100 bits or preferably 128 bits which SHA-256 will give you.

Not as critical as I thought since the SHA-1 function is being used in a way that guarantees that the length is not affected, so the known SHA-1 attacks would not work. Also: A collision is not that dangerous, you need a second-preimage attack which AFAIK still has 160 bits security the way that SHA-1 is currently being used in git.

@Sword-Smith commented on GitHub (Feb 10, 2023): > Hello, NIST wanna sunset SHA1: https://www.nist.gov/news-events/news/2022/12/nist-retires-sha-1-cryptographic-algorithm > > Yes, this will take some time and it is until 2030. Still, people should start it, as there are still no migration possibilities like i don't know, git make-readonly ; git migrate start --to=SHA2-256 ; git migrate clean --away=SHA1 or whatever. Also, this is also only for local git, there's no possibility for this for fetching/pulling already cloned gits. > > Also, there may be more hashing algorithms in the future, or some are broken, just migrating to one will perhaps be enough for 10 years, but then we may have this issue again. Please for now, at least test and provide sha256 as an option. > > migrating data will take time. I second this. ~~Also even if SHA-1 wasn't broken, it would still only be secure up to 80 bits, which shouldn't be considered safe nowadays. You should aim for 100 bits or preferably 128 bits which SHA-256 will give you.~~ Not as critical as I thought since the SHA-1 function is being used in a way that guarantees that the length is not affected, so the known SHA-1 attacks would not work. Also: A collision is not that dangerous, you need a second-preimage attack which AFAIK still has 160 bits security the way that SHA-1 is currently being used in git.

GiteaMirror commented 2025-11-02 06:55:33 -06:00

Author

Owner

Copy Link

@ptman commented on GitHub (May 16, 2023):

https://medium.com/@v3ai/how-to-use-sha-2-git-repositories-6c2a6ed5d580 - mentions how few git tools support sha256

@ptman commented on GitHub (May 16, 2023): https://medium.com/@v3ai/how-to-use-sha-2-git-repositories-6c2a6ed5d580 - mentions how few git tools support sha256

GiteaMirror commented 2025-11-02 06:55:34 -06:00

Author

Owner

Copy Link

@applemayexist commented on GitHub (Sep 9, 2023):

What's the status of this? Git's documentation in 2.42.0 no longer calls the use of sha256 experimental, and states that no backward-incompatible changes are expected.

@applemayexist commented on GitHub (Sep 9, 2023): What's the status of this? [Git's documentation in 2.42.0](https://git-scm.com/docs/git-init#Documentation/git-init.txt---object-formatltformatgt) no longer calls the use of sha256 experimental, and states that no backward-incompatible changes are expected.

GiteaMirror commented 2025-11-02 06:55:34 -06:00

Author

Owner

Copy Link

@lunny commented on GitHub (Sep 9, 2023):

Follow #23894

@lunny commented on GitHub (Sep 9, 2023): Follow #23894

GiteaMirror commented 2025-11-02 06:55:34 -06:00

Author

Owner

Copy Link

@github-actions[bot] commented on GitHub (Mar 1, 2024):

Automatically locked because of our CONTRIBUTING guidelines

@github-actions[bot] commented on GitHub (Mar 1, 2024): Automatically locked because of our [CONTRIBUTING guidelines](https://github.com/go-gitea/gitea/blob/main/CONTRIBUTING.md#issue-locking)

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

release/v1.25

release/v1.24

release/v1.23

release/v1.22

release/v1.21

release/v1.20

release/v1.19

release/v1.18

release/v1.17

release/v1.16

release/v1.15

release/v1.14

release/v1.13

release/v1.12

release/v1.11

release/v1.10

release/v1.9

release/v1.8

v1.25.3

v1.25.2

v1.25.1

v1.25.0

v1.24.7

v1.25.0-rc0

v1.26.0-dev

v1.24.6

v1.24.5

v1.24.4

v1.24.3

v1.24.2

v1.24.1

v1.24.0

v1.23.8

v1.24.0-rc0

v1.25.0-dev

v1.23.7

v1.23.6

v1.23.5

v1.23.4

v1.23.3

v1.23.2

v1.23.1

v1.23.0

v1.23.0-rc0

v1.24.0-dev

v1.22.6

v1.22.5

v1.22.4

v1.22.3

v1.22.2

v1.22.1

v1.22.0

v1.23.0-dev

v1.22.0-rc1

v1.21.11

v1.22.0-rc0

v1.21.10

v1.21.9

v1.21.8

v1.21.7

v1.21.6

v1.21.5

v1.21.4

v1.21.3

v1.21.2

v1.20.6

v1.21.1

v1.21.0

v1.21.0-rc2

v1.21.0-rc1

v1.20.5

v1.22.0-dev

v1.21.0-rc0

v1.20.4

v1.20.3

v1.20.2

v1.20.1

v1.20.0

v1.19.4

v1.21.0-dev

v1.20.0-rc2

v1.20.0-rc1

v1.20.0-rc0

v1.19.3

v1.19.2

v1.19.1

v1.19.0

v1.19.0-rc1

v1.20.0-dev

v1.19.0-rc0

v1.18.5

v1.18.4

v1.18.3

v1.18.2

v1.18.1

v1.18.0

v1.17.4

v1.18.0-rc1

v1.19.0-dev

v1.18.0-rc0

v1.17.3

v1.17.2

v1.17.1

v1.17.0

v1.17.0-rc2

v1.16.9

v1.17.0-rc1

v1.18.0-dev

v1.16.8

v1.16.7

v1.16.6

v1.16.5

v1.16.4

v1.16.3

v1.16.2

v1.16.1

v1.16.0

v1.15.11

v1.17.0-dev

v1.16.0-rc1

v1.15.10

v1.15.9

v1.15.8

v1.15.7

v1.15.6

v1.15.5

v1.15.4

v1.15.3

v1.15.2

v1.15.1

v1.14.7

v1.15.0

v1.15.0-rc3

v1.14.6

v1.15.0-rc2

v1.14.5

v1.16.0-dev

v1.15.0-rc1

v1.14.4

v1.14.3

v1.14.2

v1.14.1

v1.14.0

v1.13.7

v1.14.0-rc2

v1.13.6

v1.13.5

v1.14.0-rc1

v1.15.0-dev

v1.13.4

v1.13.3

v1.13.2

v1.13.1

v1.13.0

v1.12.6

v1.13.0-rc2

v1.14.0-dev

v1.13.0-rc1

v1.12.5

v1.12.4

v1.12.3

v1.12.2

v1.12.1

v1.11.8

v1.12.0

v1.11.7

v1.12.0-rc2

v1.11.6

v1.12.0-rc1

v1.13.0-dev

v1.11.5

v1.11.4

v1.11.3

v1.10.6

v1.12.0-dev

v1.11.2

v1.10.5

v1.11.1

v1.10.4

v1.11.0

v1.11.0-rc2

v1.10.3

v1.11.0-rc1

v1.10.2

v1.10.1

v1.10.0

v1.9.6

v1.9.5

v1.10.0-rc2

v1.11.0-dev

v1.10.0-rc1

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.9.0-rc2

v1.10.0-dev

v1.9.0-rc1

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.8.0-rc3

v1.7.6

v1.8.0-rc2

v1.7.5

v1.8.0-rc1

v1.9.0-dev

v1.7.4

v1.7.3

v1.7.2

v1.7.1

v1.7.0

v1.7.0-rc3

v1.6.4

v1.7.0-rc2

v1.6.3

v1.7.0-rc1

v1.7.0-dev

v1.6.2

v1.6.1

v1.6.0

v1.6.0-rc2

v1.5.3

v1.6.0-rc1

v1.6.0-dev

v1.5.2

v1.5.1

v1.5.0

v1.5.0-rc2

v1.5.0-rc1

v1.5.0-dev

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.4.0-rc3

v1.4.0-rc2

v1.3.3

v1.4.0-rc1

v1.3.2

v1.3.1

v1.3.0

v1.3.0-rc2

v1.3.0-rc1

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.2.0-rc3

v1.2.0-rc2

v1.1.4

v1.2.0-rc1

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.2

v1.0.1

v1.0.0

v0.9.99

Labels

Clear labels

$20

$250

$50

$500

backport/done

💎 Bounty

docs-update-needed

good first issue

hacktoberfest

issue/bounty

issue/confirmed

issue/critical

issue/duplicate

issue/needs-feedback

issue/not-a-bug

issue/regression

issue/stale

issue/workaround

lgtm/need 2

modifies/api

modifies/translation

outdated/backport/v1.18

outdated/theme/markdown

outdated/theme/timetracker

performance/bigrepo

performance/cpu

performance/memory

performance/speed

pr/breaking

proposal/accepted

proposal/rejected

pr/wip

pull-request

Mirrored from GitHub Pull Request

reviewed/wontfix

💰 Rewarded

skip-changelog

status/blocked

topic/accessibility

topic/api

topic/authentication

topic/build

topic/code-linting

topic/commit-signing

topic/content-rendering

topic/deployment

topic/distribution

topic/federation

topic/gitea-actions

topic/issues

topic/lfs

topic/mobile

topic/moderation

topic/packages

topic/pr

topic/projects

topic/repo

topic/repo-migration

topic/security

topic/theme

topic/ui

topic/ui-interaction

topic/ux

topic/webhooks

topic/wiki

type/bug

type/deprecation

type/docs

type/enhancement

type/feature

type/miscellaneous

type/proposal

type/question

type/refactoring

type/summary

type/testing

type/upstream

No Label proposal/accepted type/feature type/proposal

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/gitea#6427