Add SHA-256 support for git commit hashes

[onnimonni]

Select Topic Area

Product Feedback

Body

Hey,

When is Github enabling support for git repositories with sha256 commits aka --object-format=sha256?

I'm writing this In the light of recent malicious takeover of https://github.com/tj-actions/changed-files. See more in HN.

The best practice to securely using 3rd party actions in GitHub Actions is to:

Pin actions to a full length commit SHA

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

source: https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

I'm afraid that creating SHA-1 collisions will become more and more affordable and wish to start using sha256 commits sooner than later.

Here's the blog post from Google from 2017 where they demostrated this issue in action.

Steps to reproduce the issue

Currently this is supported in git but not in GitHub:

$ git --version
git version 2.47.0
$ mkdir sha256-git-test && cd sha256-git-test
$ git init . --object-format=sha256
$ echo "test" > "test"
$ git add test
$ git commit -m "test"
$ gh repo create --push --public -s . sha256-git-test
✓ Created repository onnimonni/sha256-git-test on GitHub
  https://github.com/onnimonni/sha256-git-test
✓ Added remote https://github.com/onnimonni/sha256-git-test.git
fatal: the receiving end does not support this repository's hash algorithm
failed to run git: exit status 128

Also see more about the the topic in Stack overflow.

[github-actions[bot]]

💬 Your Product Feedback Has Been Submitted 🎉

Thank you for taking the time to share your insights with us! Your feedback is invaluable as we build a better GitHub experience for all our users.

Here's what you can expect moving forward ⏩

• Your input will be carefully reviewed and cataloged by members of our product teams. 
  • Due to the high volume of submissions, we may not always be able to provide individual responses.
  • Rest assured, your feedback will help chart our course for product improvements.
• Other users may engage with your post, sharing their own perspectives or experiences. 
• GitHub staff may reach out for further clarification or insight. 
  • We may 'Answer' your discussion if there is a current solution, workaround, or roadmap/changelog post related to the feedback.

Where to look to see what's shipping 👀

• Read the Changelog for real-time updates on the latest GitHub features, enhancements, and calls for feedback.
• Explore our Product Roadmap, which details upcoming major releases and initiatives.

What you can do in the meantime 💻

• Upvote and comment on other user feedback Discussions that resonate with you.
• Add more information at any point! Useful details include: use cases, relevant labels, desired outcomes, and any accompanying screenshots.

As a member of the GitHub community, your participation is essential. While we can't promise that every suggestion will be implemented, we want to emphasize that your feedback is instrumental in guiding our decisions and priorities.

Thank you once again for your contribution to making GitHub even better! We're grateful for your ongoing support and collaboration in shaping the future of our platform. ⭐

[onnimonni]

I wasn't aware of the already existing SHA-1 collision support created by Github. It's very interesting read and AFAIK it seems that using SHA-1 collisions is not possible:
https://github.blog/news-insights/company-news/sha-1-collision-detection-on-cf-workers-proxy-9e9.pages.dev/

[onnimonni]

Is anyone aware of a git hook script I could use to analyse .github/workflows/*.yml files and replace git tags like "v4" with the current git commit hashes and adding a comment containing the version?

I think this would make it much safer to use 3rd party GitHub Actions.

So automating this process:

-  - uses: actions/checkout@v4;
+  - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4;

[edgarrmondragon]

I've used gha-update before.

[onnimonni]

This is a bit ugly but works as well: https://gist.github.com/onnimonni/3462f958c7d235417863651974514525

[Andrej730]

Any ideas if git config extensions.compatObjectFormat sha1 in theory should allow pushing sha256 commits to sha1 repo to allow some transition period?

[wiktor-k]

I've tested that right now. That option needs to be enabled before anything is created (or one gets a really ugly error) but the push to GitHub still fails:

$ git push [email protected]:wiktor-k/test-256-repo.git
fatal: the receiving end does not support this repository's hash algorithm
$ cat .git/config 
[extensions]
	objectformat = sha256
	compatObjectFormat = sha1
[core]
	repositoryformatversion = 1
	filemode = true
	bare = false
	logallrefupdates = true
[remote "origin"]
	url = [email protected]:wiktor/test-256-repo.git
	url = ssh://[email protected]/wiktor/test-256-repo.git
	fetch = +refs/heads/*:refs/remotes/origin/*
[branch "main"]
	remote = origin
	merge = refs/heads/main

[wiktor-k]

FWIW I did a couple of tests and it seems SHA-256 is supported on both Gitlab and Codeberg. Of course it needs to be enabled when initializing the repo but from my PoV it's GitHub that's lagging on this important feature...