1Git hash function transition 2============================ 3 4Objective 5--------- 6Migrate Git from SHA-1 to a stronger hash function. 7 8Background 9---------- 10At its core, the Git version control system is a content addressable 11filesystem. It uses the SHA-1 hash function to name content. For 12example, files, directories, and revisions are referred to by hash 13values unlike in other traditional version control systems where files 14or versions are referred to via sequential numbers. The use of a hash 15function to address its content delivers a few advantages: 16 17* Integrity checking is easy. Bit flips, for example, are easily 18 detected, as the hash of corrupted content does not match its name. 19* Lookup of objects is fast. 20 21Using a cryptographically secure hash function brings additional 22advantages: 23 24* Object names can be signed and third parties can trust the hash to 25 address the signed object and all objects it references. 26* Communication using Git protocol and out of band communication 27 methods have a short reliable string that can be used to reliably 28 address stored content. 29 30Over time some flaws in SHA-1 have been discovered by security 31researchers. On 23 February 2017 the SHAttered attack 32(https://shattered.io) demonstrated a practical SHA-1 hash collision. 33 34Git v2.13.0 and later subsequently moved to a hardened SHA-1 35implementation by default, which isn't vulnerable to the SHAttered 36attack. 37 38Thus Git has in effect already migrated to a new hash that isn't SHA-1 39and doesn't share its vulnerabilities, its new hash function just 40happens to produce exactly the same output for all known inputs, 41except two PDFs published by the SHAttered researchers, and the new 42implementation (written by those researchers) claims to detect future 43cryptanalytic collision attacks. 44 45Regardless, it's considered prudent to move past any variant of SHA-1 46to a new hash. There's no guarantee that future attacks on SHA-1 won't 47be published in the future, and those attacks may not have viable 48mitigations. 49 50If SHA-1 and its variants were to be truly broken, Git's hash function 51could not be considered cryptographically secure any more. This would 52impact the communication of hash values because we could not trust 53that a given hash value represented the known good version of content 54that the speaker intended. 55 56SHA-1 still possesses the other properties such as fast object lookup 57and safe error checking, but other hash functions are equally suitable 58that are believed to be cryptographically secure. 59 60Goals 61----- 621. The transition to SHA-256 can be done one local repository at a time. 63 a. Requiring no action by any other party. 64 b. A SHA-256 repository can communicate with SHA-1 Git servers 65 (push/fetch). 66 c. Users can use SHA-1 and SHA-256 identifiers for objects 67 interchangeably (see "Object names on the command line", below). 68 d. New signed objects make use of a stronger hash function than 69 SHA-1 for their security guarantees. 702. Allow a complete transition away from SHA-1. 71 a. Local metadata for SHA-1 compatibility can be removed from a 72 repository if compatibility with SHA-1 is no longer needed. 733. Maintainability throughout the process. 74 a. The object format is kept simple and consistent. 75 b. Creation of a generalized repository conversion tool. 76 77Non-Goals 78--------- 791. Add SHA-256 support to Git protocol. This is valuable and the 80 logical next step but it is out of scope for this initial design. 812. Transparently improving the security of existing SHA-1 signed 82 objects. 833. Intermixing objects using multiple hash functions in a single 84 repository. 854. Taking the opportunity to fix other bugs in Git's formats and 86 protocols. 875. Shallow clones and fetches into a SHA-256 repository. (This will 88 change when we add SHA-256 support to Git protocol.) 896. Skip fetching some submodules of a project into a SHA-256 90 repository. (This also depends on SHA-256 support in Git 91 protocol.) 92 93Overview 94-------- 95We introduce a new repository format extension. Repositories with this 96extension enabled use SHA-256 instead of SHA-1 to name their objects. 97This affects both object names and object content --- both the names 98of objects and all references to other objects within an object are 99switched to the new hash function. 100 101SHA-256 repositories cannot be read by older versions of Git. 102 103Alongside the packfile, a SHA-256 repository stores a bidirectional 104mapping between SHA-256 and SHA-1 object names. The mapping is generated 105locally and can be verified using "git fsck". Object lookups use this 106mapping to allow naming objects using either their SHA-1 and SHA-256 names 107interchangeably. 108 109"git cat-file" and "git hash-object" gain options to display an object 110in its sha1 form and write an object given its sha1 form. This 111requires all objects referenced by that object to be present in the 112object database so that they can be named using the appropriate name 113(using the bidirectional hash mapping). 114 115Fetches from a SHA-1 based server convert the fetched objects into 116SHA-256 form and record the mapping in the bidirectional mapping table 117(see below for details). Pushes to a SHA-1 based server convert the 118objects being pushed into sha1 form so the server does not have to be 119aware of the hash function the client is using. 120 121Detailed Design 122--------------- 123Repository format extension 124~~~~~~~~~~~~~~~~~~~~~~~~~~~ 125A SHA-256 repository uses repository format version `1` (see 126Documentation/technical/repository-version.txt) with extensions 127`objectFormat` and `compatObjectFormat`: 128 129 [core] 130 repositoryFormatVersion = 1 131 [extensions] 132 objectFormat = sha256 133 compatObjectFormat = sha1 134 135The combination of setting `core.repositoryFormatVersion=1` and 136populating `extensions.*` ensures that all versions of Git later than 137`v0.99.9l` will die instead of trying to operate on the SHA-256 138repository, instead producing an error message. 139 140 # Between v0.99.9l and v2.7.0 141 $ git status 142 fatal: Expected git repo version <= 0, found 1 143 # After v2.7.0 144 $ git status 145 fatal: unknown repository extensions found: 146 objectformat 147 compatobjectformat 148 149See the "Transition plan" section below for more details on these 150repository extensions. 151 152Object names 153~~~~~~~~~~~~ 154Objects can be named by their 40 hexadecimal digit sha1-name or 64 155hexadecimal digit sha256-name, plus names derived from those (see 156gitrevisions(7)). 157 158The sha1-name of an object is the SHA-1 of the concatenation of its 159type, length, a nul byte, and the object's sha1-content. This is the 160traditional <sha1> used in Git to name objects. 161 162The sha256-name of an object is the SHA-256 of the concatenation of its 163type, length, a nul byte, and the object's sha256-content. 164 165Object format 166~~~~~~~~~~~~~ 167The content as a byte sequence of a tag, commit, or tree object named 168by sha1 and sha256 differ because an object named by sha256-name refers to 169other objects by their sha256-names and an object named by sha1-name 170refers to other objects by their sha1-names. 171 172The sha256-content of an object is the same as its sha1-content, except 173that objects referenced by the object are named using their sha256-names 174instead of sha1-names. Because a blob object does not refer to any 175other object, its sha1-content and sha256-content are the same. 176 177The format allows round-trip conversion between sha256-content and 178sha1-content. 179 180Object storage 181~~~~~~~~~~~~~~ 182Loose objects use zlib compression and packed objects use the packed 183format described in Documentation/technical/pack-format.txt, just like 184today. The content that is compressed and stored uses sha256-content 185instead of sha1-content. 186 187Pack index 188~~~~~~~~~~ 189Pack index (.idx) files use a new v3 format that supports multiple 190hash functions. They have the following format (all integers are in 191network byte order): 192 193- A header appears at the beginning and consists of the following: 194 - The 4-byte pack index signature: '\377t0c' 195 - 4-byte version number: 3 196 - 4-byte length of the header section, including the signature and 197 version number 198 - 4-byte number of objects contained in the pack 199 - 4-byte number of object formats in this pack index: 2 200 - For each object format: 201 - 4-byte format identifier (e.g., 'sha1' for SHA-1) 202 - 4-byte length in bytes of shortened object names. This is the 203 shortest possible length needed to make names in the shortened 204 object name table unambiguous. 205 - 4-byte integer, recording where tables relating to this format 206 are stored in this index file, as an offset from the beginning. 207 - 4-byte offset to the trailer from the beginning of this file. 208 - Zero or more additional key/value pairs (4-byte key, 4-byte 209 value). Only one key is supported: 'PSRC'. See the "Loose objects 210 and unreachable objects" section for supported values and how this 211 is used. All other keys are reserved. Readers must ignore 212 unrecognized keys. 213- Zero or more NUL bytes. This can optionally be used to improve the 214 alignment of the full object name table below. 215- Tables for the first object format: 216 - A sorted table of shortened object names. These are prefixes of 217 the names of all objects in this pack file, packed together 218 without offset values to reduce the cache footprint of the binary 219 search for a specific object name. 220 221 - A table of full object names in pack order. This allows resolving 222 a reference to "the nth object in the pack file" (from a 223 reachability bitmap or from the next table of another object 224 format) to its object name. 225 226 - A table of 4-byte values mapping object name order to pack order. 227 For an object in the table of sorted shortened object names, the 228 value at the corresponding index in this table is the index in the 229 previous table for that same object. 230 231 This can be used to look up the object in reachability bitmaps or 232 to look up its name in another object format. 233 234 - A table of 4-byte CRC32 values of the packed object data, in the 235 order that the objects appear in the pack file. This is to allow 236 compressed data to be copied directly from pack to pack during 237 repacking without undetected data corruption. 238 239 - A table of 4-byte offset values. For an object in the table of 240 sorted shortened object names, the value at the corresponding 241 index in this table indicates where that object can be found in 242 the pack file. These are usually 31-bit pack file offsets, but 243 large offsets are encoded as an index into the next table with the 244 most significant bit set. 245 246 - A table of 8-byte offset entries (empty for pack files less than 247 2 GiB). Pack files are organized with heavily used objects toward 248 the front, so most object references should not need to refer to 249 this table. 250- Zero or more NUL bytes. 251- Tables for the second object format, with the same layout as above, 252 up to and not including the table of CRC32 values. 253- Zero or more NUL bytes. 254- The trailer consists of the following: 255 - A copy of the 20-byte SHA-256 checksum at the end of the 256 corresponding packfile. 257 258 - 20-byte SHA-256 checksum of all of the above. 259 260Loose object index 261~~~~~~~~~~~~~~~~~~ 262A new file $GIT_OBJECT_DIR/loose-object-idx contains information about 263all loose objects. Its format is 264 265 # loose-object-idx 266 (sha256-name SP sha1-name LF)* 267 268where the object names are in hexadecimal format. The file is not 269sorted. 270 271The loose object index is protected against concurrent writes by a 272lock file $GIT_OBJECT_DIR/loose-object-idx.lock. To add a new loose 273object: 274 2751. Write the loose object to a temporary file, like today. 2762. Open loose-object-idx.lock with O_CREAT | O_EXCL to acquire the lock. 2773. Rename the loose object into place. 2784. Open loose-object-idx with O_APPEND and write the new object 2795. Unlink loose-object-idx.lock to release the lock. 280 281To remove entries (e.g. in "git pack-refs" or "git-prune"): 282 2831. Open loose-object-idx.lock with O_CREAT | O_EXCL to acquire the 284 lock. 2852. Write the new content to loose-object-idx.lock. 2863. Unlink any loose objects being removed. 2874. Rename to replace loose-object-idx, releasing the lock. 288 289Translation table 290~~~~~~~~~~~~~~~~~ 291The index files support a bidirectional mapping between sha1-names 292and sha256-names. The lookup proceeds similarly to ordinary object 293lookups. For example, to convert a sha1-name to a sha256-name: 294 295 1. Look for the object in idx files. If a match is present in the 296 idx's sorted list of truncated sha1-names, then: 297 a. Read the corresponding entry in the sha1-name order to pack 298 name order mapping. 299 b. Read the corresponding entry in the full sha1-name table to 300 verify we found the right object. If it is, then 301 c. Read the corresponding entry in the full sha256-name table. 302 That is the object's sha256-name. 303 2. Check for a loose object. Read lines from loose-object-idx until 304 we find a match. 305 306Step (1) takes the same amount of time as an ordinary object lookup: 307O(number of packs * log(objects per pack)). Step (2) takes O(number of 308loose objects) time. To maintain good performance it will be necessary 309to keep the number of loose objects low. See the "Loose objects and 310unreachable objects" section below for more details. 311 312Since all operations that make new objects (e.g., "git commit") add 313the new objects to the corresponding index, this mapping is possible 314for all objects in the object store. 315 316Reading an object's sha1-content 317~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 318The sha1-content of an object can be read by converting all sha256-names 319its sha256-content references to sha1-names using the translation table. 320 321Fetch 322~~~~~ 323Fetching from a SHA-1 based server requires translating between SHA-1 324and SHA-256 based representations on the fly. 325 326SHA-1s named in the ref advertisement that are present on the client 327can be translated to SHA-256 and looked up as local objects using the 328translation table. 329 330Negotiation proceeds as today. Any "have"s generated locally are 331converted to SHA-1 before being sent to the server, and SHA-1s 332mentioned by the server are converted to SHA-256 when looking them up 333locally. 334 335After negotiation, the server sends a packfile containing the 336requested objects. We convert the packfile to SHA-256 format using 337the following steps: 338 3391. index-pack: inflate each object in the packfile and compute its 340 SHA-1. Objects can contain deltas in OBJ_REF_DELTA format against 341 objects the client has locally. These objects can be looked up 342 using the translation table and their sha1-content read as 343 described above to resolve the deltas. 3442. topological sort: starting at the "want"s from the negotiation 345 phase, walk through objects in the pack and emit a list of them, 346 excluding blobs, in reverse topologically sorted order, with each 347 object coming later in the list than all objects it references. 348 (This list only contains objects reachable from the "wants". If the 349 pack from the server contained additional extraneous objects, then 350 they will be discarded.) 3513. convert to sha256: open a new (sha256) packfile. Read the topologically 352 sorted list just generated. For each object, inflate its 353 sha1-content, convert to sha256-content, and write it to the sha256 354 pack. Record the new sha1<->sha256 mapping entry for use in the idx. 3554. sort: reorder entries in the new pack to match the order of objects 356 in the pack the server generated and include blobs. Write a sha256 idx 357 file 3585. clean up: remove the SHA-1 based pack file, index, and 359 topologically sorted list obtained from the server in steps 1 360 and 2. 361 362Step 3 requires every object referenced by the new object to be in the 363translation table. This is why the topological sort step is necessary. 364 365As an optimization, step 1 could write a file describing what non-blob 366objects each object it has inflated from the packfile references. This 367makes the topological sort in step 2 possible without inflating the 368objects in the packfile for a second time. The objects need to be 369inflated again in step 3, for a total of two inflations. 370 371Step 4 is probably necessary for good read-time performance. "git 372pack-objects" on the server optimizes the pack file for good data 373locality (see Documentation/technical/pack-heuristics.txt). 374 375Details of this process are likely to change. It will take some 376experimenting to get this to perform well. 377 378Push 379~~~~ 380Push is simpler than fetch because the objects referenced by the 381pushed objects are already in the translation table. The sha1-content 382of each object being pushed can be read as described in the "Reading 383an object's sha1-content" section to generate the pack written by git 384send-pack. 385 386Signed Commits 387~~~~~~~~~~~~~~ 388We add a new field "gpgsig-sha256" to the commit object format to allow 389signing commits without relying on SHA-1. It is similar to the 390existing "gpgsig" field. Its signed payload is the sha256-content of the 391commit object with any "gpgsig" and "gpgsig-sha256" fields removed. 392 393This means commits can be signed 3941. using SHA-1 only, as in existing signed commit objects 3952. using both SHA-1 and SHA-256, by using both gpgsig-sha256 and gpgsig 396 fields. 3973. using only SHA-256, by only using the gpgsig-sha256 field. 398 399Old versions of "git verify-commit" can verify the gpgsig signature in 400cases (1) and (2) without modifications and view case (3) as an 401ordinary unsigned commit. 402 403Signed Tags 404~~~~~~~~~~~ 405We add a new field "gpgsig-sha256" to the tag object format to allow 406signing tags without relying on SHA-1. Its signed payload is the 407sha256-content of the tag with its gpgsig-sha256 field and "-----BEGIN PGP 408SIGNATURE-----" delimited in-body signature removed. 409 410This means tags can be signed 4111. using SHA-1 only, as in existing signed tag objects 4122. using both SHA-1 and SHA-256, by using gpgsig-sha256 and an in-body 413 signature. 4143. using only SHA-256, by only using the gpgsig-sha256 field. 415 416Mergetag embedding 417~~~~~~~~~~~~~~~~~~ 418The mergetag field in the sha1-content of a commit contains the 419sha1-content of a tag that was merged by that commit. 420 421The mergetag field in the sha256-content of the same commit contains the 422sha256-content of the same tag. 423 424Submodules 425~~~~~~~~~~ 426To convert recorded submodule pointers, you need to have the converted 427submodule repository in place. The translation table of the submodule 428can be used to look up the new hash. 429 430Loose objects and unreachable objects 431~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 432Fast lookups in the loose-object-idx require that the number of loose 433objects not grow too high. 434 435"git gc --auto" currently waits for there to be 6700 loose objects 436present before consolidating them into a packfile. We will need to 437measure to find a more appropriate threshold for it to use. 438 439"git gc --auto" currently waits for there to be 50 packs present 440before combining packfiles. Packing loose objects more aggressively 441may cause the number of pack files to grow too quickly. This can be 442mitigated by using a strategy similar to Martin Fick's exponential 443rolling garbage collection script: 444https://gerrit-review.googlesource.com/c/gerrit/+/35215 445 446"git gc" currently expels any unreachable objects it encounters in 447pack files to loose objects in an attempt to prevent a race when 448pruning them (in case another process is simultaneously writing a new 449object that refers to the about-to-be-deleted object). This leads to 450an explosion in the number of loose objects present and disk space 451usage due to the objects in delta form being replaced with independent 452loose objects. Worse, the race is still present for loose objects. 453 454Instead, "git gc" will need to move unreachable objects to a new 455packfile marked as UNREACHABLE_GARBAGE (using the PSRC field; see 456below). To avoid the race when writing new objects referring to an 457about-to-be-deleted object, code paths that write new objects will 458need to copy any objects from UNREACHABLE_GARBAGE packs that they 459refer to new, non-UNREACHABLE_GARBAGE packs (or loose objects). 460UNREACHABLE_GARBAGE are then safe to delete if their creation time (as 461indicated by the file's mtime) is long enough ago. 462 463To avoid a proliferation of UNREACHABLE_GARBAGE packs, they can be 464combined under certain circumstances. If "gc.garbageTtl" is set to 465greater than one day, then packs created within a single calendar day, 466UTC, can be coalesced together. The resulting packfile would have an 467mtime before midnight on that day, so this makes the effective maximum 468ttl the garbageTtl + 1 day. If "gc.garbageTtl" is less than one day, 469then we divide the calendar day into intervals one-third of that ttl 470in duration. Packs created within the same interval can be coalesced 471together. The resulting packfile would have an mtime before the end of 472the interval, so this makes the effective maximum ttl equal to the 473garbageTtl * 4/3. 474 475This rule comes from Thirumala Reddy Mutchukota's JGit change 476https://git.eclipse.org/r/90465. 477 478The UNREACHABLE_GARBAGE setting goes in the PSRC field of the pack 479index. More generally, that field indicates where a pack came from: 480 481 - 1 (PACK_SOURCE_RECEIVE) for a pack received over the network 482 - 2 (PACK_SOURCE_AUTO) for a pack created by a lightweight 483 "gc --auto" operation 484 - 3 (PACK_SOURCE_GC) for a pack created by a full gc 485 - 4 (PACK_SOURCE_UNREACHABLE_GARBAGE) for potential garbage 486 discovered by gc 487 - 5 (PACK_SOURCE_INSERT) for locally created objects that were 488 written directly to a pack file, e.g. from "git add ." 489 490This information can be useful for debugging and for "gc --auto" to 491make appropriate choices about which packs to coalesce. 492 493Caveats 494------- 495Invalid objects 496~~~~~~~~~~~~~~~ 497The conversion from sha1-content to sha256-content retains any 498brokenness in the original object (e.g., tree entry modes encoded with 499leading 0, tree objects whose paths are not sorted correctly, and 500commit objects without an author or committer). This is a deliberate 501feature of the design to allow the conversion to round-trip. 502 503More profoundly broken objects (e.g., a commit with a truncated "tree" 504header line) cannot be converted but were not usable by current Git 505anyway. 506 507Shallow clone and submodules 508~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 509Because it requires all referenced objects to be available in the 510locally generated translation table, this design does not support 511shallow clone or unfetched submodules. Protocol improvements might 512allow lifting this restriction. 513 514Alternates 515~~~~~~~~~~ 516For the same reason, a sha256 repository cannot borrow objects from a 517sha1 repository using objects/info/alternates or 518$GIT_ALTERNATE_OBJECT_REPOSITORIES. 519 520git notes 521~~~~~~~~~ 522The "git notes" tool annotates objects using their sha1-name as key. 523This design does not describe a way to migrate notes trees to use 524sha256-names. That migration is expected to happen separately (for 525example using a file at the root of the notes tree to describe which 526hash it uses). 527 528Server-side cost 529~~~~~~~~~~~~~~~~ 530Until Git protocol gains SHA-256 support, using SHA-256 based storage 531on public-facing Git servers is strongly discouraged. Once Git 532protocol gains SHA-256 support, SHA-256 based servers are likely not 533to support SHA-1 compatibility, to avoid what may be a very expensive 534hash reencode during clone and to encourage peers to modernize. 535 536The design described here allows fetches by SHA-1 clients of a 537personal SHA-256 repository because it's not much more difficult than 538allowing pushes from that repository. This support needs to be guarded 539by a configuration option --- servers like git.kernel.org that serve a 540large number of clients would not be expected to bear that cost. 541 542Meaning of signatures 543~~~~~~~~~~~~~~~~~~~~~ 544The signed payload for signed commits and tags does not explicitly 545name the hash used to identify objects. If some day Git adopts a new 546hash function with the same length as the current SHA-1 (40 547hexadecimal digit) or SHA-256 (64 hexadecimal digit) objects then the 548intent behind the PGP signed payload in an object signature is 549unclear: 550 551 object e7e07d5a4fcc2a203d9873968ad3e6bd4d7419d7 552 type commit 553 tag v2.12.0 554 tagger Junio C Hamano <gitster@pobox.com> 1487962205 -0800 555 556 Git 2.12 557 558Does this mean Git v2.12.0 is the commit with sha1-name 559e7e07d5a4fcc2a203d9873968ad3e6bd4d7419d7 or the commit with 560new-40-digit-hash-name e7e07d5a4fcc2a203d9873968ad3e6bd4d7419d7? 561 562Fortunately SHA-256 and SHA-1 have different lengths. If Git starts 563using another hash with the same length to name objects, then it will 564need to change the format of signed payloads using that hash to 565address this issue. 566 567Object names on the command line 568~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 569To support the transition (see Transition plan below), this design 570supports four different modes of operation: 571 572 1. ("dark launch") Treat object names input by the user as SHA-1 and 573 convert any object names written to output to SHA-1, but store 574 objects using SHA-256. This allows users to test the code with no 575 visible behavior change except for performance. This allows 576 allows running even tests that assume the SHA-1 hash function, to 577 sanity-check the behavior of the new mode. 578 579 2. ("early transition") Allow both SHA-1 and SHA-256 object names in 580 input. Any object names written to output use SHA-1. This allows 581 users to continue to make use of SHA-1 to communicate with peers 582 (e.g. by email) that have not migrated yet and prepares for mode 3. 583 584 3. ("late transition") Allow both SHA-1 and SHA-256 object names in 585 input. Any object names written to output use SHA-256. In this 586 mode, users are using a more secure object naming method by 587 default. The disruption is minimal as long as most of their peers 588 are in mode 2 or mode 3. 589 590 4. ("post-transition") Treat object names input by the user as 591 SHA-256 and write output using SHA-256. This is safer than mode 3 592 because there is less risk that input is incorrectly interpreted 593 using the wrong hash function. 594 595The mode is specified in configuration. 596 597The user can also explicitly specify which format to use for a 598particular revision specifier and for output, overriding the mode. For 599example: 600 601git --output-format=sha1 log abac87a^{sha1}..f787cac^{sha256} 602 603Choice of Hash 604-------------- 605In early 2005, around the time that Git was written, Xiaoyun Wang, 606Yiqun Lisa Yin, and Hongbo Yu announced an attack finding SHA-1 607collisions in 2^69 operations. In August they published details. 608Luckily, no practical demonstrations of a collision in full SHA-1 were 609published until 10 years later, in 2017. 610 611Git v2.13.0 and later subsequently moved to a hardened SHA-1 612implementation by default that mitigates the SHAttered attack, but 613SHA-1 is still believed to be weak. 614 615The hash to replace this hardened SHA-1 should be stronger than SHA-1 616was: we would like it to be trustworthy and useful in practice for at 617least 10 years. 618 619Some other relevant properties: 620 6211. A 256-bit hash (long enough to match common security practice; not 622 excessively long to hurt performance and disk usage). 623 6242. High quality implementations should be widely available (e.g., in 625 OpenSSL and Apple CommonCrypto). 626 6273. The hash function's properties should match Git's needs (e.g. Git 628 requires collision and 2nd preimage resistance and does not require 629 length extension resistance). 630 6314. As a tiebreaker, the hash should be fast to compute (fortunately 632 many contenders are faster than SHA-1). 633 634We choose SHA-256. 635 636Transition plan 637--------------- 638Some initial steps can be implemented independently of one another: 639- adding a hash function API (vtable) 640- teaching fsck to tolerate the gpgsig-sha256 field 641- excluding gpgsig-* from the fields copied by "git commit --amend" 642- annotating tests that depend on SHA-1 values with a SHA1 test 643 prerequisite 644- using "struct object_id", GIT_MAX_RAWSZ, and GIT_MAX_HEXSZ 645 consistently instead of "unsigned char *" and the hardcoded 646 constants 20 and 40. 647- introducing index v3 648- adding support for the PSRC field and safer object pruning 649 650 651The first user-visible change is the introduction of the objectFormat 652extension (without compatObjectFormat). This requires: 653- implementing the loose-object-idx 654- teaching fsck about this mode of operation 655- using the hash function API (vtable) when computing object names 656- signing objects and verifying signatures 657- rejecting attempts to fetch from or push to an incompatible 658 repository 659 660Next comes introduction of compatObjectFormat: 661- translating object names between object formats 662- translating object content between object formats 663- generating and verifying signatures in the compat format 664- adding appropriate index entries when adding a new object to the 665 object store 666- --output-format option 667- ^{sha1} and ^{sha256} revision notation 668- configuration to specify default input and output format (see 669 "Object names on the command line" above) 670 671The next step is supporting fetches and pushes to SHA-1 repositories: 672- allow pushes to a repository using the compat format 673- generate a topologically sorted list of the SHA-1 names of fetched 674 objects 675- convert the fetched packfile to sha256 format and generate an idx 676 file 677- re-sort to match the order of objects in the fetched packfile 678 679The infrastructure supporting fetch also allows converting an existing 680repository. In converted repositories and new clones, end users can 681gain support for the new hash function without any visible change in 682behavior (see "dark launch" in the "Object names on the command line" 683section). In particular this allows users to verify SHA-256 signatures 684on objects in the repository, and it should ensure the transition code 685is stable in production in preparation for using it more widely. 686 687Over time projects would encourage their users to adopt the "early 688transition" and then "late transition" modes to take advantage of the 689new, more futureproof SHA-256 object names. 690 691When objectFormat and compatObjectFormat are both set, commands 692generating signatures would generate both SHA-1 and SHA-256 signatures 693by default to support both new and old users. 694 695In projects using SHA-256 heavily, users could be encouraged to adopt 696the "post-transition" mode to avoid accidentally making implicit use 697of SHA-1 object names. 698 699Once a critical mass of users have upgraded to a version of Git that 700can verify SHA-256 signatures and have converted their existing 701repositories to support verifying them, we can add support for a 702setting to generate only SHA-256 signatures. This is expected to be at 703least a year later. 704 705That is also a good moment to advertise the ability to convert 706repositories to use SHA-256 only, stripping out all SHA-1 related 707metadata. This improves performance by eliminating translation 708overhead and security by avoiding the possibility of accidentally 709relying on the safety of SHA-1. 710 711Updating Git's protocols to allow a server to specify which hash 712functions it supports is also an important part of this transition. It 713is not discussed in detail in this document but this transition plan 714assumes it happens. :) 715 716Alternatives considered 717----------------------- 718Upgrading everyone working on a particular project on a flag day 719~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 720Projects like the Linux kernel are large and complex enough that 721flipping the switch for all projects based on the repository at once 722is infeasible. 723 724Not only would all developers and server operators supporting 725developers have to switch on the same flag day, but supporting tooling 726(continuous integration, code review, bug trackers, etc) would have to 727be adapted as well. This also makes it difficult to get early feedback 728from some project participants testing before it is time for mass 729adoption. 730 731Using hash functions in parallel 732~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 733(e.g. https://public-inbox.org/git/22708.8913.864049.452252@chiark.greenend.org.uk/ ) 734Objects newly created would be addressed by the new hash, but inside 735such an object (e.g. commit) it is still possible to address objects 736using the old hash function. 737* You cannot trust its history (needed for bisectability) in the 738 future without further work 739* Maintenance burden as the number of supported hash functions grows 740 (they will never go away, so they accumulate). In this proposal, by 741 comparison, converted objects lose all references to SHA-1. 742 743Signed objects with multiple hashes 744~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 745Instead of introducing the gpgsig-sha256 field in commit and tag objects 746for sha256-content based signatures, an earlier version of this design 747added "hash sha256 <sha256-name>" fields to strengthen the existing 748sha1-content based signatures. 749 750In other words, a single signature was used to attest to the object 751content using both hash functions. This had some advantages: 752* Using one signature instead of two speeds up the signing process. 753* Having one signed payload with both hashes allows the signer to 754 attest to the sha1-name and sha256-name referring to the same object. 755* All users consume the same signature. Broken signatures are likely 756 to be detected quickly using current versions of git. 757 758However, it also came with disadvantages: 759* Verifying a signed object requires access to the sha1-names of all 760 objects it references, even after the transition is complete and 761 translation table is no longer needed for anything else. To support 762 this, the design added fields such as "hash sha1 tree <sha1-name>" 763 and "hash sha1 parent <sha1-name>" to the sha256-content of a signed 764 commit, complicating the conversion process. 765* Allowing signed objects without a sha1 (for after the transition is 766 complete) complicated the design further, requiring a "nohash sha1" 767 field to suppress including "hash sha1" fields in the sha256-content 768 and signed payload. 769 770Lazily populated translation table 771~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 772Some of the work of building the translation table could be deferred to 773push time, but that would significantly complicate and slow down pushes. 774Calculating the sha1-name at object creation time at the same time it is 775being streamed to disk and having its sha256-name calculated should be 776an acceptable cost. 777 778Document History 779---------------- 780 7812017-03-03 782bmwill@google.com, jonathantanmy@google.com, jrnieder@gmail.com, 783sbeller@google.com 784 785Initial version sent to 786http://public-inbox.org/git/20170304011251.GA26789@aiede.mtv.corp.google.com 787 7882017-03-03 jrnieder@gmail.com 789Incorporated suggestions from jonathantanmy and sbeller: 790* describe purpose of signed objects with each hash type 791* redefine signed object verification using object content under the 792 first hash function 793 7942017-03-06 jrnieder@gmail.com 795* Use SHA3-256 instead of SHA2 (thanks, Linus and brian m. carlson).[1][2] 796* Make sha3-based signatures a separate field, avoiding the need for 797 "hash" and "nohash" fields (thanks to peff[3]). 798* Add a sorting phase to fetch (thanks to Junio for noticing the need 799 for this). 800* Omit blobs from the topological sort during fetch (thanks to peff). 801* Discuss alternates, git notes, and git servers in the caveats 802 section (thanks to Junio Hamano, brian m. carlson[4], and Shawn 803 Pearce). 804* Clarify language throughout (thanks to various commenters, 805 especially Junio). 806 8072017-09-27 jrnieder@gmail.com, sbeller@google.com 808* use placeholder NewHash instead of SHA3-256 809* describe criteria for picking a hash function. 810* include a transition plan (thanks especially to Brandon Williams 811 for fleshing these ideas out) 812* define the translation table (thanks, Shawn Pearce[5], Jonathan 813 Tan, and Masaya Suzuki) 814* avoid loose object overhead by packing more aggressively in 815 "git gc --auto" 816 817Later history: 818 819 See the history of this file in git.git for the history of subsequent 820 edits. This document history is no longer being maintained as it 821 would now be superfluous to the commit log 822 823[1] http://public-inbox.org/git/CA+55aFzJtejiCjV0e43+9oR3QuJK2PiFiLQemytoLpyJWe6P9w@mail.gmail.com/ 824[2] http://public-inbox.org/git/CA+55aFz+gkAsDZ24zmePQuEs1XPS9BP_s8O7Q4wQ7LV7X5-oDA@mail.gmail.com/ 825[3] http://public-inbox.org/git/20170306084353.nrns455dvkdsfgo5@sigill.intra.peff.net/ 826[4] http://public-inbox.org/git/20170304224936.rqqtkdvfjgyezsht@genre.crustytoothpaste.net 827[5] https://public-inbox.org/git/CAJo=hJtoX9=AyLHHpUJS7fueV9ciZ_MNpnEPHUz8Whui6g9F0A@mail.gmail.com/