Documentation / technical / hash-function-transition.txton commit Merge branch 'po/rerere-doc-fmt' (98a8fcc)
   1Git hash function transition
   2============================
   3
   4Objective
   5---------
   6Migrate Git from SHA-1 to a stronger hash function.
   7
   8Background
   9----------
  10At its core, the Git version control system is a content addressable
  11filesystem. It uses the SHA-1 hash function to name content. For
  12example, files, directories, and revisions are referred to by hash
  13values unlike in other traditional version control systems where files
  14or versions are referred to via sequential numbers. The use of a hash
  15function to address its content delivers a few advantages:
  16
  17* Integrity checking is easy. Bit flips, for example, are easily
  18  detected, as the hash of corrupted content does not match its name.
  19* Lookup of objects is fast.
  20
  21Using a cryptographically secure hash function brings additional
  22advantages:
  23
  24* Object names can be signed and third parties can trust the hash to
  25  address the signed object and all objects it references.
  26* Communication using Git protocol and out of band communication
  27  methods have a short reliable string that can be used to reliably
  28  address stored content.
  29
  30Over time some flaws in SHA-1 have been discovered by security
  31researchers. On 23 February 2017 the SHAttered attack
  32(https://shattered.io) demonstrated a practical SHA-1 hash collision.
  33
  34Git v2.13.0 and later subsequently moved to a hardened SHA-1
  35implementation by default, which isn't vulnerable to the SHAttered
  36attack.
  37
  38Thus Git has in effect already migrated to a new hash that isn't SHA-1
  39and doesn't share its vulnerabilities, its new hash function just
  40happens to produce exactly the same output for all known inputs,
  41except two PDFs published by the SHAttered researchers, and the new
  42implementation (written by those researchers) claims to detect future
  43cryptanalytic collision attacks.
  44
  45Regardless, it's considered prudent to move past any variant of SHA-1
  46to a new hash. There's no guarantee that future attacks on SHA-1 won't
  47be published in the future, and those attacks may not have viable
  48mitigations.
  49
  50If SHA-1 and its variants were to be truly broken, Git's hash function
  51could not be considered cryptographically secure any more. This would
  52impact the communication of hash values because we could not trust
  53that a given hash value represented the known good version of content
  54that the speaker intended.
  55
  56SHA-1 still possesses the other properties such as fast object lookup
  57and safe error checking, but other hash functions are equally suitable
  58that are believed to be cryptographically secure.
  59
  60Goals
  61-----
  621. The transition to SHA-256 can be done one local repository at a time.
  63   a. Requiring no action by any other party.
  64   b. A SHA-256 repository can communicate with SHA-1 Git servers
  65      (push/fetch).
  66   c. Users can use SHA-1 and SHA-256 identifiers for objects
  67      interchangeably (see "Object names on the command line", below).
  68   d. New signed objects make use of a stronger hash function than
  69      SHA-1 for their security guarantees.
  702. Allow a complete transition away from SHA-1.
  71   a. Local metadata for SHA-1 compatibility can be removed from a
  72      repository if compatibility with SHA-1 is no longer needed.
  733. Maintainability throughout the process.
  74   a. The object format is kept simple and consistent.
  75   b. Creation of a generalized repository conversion tool.
  76
  77Non-Goals
  78---------
  791. Add SHA-256 support to Git protocol. This is valuable and the
  80   logical next step but it is out of scope for this initial design.
  812. Transparently improving the security of existing SHA-1 signed
  82   objects.
  833. Intermixing objects using multiple hash functions in a single
  84   repository.
  854. Taking the opportunity to fix other bugs in Git's formats and
  86   protocols.
  875. Shallow clones and fetches into a SHA-256 repository. (This will
  88   change when we add SHA-256 support to Git protocol.)
  896. Skip fetching some submodules of a project into a SHA-256
  90   repository. (This also depends on SHA-256 support in Git
  91   protocol.)
  92
  93Overview
  94--------
  95We introduce a new repository format extension. Repositories with this
  96extension enabled use SHA-256 instead of SHA-1 to name their objects.
  97This affects both object names and object content --- both the names
  98of objects and all references to other objects within an object are
  99switched to the new hash function.
 100
 101SHA-256 repositories cannot be read by older versions of Git.
 102
 103Alongside the packfile, a SHA-256 repository stores a bidirectional
 104mapping between SHA-256 and SHA-1 object names. The mapping is generated
 105locally and can be verified using "git fsck". Object lookups use this
 106mapping to allow naming objects using either their SHA-1 and SHA-256 names
 107interchangeably.
 108
 109"git cat-file" and "git hash-object" gain options to display an object
 110in its sha1 form and write an object given its sha1 form. This
 111requires all objects referenced by that object to be present in the
 112object database so that they can be named using the appropriate name
 113(using the bidirectional hash mapping).
 114
 115Fetches from a SHA-1 based server convert the fetched objects into
 116SHA-256 form and record the mapping in the bidirectional mapping table
 117(see below for details). Pushes to a SHA-1 based server convert the
 118objects being pushed into sha1 form so the server does not have to be
 119aware of the hash function the client is using.
 120
 121Detailed Design
 122---------------
 123Repository format extension
 124~~~~~~~~~~~~~~~~~~~~~~~~~~~
 125A SHA-256 repository uses repository format version `1` (see
 126Documentation/technical/repository-version.txt) with extensions
 127`objectFormat` and `compatObjectFormat`:
 128
 129        [core]
 130                repositoryFormatVersion = 1
 131        [extensions]
 132                objectFormat = sha256
 133                compatObjectFormat = sha1
 134
 135The combination of setting `core.repositoryFormatVersion=1` and
 136populating `extensions.*` ensures that all versions of Git later than
 137`v0.99.9l` will die instead of trying to operate on the SHA-256
 138repository, instead producing an error message.
 139
 140        # Between v0.99.9l and v2.7.0
 141        $ git status
 142        fatal: Expected git repo version <= 0, found 1
 143        # After v2.7.0
 144        $ git status
 145        fatal: unknown repository extensions found:
 146                objectformat
 147                compatobjectformat
 148
 149See the "Transition plan" section below for more details on these
 150repository extensions.
 151
 152Object names
 153~~~~~~~~~~~~
 154Objects can be named by their 40 hexadecimal digit sha1-name or 64
 155hexadecimal digit sha256-name, plus names derived from those (see
 156gitrevisions(7)).
 157
 158The sha1-name of an object is the SHA-1 of the concatenation of its
 159type, length, a nul byte, and the object's sha1-content. This is the
 160traditional <sha1> used in Git to name objects.
 161
 162The sha256-name of an object is the SHA-256 of the concatenation of its
 163type, length, a nul byte, and the object's sha256-content.
 164
 165Object format
 166~~~~~~~~~~~~~
 167The content as a byte sequence of a tag, commit, or tree object named
 168by sha1 and sha256 differ because an object named by sha256-name refers to
 169other objects by their sha256-names and an object named by sha1-name
 170refers to other objects by their sha1-names.
 171
 172The sha256-content of an object is the same as its sha1-content, except
 173that objects referenced by the object are named using their sha256-names
 174instead of sha1-names. Because a blob object does not refer to any
 175other object, its sha1-content and sha256-content are the same.
 176
 177The format allows round-trip conversion between sha256-content and
 178sha1-content.
 179
 180Object storage
 181~~~~~~~~~~~~~~
 182Loose objects use zlib compression and packed objects use the packed
 183format described in Documentation/technical/pack-format.txt, just like
 184today. The content that is compressed and stored uses sha256-content
 185instead of sha1-content.
 186
 187Pack index
 188~~~~~~~~~~
 189Pack index (.idx) files use a new v3 format that supports multiple
 190hash functions. They have the following format (all integers are in
 191network byte order):
 192
 193- A header appears at the beginning and consists of the following:
 194  - The 4-byte pack index signature: '\377t0c'
 195  - 4-byte version number: 3
 196  - 4-byte length of the header section, including the signature and
 197    version number
 198  - 4-byte number of objects contained in the pack
 199  - 4-byte number of object formats in this pack index: 2
 200  - For each object format:
 201    - 4-byte format identifier (e.g., 'sha1' for SHA-1)
 202    - 4-byte length in bytes of shortened object names. This is the
 203      shortest possible length needed to make names in the shortened
 204      object name table unambiguous.
 205    - 4-byte integer, recording where tables relating to this format
 206      are stored in this index file, as an offset from the beginning.
 207  - 4-byte offset to the trailer from the beginning of this file.
 208  - Zero or more additional key/value pairs (4-byte key, 4-byte
 209    value). Only one key is supported: 'PSRC'. See the "Loose objects
 210    and unreachable objects" section for supported values and how this
 211    is used.  All other keys are reserved. Readers must ignore
 212    unrecognized keys.
 213- Zero or more NUL bytes. This can optionally be used to improve the
 214  alignment of the full object name table below.
 215- Tables for the first object format:
 216  - A sorted table of shortened object names.  These are prefixes of
 217    the names of all objects in this pack file, packed together
 218    without offset values to reduce the cache footprint of the binary
 219    search for a specific object name.
 220
 221  - A table of full object names in pack order. This allows resolving
 222    a reference to "the nth object in the pack file" (from a
 223    reachability bitmap or from the next table of another object
 224    format) to its object name.
 225
 226  - A table of 4-byte values mapping object name order to pack order.
 227    For an object in the table of sorted shortened object names, the
 228    value at the corresponding index in this table is the index in the
 229    previous table for that same object.
 230
 231    This can be used to look up the object in reachability bitmaps or
 232    to look up its name in another object format.
 233
 234  - A table of 4-byte CRC32 values of the packed object data, in the
 235    order that the objects appear in the pack file. This is to allow
 236    compressed data to be copied directly from pack to pack during
 237    repacking without undetected data corruption.
 238
 239  - A table of 4-byte offset values. For an object in the table of
 240    sorted shortened object names, the value at the corresponding
 241    index in this table indicates where that object can be found in
 242    the pack file. These are usually 31-bit pack file offsets, but
 243    large offsets are encoded as an index into the next table with the
 244    most significant bit set.
 245
 246  - A table of 8-byte offset entries (empty for pack files less than
 247    2 GiB). Pack files are organized with heavily used objects toward
 248    the front, so most object references should not need to refer to
 249    this table.
 250- Zero or more NUL bytes.
 251- Tables for the second object format, with the same layout as above,
 252  up to and not including the table of CRC32 values.
 253- Zero or more NUL bytes.
 254- The trailer consists of the following:
 255  - A copy of the 20-byte SHA-256 checksum at the end of the
 256    corresponding packfile.
 257
 258  - 20-byte SHA-256 checksum of all of the above.
 259
 260Loose object index
 261~~~~~~~~~~~~~~~~~~
 262A new file $GIT_OBJECT_DIR/loose-object-idx contains information about
 263all loose objects. Its format is
 264
 265  # loose-object-idx
 266  (sha256-name SP sha1-name LF)*
 267
 268where the object names are in hexadecimal format. The file is not
 269sorted.
 270
 271The loose object index is protected against concurrent writes by a
 272lock file $GIT_OBJECT_DIR/loose-object-idx.lock. To add a new loose
 273object:
 274
 2751. Write the loose object to a temporary file, like today.
 2762. Open loose-object-idx.lock with O_CREAT | O_EXCL to acquire the lock.
 2773. Rename the loose object into place.
 2784. Open loose-object-idx with O_APPEND and write the new object
 2795. Unlink loose-object-idx.lock to release the lock.
 280
 281To remove entries (e.g. in "git pack-refs" or "git-prune"):
 282
 2831. Open loose-object-idx.lock with O_CREAT | O_EXCL to acquire the
 284   lock.
 2852. Write the new content to loose-object-idx.lock.
 2863. Unlink any loose objects being removed.
 2874. Rename to replace loose-object-idx, releasing the lock.
 288
 289Translation table
 290~~~~~~~~~~~~~~~~~
 291The index files support a bidirectional mapping between sha1-names
 292and sha256-names. The lookup proceeds similarly to ordinary object
 293lookups. For example, to convert a sha1-name to a sha256-name:
 294
 295 1. Look for the object in idx files. If a match is present in the
 296    idx's sorted list of truncated sha1-names, then:
 297    a. Read the corresponding entry in the sha1-name order to pack
 298       name order mapping.
 299    b. Read the corresponding entry in the full sha1-name table to
 300       verify we found the right object. If it is, then
 301    c. Read the corresponding entry in the full sha256-name table.
 302       That is the object's sha256-name.
 303 2. Check for a loose object. Read lines from loose-object-idx until
 304    we find a match.
 305
 306Step (1) takes the same amount of time as an ordinary object lookup:
 307O(number of packs * log(objects per pack)). Step (2) takes O(number of
 308loose objects) time. To maintain good performance it will be necessary
 309to keep the number of loose objects low. See the "Loose objects and
 310unreachable objects" section below for more details.
 311
 312Since all operations that make new objects (e.g., "git commit") add
 313the new objects to the corresponding index, this mapping is possible
 314for all objects in the object store.
 315
 316Reading an object's sha1-content
 317~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 318The sha1-content of an object can be read by converting all sha256-names
 319its sha256-content references to sha1-names using the translation table.
 320
 321Fetch
 322~~~~~
 323Fetching from a SHA-1 based server requires translating between SHA-1
 324and SHA-256 based representations on the fly.
 325
 326SHA-1s named in the ref advertisement that are present on the client
 327can be translated to SHA-256 and looked up as local objects using the
 328translation table.
 329
 330Negotiation proceeds as today. Any "have"s generated locally are
 331converted to SHA-1 before being sent to the server, and SHA-1s
 332mentioned by the server are converted to SHA-256 when looking them up
 333locally.
 334
 335After negotiation, the server sends a packfile containing the
 336requested objects. We convert the packfile to SHA-256 format using
 337the following steps:
 338
 3391. index-pack: inflate each object in the packfile and compute its
 340   SHA-1. Objects can contain deltas in OBJ_REF_DELTA format against
 341   objects the client has locally. These objects can be looked up
 342   using the translation table and their sha1-content read as
 343   described above to resolve the deltas.
 3442. topological sort: starting at the "want"s from the negotiation
 345   phase, walk through objects in the pack and emit a list of them,
 346   excluding blobs, in reverse topologically sorted order, with each
 347   object coming later in the list than all objects it references.
 348   (This list only contains objects reachable from the "wants". If the
 349   pack from the server contained additional extraneous objects, then
 350   they will be discarded.)
 3513. convert to sha256: open a new (sha256) packfile. Read the topologically
 352   sorted list just generated. For each object, inflate its
 353   sha1-content, convert to sha256-content, and write it to the sha256
 354   pack. Record the new sha1<->sha256 mapping entry for use in the idx.
 3554. sort: reorder entries in the new pack to match the order of objects
 356   in the pack the server generated and include blobs. Write a sha256 idx
 357   file
 3585. clean up: remove the SHA-1 based pack file, index, and
 359   topologically sorted list obtained from the server in steps 1
 360   and 2.
 361
 362Step 3 requires every object referenced by the new object to be in the
 363translation table. This is why the topological sort step is necessary.
 364
 365As an optimization, step 1 could write a file describing what non-blob
 366objects each object it has inflated from the packfile references. This
 367makes the topological sort in step 2 possible without inflating the
 368objects in the packfile for a second time. The objects need to be
 369inflated again in step 3, for a total of two inflations.
 370
 371Step 4 is probably necessary for good read-time performance. "git
 372pack-objects" on the server optimizes the pack file for good data
 373locality (see Documentation/technical/pack-heuristics.txt).
 374
 375Details of this process are likely to change. It will take some
 376experimenting to get this to perform well.
 377
 378Push
 379~~~~
 380Push is simpler than fetch because the objects referenced by the
 381pushed objects are already in the translation table. The sha1-content
 382of each object being pushed can be read as described in the "Reading
 383an object's sha1-content" section to generate the pack written by git
 384send-pack.
 385
 386Signed Commits
 387~~~~~~~~~~~~~~
 388We add a new field "gpgsig-sha256" to the commit object format to allow
 389signing commits without relying on SHA-1. It is similar to the
 390existing "gpgsig" field. Its signed payload is the sha256-content of the
 391commit object with any "gpgsig" and "gpgsig-sha256" fields removed.
 392
 393This means commits can be signed
 3941. using SHA-1 only, as in existing signed commit objects
 3952. using both SHA-1 and SHA-256, by using both gpgsig-sha256 and gpgsig
 396   fields.
 3973. using only SHA-256, by only using the gpgsig-sha256 field.
 398
 399Old versions of "git verify-commit" can verify the gpgsig signature in
 400cases (1) and (2) without modifications and view case (3) as an
 401ordinary unsigned commit.
 402
 403Signed Tags
 404~~~~~~~~~~~
 405We add a new field "gpgsig-sha256" to the tag object format to allow
 406signing tags without relying on SHA-1. Its signed payload is the
 407sha256-content of the tag with its gpgsig-sha256 field and "-----BEGIN PGP
 408SIGNATURE-----" delimited in-body signature removed.
 409
 410This means tags can be signed
 4111. using SHA-1 only, as in existing signed tag objects
 4122. using both SHA-1 and SHA-256, by using gpgsig-sha256 and an in-body
 413   signature.
 4143. using only SHA-256, by only using the gpgsig-sha256 field.
 415
 416Mergetag embedding
 417~~~~~~~~~~~~~~~~~~
 418The mergetag field in the sha1-content of a commit contains the
 419sha1-content of a tag that was merged by that commit.
 420
 421The mergetag field in the sha256-content of the same commit contains the
 422sha256-content of the same tag.
 423
 424Submodules
 425~~~~~~~~~~
 426To convert recorded submodule pointers, you need to have the converted
 427submodule repository in place. The translation table of the submodule
 428can be used to look up the new hash.
 429
 430Loose objects and unreachable objects
 431~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 432Fast lookups in the loose-object-idx require that the number of loose
 433objects not grow too high.
 434
 435"git gc --auto" currently waits for there to be 6700 loose objects
 436present before consolidating them into a packfile. We will need to
 437measure to find a more appropriate threshold for it to use.
 438
 439"git gc --auto" currently waits for there to be 50 packs present
 440before combining packfiles. Packing loose objects more aggressively
 441may cause the number of pack files to grow too quickly. This can be
 442mitigated by using a strategy similar to Martin Fick's exponential
 443rolling garbage collection script:
 444https://gerrit-review.googlesource.com/c/gerrit/+/35215
 445
 446"git gc" currently expels any unreachable objects it encounters in
 447pack files to loose objects in an attempt to prevent a race when
 448pruning them (in case another process is simultaneously writing a new
 449object that refers to the about-to-be-deleted object). This leads to
 450an explosion in the number of loose objects present and disk space
 451usage due to the objects in delta form being replaced with independent
 452loose objects.  Worse, the race is still present for loose objects.
 453
 454Instead, "git gc" will need to move unreachable objects to a new
 455packfile marked as UNREACHABLE_GARBAGE (using the PSRC field; see
 456below). To avoid the race when writing new objects referring to an
 457about-to-be-deleted object, code paths that write new objects will
 458need to copy any objects from UNREACHABLE_GARBAGE packs that they
 459refer to to new, non-UNREACHABLE_GARBAGE packs (or loose objects).
 460UNREACHABLE_GARBAGE are then safe to delete if their creation time (as
 461indicated by the file's mtime) is long enough ago.
 462
 463To avoid a proliferation of UNREACHABLE_GARBAGE packs, they can be
 464combined under certain circumstances. If "gc.garbageTtl" is set to
 465greater than one day, then packs created within a single calendar day,
 466UTC, can be coalesced together. The resulting packfile would have an
 467mtime before midnight on that day, so this makes the effective maximum
 468ttl the garbageTtl + 1 day. If "gc.garbageTtl" is less than one day,
 469then we divide the calendar day into intervals one-third of that ttl
 470in duration. Packs created within the same interval can be coalesced
 471together. The resulting packfile would have an mtime before the end of
 472the interval, so this makes the effective maximum ttl equal to the
 473garbageTtl * 4/3.
 474
 475This rule comes from Thirumala Reddy Mutchukota's JGit change
 476https://git.eclipse.org/r/90465.
 477
 478The UNREACHABLE_GARBAGE setting goes in the PSRC field of the pack
 479index. More generally, that field indicates where a pack came from:
 480
 481 - 1 (PACK_SOURCE_RECEIVE) for a pack received over the network
 482 - 2 (PACK_SOURCE_AUTO) for a pack created by a lightweight
 483   "gc --auto" operation
 484 - 3 (PACK_SOURCE_GC) for a pack created by a full gc
 485 - 4 (PACK_SOURCE_UNREACHABLE_GARBAGE) for potential garbage
 486   discovered by gc
 487 - 5 (PACK_SOURCE_INSERT) for locally created objects that were
 488   written directly to a pack file, e.g. from "git add ."
 489
 490This information can be useful for debugging and for "gc --auto" to
 491make appropriate choices about which packs to coalesce.
 492
 493Caveats
 494-------
 495Invalid objects
 496~~~~~~~~~~~~~~~
 497The conversion from sha1-content to sha256-content retains any
 498brokenness in the original object (e.g., tree entry modes encoded with
 499leading 0, tree objects whose paths are not sorted correctly, and
 500commit objects without an author or committer). This is a deliberate
 501feature of the design to allow the conversion to round-trip.
 502
 503More profoundly broken objects (e.g., a commit with a truncated "tree"
 504header line) cannot be converted but were not usable by current Git
 505anyway.
 506
 507Shallow clone and submodules
 508~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 509Because it requires all referenced objects to be available in the
 510locally generated translation table, this design does not support
 511shallow clone or unfetched submodules. Protocol improvements might
 512allow lifting this restriction.
 513
 514Alternates
 515~~~~~~~~~~
 516For the same reason, a sha256 repository cannot borrow objects from a
 517sha1 repository using objects/info/alternates or
 518$GIT_ALTERNATE_OBJECT_REPOSITORIES.
 519
 520git notes
 521~~~~~~~~~
 522The "git notes" tool annotates objects using their sha1-name as key.
 523This design does not describe a way to migrate notes trees to use
 524sha256-names. That migration is expected to happen separately (for
 525example using a file at the root of the notes tree to describe which
 526hash it uses).
 527
 528Server-side cost
 529~~~~~~~~~~~~~~~~
 530Until Git protocol gains SHA-256 support, using SHA-256 based storage
 531on public-facing Git servers is strongly discouraged. Once Git
 532protocol gains SHA-256 support, SHA-256 based servers are likely not
 533to support SHA-1 compatibility, to avoid what may be a very expensive
 534hash reencode during clone and to encourage peers to modernize.
 535
 536The design described here allows fetches by SHA-1 clients of a
 537personal SHA-256 repository because it's not much more difficult than
 538allowing pushes from that repository. This support needs to be guarded
 539by a configuration option --- servers like git.kernel.org that serve a
 540large number of clients would not be expected to bear that cost.
 541
 542Meaning of signatures
 543~~~~~~~~~~~~~~~~~~~~~
 544The signed payload for signed commits and tags does not explicitly
 545name the hash used to identify objects. If some day Git adopts a new
 546hash function with the same length as the current SHA-1 (40
 547hexadecimal digit) or SHA-256 (64 hexadecimal digit) objects then the
 548intent behind the PGP signed payload in an object signature is
 549unclear:
 550
 551        object e7e07d5a4fcc2a203d9873968ad3e6bd4d7419d7
 552        type commit
 553        tag v2.12.0
 554        tagger Junio C Hamano <gitster@pobox.com> 1487962205 -0800
 555
 556        Git 2.12
 557
 558Does this mean Git v2.12.0 is the commit with sha1-name
 559e7e07d5a4fcc2a203d9873968ad3e6bd4d7419d7 or the commit with
 560new-40-digit-hash-name e7e07d5a4fcc2a203d9873968ad3e6bd4d7419d7?
 561
 562Fortunately SHA-256 and SHA-1 have different lengths. If Git starts
 563using another hash with the same length to name objects, then it will
 564need to change the format of signed payloads using that hash to
 565address this issue.
 566
 567Object names on the command line
 568~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 569To support the transition (see Transition plan below), this design
 570supports four different modes of operation:
 571
 572 1. ("dark launch") Treat object names input by the user as SHA-1 and
 573    convert any object names written to output to SHA-1, but store
 574    objects using SHA-256.  This allows users to test the code with no
 575    visible behavior change except for performance.  This allows
 576    allows running even tests that assume the SHA-1 hash function, to
 577    sanity-check the behavior of the new mode.
 578
 579 2. ("early transition") Allow both SHA-1 and SHA-256 object names in
 580    input. Any object names written to output use SHA-1. This allows
 581    users to continue to make use of SHA-1 to communicate with peers
 582    (e.g. by email) that have not migrated yet and prepares for mode 3.
 583
 584 3. ("late transition") Allow both SHA-1 and SHA-256 object names in
 585    input. Any object names written to output use SHA-256. In this
 586    mode, users are using a more secure object naming method by
 587    default.  The disruption is minimal as long as most of their peers
 588    are in mode 2 or mode 3.
 589
 590 4. ("post-transition") Treat object names input by the user as
 591    SHA-256 and write output using SHA-256. This is safer than mode 3
 592    because there is less risk that input is incorrectly interpreted
 593    using the wrong hash function.
 594
 595The mode is specified in configuration.
 596
 597The user can also explicitly specify which format to use for a
 598particular revision specifier and for output, overriding the mode. For
 599example:
 600
 601git --output-format=sha1 log abac87a^{sha1}..f787cac^{sha256}
 602
 603Choice of Hash
 604--------------
 605In early 2005, around the time that Git was written,  Xiaoyun Wang,
 606Yiqun Lisa Yin, and Hongbo Yu announced an attack finding SHA-1
 607collisions in 2^69 operations. In August they published details.
 608Luckily, no practical demonstrations of a collision in full SHA-1 were
 609published until 10 years later, in 2017.
 610
 611Git v2.13.0 and later subsequently moved to a hardened SHA-1
 612implementation by default that mitigates the SHAttered attack, but
 613SHA-1 is still believed to be weak.
 614
 615The hash to replace this hardened SHA-1 should be stronger than SHA-1
 616was: we would like it to be trustworthy and useful in practice for at
 617least 10 years.
 618
 619Some other relevant properties:
 620
 6211. A 256-bit hash (long enough to match common security practice; not
 622   excessively long to hurt performance and disk usage).
 623
 6242. High quality implementations should be widely available (e.g., in
 625   OpenSSL and Apple CommonCrypto).
 626
 6273. The hash function's properties should match Git's needs (e.g. Git
 628   requires collision and 2nd preimage resistance and does not require
 629   length extension resistance).
 630
 6314. As a tiebreaker, the hash should be fast to compute (fortunately
 632   many contenders are faster than SHA-1).
 633
 634We choose SHA-256.
 635
 636Transition plan
 637---------------
 638Some initial steps can be implemented independently of one another:
 639- adding a hash function API (vtable)
 640- teaching fsck to tolerate the gpgsig-sha256 field
 641- excluding gpgsig-* from the fields copied by "git commit --amend"
 642- annotating tests that depend on SHA-1 values with a SHA1 test
 643  prerequisite
 644- using "struct object_id", GIT_MAX_RAWSZ, and GIT_MAX_HEXSZ
 645  consistently instead of "unsigned char *" and the hardcoded
 646  constants 20 and 40.
 647- introducing index v3
 648- adding support for the PSRC field and safer object pruning
 649
 650
 651The first user-visible change is the introduction of the objectFormat
 652extension (without compatObjectFormat). This requires:
 653- implementing the loose-object-idx
 654- teaching fsck about this mode of operation
 655- using the hash function API (vtable) when computing object names
 656- signing objects and verifying signatures
 657- rejecting attempts to fetch from or push to an incompatible
 658  repository
 659
 660Next comes introduction of compatObjectFormat:
 661- translating object names between object formats
 662- translating object content between object formats
 663- generating and verifying signatures in the compat format
 664- adding appropriate index entries when adding a new object to the
 665  object store
 666- --output-format option
 667- ^{sha1} and ^{sha256} revision notation
 668- configuration to specify default input and output format (see
 669  "Object names on the command line" above)
 670
 671The next step is supporting fetches and pushes to SHA-1 repositories:
 672- allow pushes to a repository using the compat format
 673- generate a topologically sorted list of the SHA-1 names of fetched
 674  objects
 675- convert the fetched packfile to sha256 format and generate an idx
 676  file
 677- re-sort to match the order of objects in the fetched packfile
 678
 679The infrastructure supporting fetch also allows converting an existing
 680repository. In converted repositories and new clones, end users can
 681gain support for the new hash function without any visible change in
 682behavior (see "dark launch" in the "Object names on the command line"
 683section). In particular this allows users to verify SHA-256 signatures
 684on objects in the repository, and it should ensure the transition code
 685is stable in production in preparation for using it more widely.
 686
 687Over time projects would encourage their users to adopt the "early
 688transition" and then "late transition" modes to take advantage of the
 689new, more futureproof SHA-256 object names.
 690
 691When objectFormat and compatObjectFormat are both set, commands
 692generating signatures would generate both SHA-1 and SHA-256 signatures
 693by default to support both new and old users.
 694
 695In projects using SHA-256 heavily, users could be encouraged to adopt
 696the "post-transition" mode to avoid accidentally making implicit use
 697of SHA-1 object names.
 698
 699Once a critical mass of users have upgraded to a version of Git that
 700can verify SHA-256 signatures and have converted their existing
 701repositories to support verifying them, we can add support for a
 702setting to generate only SHA-256 signatures. This is expected to be at
 703least a year later.
 704
 705That is also a good moment to advertise the ability to convert
 706repositories to use SHA-256 only, stripping out all SHA-1 related
 707metadata. This improves performance by eliminating translation
 708overhead and security by avoiding the possibility of accidentally
 709relying on the safety of SHA-1.
 710
 711Updating Git's protocols to allow a server to specify which hash
 712functions it supports is also an important part of this transition. It
 713is not discussed in detail in this document but this transition plan
 714assumes it happens. :)
 715
 716Alternatives considered
 717-----------------------
 718Upgrading everyone working on a particular project on a flag day
 719~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 720Projects like the Linux kernel are large and complex enough that
 721flipping the switch for all projects based on the repository at once
 722is infeasible.
 723
 724Not only would all developers and server operators supporting
 725developers have to switch on the same flag day, but supporting tooling
 726(continuous integration, code review, bug trackers, etc) would have to
 727be adapted as well. This also makes it difficult to get early feedback
 728from some project participants testing before it is time for mass
 729adoption.
 730
 731Using hash functions in parallel
 732~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 733(e.g. https://public-inbox.org/git/22708.8913.864049.452252@chiark.greenend.org.uk/ )
 734Objects newly created would be addressed by the new hash, but inside
 735such an object (e.g. commit) it is still possible to address objects
 736using the old hash function.
 737* You cannot trust its history (needed for bisectability) in the
 738  future without further work
 739* Maintenance burden as the number of supported hash functions grows
 740  (they will never go away, so they accumulate). In this proposal, by
 741  comparison, converted objects lose all references to SHA-1.
 742
 743Signed objects with multiple hashes
 744~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 745Instead of introducing the gpgsig-sha256 field in commit and tag objects
 746for sha256-content based signatures, an earlier version of this design
 747added "hash sha256 <sha256-name>" fields to strengthen the existing
 748sha1-content based signatures.
 749
 750In other words, a single signature was used to attest to the object
 751content using both hash functions. This had some advantages:
 752* Using one signature instead of two speeds up the signing process.
 753* Having one signed payload with both hashes allows the signer to
 754  attest to the sha1-name and sha256-name referring to the same object.
 755* All users consume the same signature. Broken signatures are likely
 756  to be detected quickly using current versions of git.
 757
 758However, it also came with disadvantages:
 759* Verifying a signed object requires access to the sha1-names of all
 760  objects it references, even after the transition is complete and
 761  translation table is no longer needed for anything else. To support
 762  this, the design added fields such as "hash sha1 tree <sha1-name>"
 763  and "hash sha1 parent <sha1-name>" to the sha256-content of a signed
 764  commit, complicating the conversion process.
 765* Allowing signed objects without a sha1 (for after the transition is
 766  complete) complicated the design further, requiring a "nohash sha1"
 767  field to suppress including "hash sha1" fields in the sha256-content
 768  and signed payload.
 769
 770Lazily populated translation table
 771~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 772Some of the work of building the translation table could be deferred to
 773push time, but that would significantly complicate and slow down pushes.
 774Calculating the sha1-name at object creation time at the same time it is
 775being streamed to disk and having its sha256-name calculated should be
 776an acceptable cost.
 777
 778Document History
 779----------------
 780
 7812017-03-03
 782bmwill@google.com, jonathantanmy@google.com, jrnieder@gmail.com,
 783sbeller@google.com
 784
 785Initial version sent to
 786http://public-inbox.org/git/20170304011251.GA26789@aiede.mtv.corp.google.com
 787
 7882017-03-03 jrnieder@gmail.com
 789Incorporated suggestions from jonathantanmy and sbeller:
 790* describe purpose of signed objects with each hash type
 791* redefine signed object verification using object content under the
 792  first hash function
 793
 7942017-03-06 jrnieder@gmail.com
 795* Use SHA3-256 instead of SHA2 (thanks, Linus and brian m. carlson).[1][2]
 796* Make sha3-based signatures a separate field, avoiding the need for
 797  "hash" and "nohash" fields (thanks to peff[3]).
 798* Add a sorting phase to fetch (thanks to Junio for noticing the need
 799  for this).
 800* Omit blobs from the topological sort during fetch (thanks to peff).
 801* Discuss alternates, git notes, and git servers in the caveats
 802  section (thanks to Junio Hamano, brian m. carlson[4], and Shawn
 803  Pearce).
 804* Clarify language throughout (thanks to various commenters,
 805  especially Junio).
 806
 8072017-09-27 jrnieder@gmail.com, sbeller@google.com
 808* use placeholder NewHash instead of SHA3-256
 809* describe criteria for picking a hash function.
 810* include a transition plan (thanks especially to Brandon Williams
 811  for fleshing these ideas out)
 812* define the translation table (thanks, Shawn Pearce[5], Jonathan
 813  Tan, and Masaya Suzuki)
 814* avoid loose object overhead by packing more aggressively in
 815  "git gc --auto"
 816
 817Later history:
 818
 819 See the history of this file in git.git for the history of subsequent
 820 edits. This document history is no longer being maintained as it
 821 would now be superfluous to the commit log
 822
 823[1] http://public-inbox.org/git/CA+55aFzJtejiCjV0e43+9oR3QuJK2PiFiLQemytoLpyJWe6P9w@mail.gmail.com/
 824[2] http://public-inbox.org/git/CA+55aFz+gkAsDZ24zmePQuEs1XPS9BP_s8O7Q4wQ7LV7X5-oDA@mail.gmail.com/
 825[3] http://public-inbox.org/git/20170306084353.nrns455dvkdsfgo5@sigill.intra.peff.net/
 826[4] http://public-inbox.org/git/20170304224936.rqqtkdvfjgyezsht@genre.crustytoothpaste.net
 827[5] https://public-inbox.org/git/CAJo=hJtoX9=AyLHHpUJS7fueV9ciZ_MNpnEPHUz8Whui6g9F0A@mail.gmail.com/