📆 October 22, 2023 | ⏱️ 2 minute read | 🏷️ journal updates

Journal Update 25

What’s New

For those who are not in the know, Git used to use SHA-1 for file and commit identity and integrity checking. SHA-1 is a weak cryptographic hash function that shouldn’t be used anymore. Git has since switched to using SHA-1dc by default, a hardened version of SHA-1, but there’s still a desire to transition away from any SHA-1 variant to the properly secure SHA-256. The transition plan was created in 2017. Six years later, some work has gone towards the transition, but it’s incomplete and could remain that way for years to come.

Git itself and an increasing number of software forges support SHA-256, but there’s no compatibility between SHA-1dc and SHA-256 repos yet. This had been bugging me since SHA-1dc likely has lower longevity than SHA-256 and it being broken would render my signify signatures meaningless, and the full transition could still be years off. So I set out to transition my repos (not forked ones) to SHA-256 myself. For everybody else, I recommend just waiting for the official solution.

In the end, I succeeded using a small script I hacked together and some manual rebasing. An alternative solution I considered was creating new SHA-256 Git repos based on the latest commit of my old SHA-1 repos. This solution would’ve been much quicker, easier, and less error-prone than what I did, but it also would’ve doubled the number of Git repos I have and created a messy situation where the commit history is split across two separate incompatible repos.

In conclusion, I’m happy with the results and I’ll make sure every new Git repository I create uses SHA-256 to avoid this situation in the future.

Future Plans

As for future plans, I’m still slowly working on getting rid of the promoted page and adding more tags.