authorbrian m. carlson <sandals@crustytoothpaste.net>2025-07-01 21:22:37 +0000
committerJunio C Hamano <gitster@pobox.com>2025-07-01 14:58:26 -0700
commitc79bb70a2e7d9158ec165ea16ad45371cd6e350d (patch)
treed35981c46cb19e0609d073719be6b384ec914b60
parent39153c809711885ca2ea5b527e4ff893170f1b6f (diff)
downloadgit-c79bb70a2e7d9158ec165ea16ad45371cd6e350d.tar.gz
Enable SHA-256 by default in breaking changes mode
Our document on breaking changes indicates that we intend to default to SHA-256 in Git 3.0. Since most people choose the default option, this is an important security upgrade to our defaults. To allow people to test this case, when WITH_BREAKING_CHANGES is set in the configuration, build Git with SHA-256 as the default hash. Update the testsuite to use the build options information to automatically choose the right value. Note that if the command substitution for GIT_TEST_BUILTIN_HASH fails, so does the testsuite—and quite spectacularly at that. Thus, the case where the Git binary is somehow subtly broken will not go undetected. Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
-rw-r--r--hash.h8
-rw-r--r--t/test-lib.sh2
2 files changed, 8 insertions, 2 deletions
diff --git a/hash.h b/hash.h
index 953e840d15..3fcbe9bcba 100644
--- a/hash.h
+++ b/hash.h
@@ -174,8 +174,14 @@ static inline void git_SHA256_Clone(git_SHA256_CTX *dst, const git_SHA256_CTX *s
#define GIT_HASH_SHA256 2
/* Number of algorithms supported (including unknown). */
#define GIT_HASH_NALGOS (GIT_HASH_SHA256 + 1)
+
/* Default hash algorithm if unspecified. */
-#define GIT_HASH_DEFAULT GIT_HASH_SHA1
+#ifdef WITH_BREAKING_CHANGES
+# define GIT_HASH_DEFAULT GIT_HASH_SHA256
+#else
+# define GIT_HASH_DEFAULT GIT_HASH_SHA1
+#endif
+
/* Legacy hash algorithm. Implied for older data formats which don't specify. */
#define GIT_HASH_SHA1_LEGACY GIT_HASH_SHA1
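Review bot: The comment `/* Default hash algorithm if unspecified. */` above the new `#ifdef` no longer tells a reader that the value depends on how the binary was built, which matters to anyone auditing which hash a given build uses when none is specified. I would extend it to `/* Default hash algorithm if unspecified: SHA-256 when built WITH_BREAKING_CHANGES, SHA-1 otherwise. */`. It would also help to state on the `GIT_HASH_SHA1_LEGACY` comment that it intentionally stays SHA-1 regardless of this switch, since data formats that carry no algorithm identifier must still be read as SHA-1.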
diff --git a/t/test-lib.sh b/t/test-lib.sh
index be71890678..315543f293 100644
--- a/t/test-lib.sh
+++ b/t/test-lib.sh
@@ -536,7 +536,7 @@ export GIT_COMMITTER_EMAIL GIT_COMMITTER_NAME
export GIT_COMMITTER_DATE GIT_AUTHOR_DATE
export EDITOR
-GIT_TEST_BUILTIN_HASH=sha1
+GIT_TEST_BUILTIN_HASH=$("$GIT_BUILD_DIR/git" version --build-options | sed -ne 's/^default-hash: //p')
GIT_DEFAULT_HASH="${GIT_TEST_DEFAULT_HASH:-$GIT_TEST_BUILTIN_HASH}"
export GIT_DEFAULT_HASH
GIT_DEFAULT_REF_FORMAT="${GIT_TEST_DEFAULT_REF_FORMAT:-files}"
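Review bot: The new `GIT_TEST_BUILTIN_HASH=$(...)` assignment has no explicit failure check: the pipeline's status is that of `sed`, so a failing `git version --build-options`, or output without a `default-hash:` line, just leaves the variable empty. The commit message relies on later tests failing loudly, but when `GIT_TEST_DEFAULT_HASH` is set the `:-` fallback on the next line is never used, so an empty built-in value would presumably go unnoticed in that configuration. A guard directly after the assignment makes the failure immediate and readable, for example `test -n "$GIT_TEST_BUILTIN_HASH" || { echo >&2 "error: cannot determine default-hash from build options"; exit 1; }`. Separately, the value is read from `$GIT_BUILD_DIR/git`; if the suite is pointed at a different installed binary, its built-in default may not match, which is worth a comment on this line.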