6

Supposing that I have the commit hash but I don't have any access to the git repository, is it possible to get the time when the commit was made?

How can this be done?

According to this answer, the commit hashes contain dates and times when they were done.

Example:

1484e89060b2043be0b71209bacc2254161f1a8f was made on Wed Sep 3 09:30:59 2014 +0300.

Community
  • 1
  • 1
Ionică Bizău
  • 109,027
  • 88
  • 289
  • 474
  • what do you mean no access to git repository? remote? local? – Davin Tryon Sep 03 '14 at 11:13
  • @DavinTryon I don't have read access to the git repository where the commit was made (if I had, I would only do a `git show foo`) – Ionică Bizău Sep 03 '14 at 11:15
  • The answer you quote doesn't quite say it contains the hash -- it says it is generated from data that includes the date (and author, message, patch, etc.). – Drew Noakes Sep 03 '14 at 11:34
  • @DrewNoakes Yes, but I was thinking that the hash can be parsed somehow. For example, Mongo ObjectIDs contain dates and they can be parsed. – Ionică Bizău Sep 03 '14 at 11:37
  • I have edited my answer: the project gitbrute might come close of what you are looking for, but without any guarantee. – VonC Sep 03 '14 at 11:43

3 Answers3

5

As mentioned in "Are there any dangers in exposing git sha1 commit hashes?":

There is absolutely no way you can correlate the SHA 1 hash of a git commit to the actual contents of the commit.

Though SHA-1 is nominally one-way, this would theoretically allow an attacker, who wants to guess the contents of an object, to verify whether his guess is correct or not.
This would entail guessing exactly, down to the last bit, including time stamps and other similar things.

So if you don't have access to the full git repo, that seems not possible.

As mentioned in this thread, the only thing you could do with a SHA1 is find a content with the same SHA1:

The term "reverse" is not the right word to use.
What is meant is that you can generate another input for which the SHA1 output matches your other SHA1 output. This is because SHA1 has collisions.

So "foo" could hash to 1 and "bar" could hash to 1 also.
It doesn't mean 1 means foo, but it means if your password is foo, bar works too when hashed and compared against a stored hash.

If the original input is not very short, it's extremely unlikely that an input with the same SHA-1 hash could be found.
These attacks work because the passwords are weak and SHA-1 is fast to compute, not due to any weakness of SHA-1 as a cryptographic hash function.

Note: that (finding a content with the same SHA1) is actually what the project bradfitz/gitbrute does (for "fun")

gitbrute brute-forces a pair of author+committer timestamps such that the resulting git commit has your desired prefix.

It will find the most recent time that satisfies your prefix.

I mentioned it in "How would git handle a SHA-1 collision on a blob?"

Community
  • 1
  • 1
VonC
  • 1,262,500
  • 529
  • 4,410
  • 5,250
  • `gitbrute` seems to be a cool project. How can I use it? I already built the file (`go gitbrute.go`). – Ionică Bizău Sep 03 '14 at 12:38
  • @IonicăBizău simply pass your SHA1 – VonC Sep 03 '14 at 12:39
  • `./gitbrute 1484e89060b2043be0b71209bacc2254161f1a8f` doesn't output anything. – Ionică Bizău Sep 03 '14 at 12:42
  • @IonicăBizău `gitbrute -h` will give you the options: `gitbrute -prefix=xxx` (see https://github.com/bradfitz/gitbrute/blob/master/gitbrute.go#L36-L38) – VonC Sep 03 '14 at 12:43
  • I already tried that, but I don't understand the usage. How can I generate [a commit like this](https://github.com/bradfitz/deadbeef/commit/deadbeefa1a98280231197b184c6d7ea4d2a7055) and how is gitbrute useful in finding information about commit, passing its hash? – Ionică Bizău Sep 03 '14 at 12:45
  • @IonicăBizău from what I see (https://github.com/bradfitz/gitbrute/blob/master/gitbrute.go#L53-L58), it must be done in a repo with one commit including a file with the right content and the right author: it then compute the most recent timestamp that would satisfy the SHA1 passed in `-prefix` option. – VonC Sep 03 '14 at 12:56
  • In mathematical terms (j'étale ma science), you would say that the function "f: commit contents -> commit ID" is not *one-to-one* `:)` – jub0bs Sep 04 '14 at 17:42
2

You probably think that the git commit ID is somehow encrypted data containing some information. But the Git commit IDs are hashes:

[...] is the SHA-1 hash — a checksum of the content you’re storing plus a header (from here)

Also from the cryptograpic theory we know that hashes have the Non-invertible property.

So it is not possible to get any information about the commit from the ID alone.

Gabriel Petrovay
  • 20,476
  • 22
  • 97
  • 168
0

Here you go

git log -2 --pretty=tformat:%aD:%H 1484e89060b2043be0b71209bacc2254161f1a8f

%aD gives you the authored Date.

You can add other options like 

%cn: committer name
%an: author name

git log -2 --pretty=tformat:%aD:%cn:%an:%H 1484e89060b2043be0b71209bacc2254161f1a8f

If you wish to use abbreviated Hash, use %h instead of %H

You execute this via git command shell.

Vinay Veluri
  • 6,671
  • 5
  • 32
  • 56