Back to Home

Git bundle and SHA-256 for code transfer

The article describes a method of fixing source code transfer using Git bundle and SHA-256. The process includes creating a repository dump, calculating the hash, and integrating it into a signed act. This ensures provability in disputes for developers and customers.

Precise code fixation: bundle + SHA-256 in acts
Advertisement 728x90

Securing Source Code Transfers with Git Bundle and SHA-256

When transferring exclusive rights to software, agreements often simply state "the result has been transferred" without detailing the contents. This creates risks for disputes: the client may claim missing features, while the developer asserts otherwise. Git bundle and SHA-256 hashing solve this problem by packaging the repository into a single file with a verifiable identifier.

Creating a Git Bundle: A Complete Repository Dump

Git bundle packages the entire repository—objects, branches, tags, history—into a single binary file. This is a self-contained artifact, independent of external storage.

Command to create:

Google AdInline article slot
# Full backup of the entire repository (all branches, all tags)
git bundle create project.bundle --all

The project.bundle file can be cloned as usual:

git clone project.bundle restored-project

Advantages over copying .git:

  • A single file for storage, transfer, and signing.
  • Complete commit history, authors, and dates.
  • Independence from Git hosting services.

Bundle captures the state at creation time, excluding any subsequent changes to the original repository.

Google AdInline article slot

Checksum: A Unique Identifier

Any file can be hashed to produce an immutable fingerprint. SHA-256 is preferred: it's collision-resistant, unlike MD5/SHA-1.

Commands for Linux/macOS:

shasum -a 256 project.bundle

For Windows:

Google AdInline article slot
certutil -hashfile project.bundle SHA256

The result is a 64-character string, e.g., a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e. Even changing a single bit alters the hash completely.

Integration into Legal Documents

In the agreement, specify:

The work result is transferred as the file project.bundle, checksum (SHA-256): a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e

Sign it with an electronic signature via electronic document management systems, government services (e.g., Gosuslugi with Goskey), or a certification authority. The signature should include a timestamp and visualization in PDF.

The electronic signature not only secures the agreement but also embeds the hash, linking the document to the specific bundle.

Verification in Disputes: Technical Validation

In case of disagreements:

  • An expert calculates the SHA-256 of the received project.bundle.
  • Compares it with the hash from the agreement.
  • Clones the bundle and analyzes the repository: commits, files, functions.
# Restoration for examination
git clone project.bundle restored-project
cd restored-project
git log --oneline -10  # Recent commits
git show HEAD:src/main.py  # Specific file

If the hash matches, the code is authentic. A mismatch indicates tampering.

Automating the Process

Script for routine use:

#!/bin/bash
REPO_NAME=project
git bundle create ${REPO_NAME}.bundle --all
HASH=$(shasum -a 256 ${REPO_NAME}.bundle | cut -d' ' -f1)
echo "SHA-256: $HASH"
# Insert $HASH into the agreement and sign

Add a step to CI/CD on release. AI agents can generate agreements with hashes automatically.

Key Points

  • Bundle captures the full Git repository: history, branches, tags—without loss.
  • SHA-256 ensures cryptographic integrity: collisions are practically impossible.
  • Electronic signature with hash makes the agreement technically provable in court.
  • The process takes <5 minutes: three commands + signing.
  • Dispute risks are minimized: tampering with the bundle is instantly detectable.

— Editorial Team

Advertisement 728x90

Read Next