Securing Source Code Transfers with Git Bundle and SHA-256
When transferring exclusive rights to software, agreements often simply state "the result has been transferred" without detailing the contents. This creates risks for disputes: the client may claim missing features, while the developer asserts otherwise. Git bundle and SHA-256 hashing solve this problem by packaging the repository into a single file with a verifiable identifier.
Creating a Git Bundle: A Complete Repository Dump
Git bundle packages the entire repository—objects, branches, tags, history—into a single binary file. This is a self-contained artifact, independent of external storage.
Command to create:
# Full backup of the entire repository (all branches, all tags)
git bundle create project.bundle --all
The project.bundle file can be cloned as usual:
git clone project.bundle restored-project
Advantages over copying .git:
- A single file for storage, transfer, and signing.
- Complete commit history, authors, and dates.
- Independence from Git hosting services.
Bundle captures the state at creation time, excluding any subsequent changes to the original repository.
Checksum: A Unique Identifier
Any file can be hashed to produce an immutable fingerprint. SHA-256 is preferred: it's collision-resistant, unlike MD5/SHA-1.
Commands for Linux/macOS:
shasum -a 256 project.bundle
For Windows:
certutil -hashfile project.bundle SHA256
The result is a 64-character string, e.g., a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e. Even changing a single bit alters the hash completely.
Integration into Legal Documents
In the agreement, specify:
The work result is transferred as the file project.bundle, checksum (SHA-256): a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e
Sign it with an electronic signature via electronic document management systems, government services (e.g., Gosuslugi with Goskey), or a certification authority. The signature should include a timestamp and visualization in PDF.
The electronic signature not only secures the agreement but also embeds the hash, linking the document to the specific bundle.
Verification in Disputes: Technical Validation
In case of disagreements:
- An expert calculates the SHA-256 of the received
project.bundle. - Compares it with the hash from the agreement.
- Clones the bundle and analyzes the repository: commits, files, functions.
# Restoration for examination
git clone project.bundle restored-project
cd restored-project
git log --oneline -10 # Recent commits
git show HEAD:src/main.py # Specific file
If the hash matches, the code is authentic. A mismatch indicates tampering.
Automating the Process
Script for routine use:
#!/bin/bash
REPO_NAME=project
git bundle create ${REPO_NAME}.bundle --all
HASH=$(shasum -a 256 ${REPO_NAME}.bundle | cut -d' ' -f1)
echo "SHA-256: $HASH"
# Insert $HASH into the agreement and sign
Add a step to CI/CD on release. AI agents can generate agreements with hashes automatically.
Key Points
- Bundle captures the full Git repository: history, branches, tags—without loss.
- SHA-256 ensures cryptographic integrity: collisions are practically impossible.
- Electronic signature with hash makes the agreement technically provable in court.
- The process takes <5 minutes: three commands + signing.
- Dispute risks are minimized: tampering with the bundle is instantly detectable.
— Editorial Team
No comments yet.