Support for SHA256 repositories
SHA1 has been considered an [unsafe hashing algorithm since 2017](https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html). The wider Git community decided to look for a replacement hash function, and chose SHA256. It is currently functional in Git, and is marked experimental only because it lacks the interoperability that would allow a repository with mixed object formats (SHA1 and SHA256) to work together.

However, supporting SHA256 would be advantageous and eventually necessary for FedRAMP. SHA1 has already been retired by NIST, and FedRAMP enforces all the latest NIST and CISA guidance, which includes https://csrc.nist.gov/projects/hash-functions/nist-policy-on-hash-functions. A 12/31/2030 deadline was set, but all Federal agencies were encouraged to use SHA-2 or SHA-3 as soon as possible. SHA-1 is forbidden for generating digital signatures and for anything else requiring collision resistance.

Let's plan to support SHA256 ASAP in GitLab.

### Goal

This epic aims to add support for SHA256 repositories in GitLab. As a v1 MVC, we have certain higher-level requirements:

1. SHA256 repositories pass Gitaly tests
2. SHA256 repositories pass Rails tests
3. SHA256 repositories pass End-to-End tests

### Links / references

https://github.com/git/git/blob/master/Documentation/technical/hash-function-transition.txt