SHA-1 and changeset signatures

Eric Hopper hopper at omnifarious.org
Fri Aug 26 11:59:27 CDT 2005


On Fri, Aug 26, 2005 at 09:39:54AM -0700, Eric Hopper wrote:
> One thing I would really like to see with Mercurial is the ability to
> verify changesets come from the person they say they come from.  One way
> to do this is to sign the hash for the changeset.  And to some extent,
> this can be handled outside Mercurial, though having a piece of changeset
> meta-data explicitly earmarked for storing such signatures would be
> nice.

Oops, I read the FAQ and hgeditor script, and I feel a bit stupid now.
:-/

And I see that some thinking has gone into SHA-1, but I don't see
anything in the changeset ID that tells you which hash was used to
generate it.

Generating SHA-1 collisions isn't impractical.  I believe there's a
website that will generate them for you.  And I can see a couple of ways
that could really hurt a repository.

First, someone could maliciously generate two changes that hash the same
and cause all kinds of untold difficulties as the unique ids become no
longer unique.  This is especially true since Mercurial can store binary
files.

Secondly, someone could use this as a means of slipping in code past a
review process by having two bits of code that generate the same change
hash and getting one reviewed and the other accepted as a change in the
repository.

Anyway, I'll stop ranting about this now as it's now clear it's been at
least thought about.

Have fun (if at all possible),
-- 
"It does me no injury for my neighbor to say there are twenty gods or no God.
It neither picks my pocket nor breaks my leg."  --- Thomas Jefferson
"Go to Heaven for the climate, Hell for the company."  -- Mark Twain
-- Eric Hopper (hopper at omnifarious.org  http://www.omnifarious.org/~hopper) --
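
The point above about changeset IDs not recording which hash produced them, as an added example that is not part of the original message or Mercurial's code: an ID that carries its algorithm name lets a verifier recompute it and apply a policy to old algorithms. The `algo:hexdigest` format, the function names, the policy table and the hashed layout (sorted parents followed by the changeset text) are assumptions made for illustration.

```python
import hashlib

# Hypothetical policy: algorithms this verifier recognises, and the subset
# it still accepts without a warning.
KNOWN = {"sha1", "sha256", "sha512"}
ACCEPTED = {"sha256", "sha512"}

# Constructed sample input: a null parent and some changeset text.
NULL_PARENT = b"\0" * 20
SAMPLE_TEXT = b"constructed changeset text\n"


def make_id(algo: str, p1: bytes, p2: bytes, text: bytes) -> str:
    """Return an algorithm-tagged ID such as 'sha256:ab12...'."""
    if algo not in KNOWN:
        raise ValueError(f"unknown hash algorithm: {algo}")
    h = hashlib.new(algo)
    # Assumed layout: parents are sorted so the ID ignores parent order.
    for parent in sorted((p1, p2)):
        h.update(parent)
    h.update(text)
    return f"{algo}:{h.hexdigest()}"


def verify_id(tagged_id: str, p1: bytes, p2: bytes, text: bytes) -> str:
    """Classify an ID as 'ok', 'weak-algorithm', 'mismatch' or 'malformed'."""
    algo, sep, _digest = tagged_id.partition(":")
    if not sep or algo not in KNOWN:
        # A bare hex string cannot say which hash produced it.
        return "malformed"
    if make_id(algo, p1, p2, text) != tagged_id:
        return "mismatch"
    # The digest matches; the policy decides whether that is enough.
    return "ok" if algo in ACCEPTED else "weak-algorithm"


if __name__ == "__main__":
    for algo in ("sha1", "sha256"):
        cid = make_id(algo, NULL_PARENT, NULL_PARENT, SAMPLE_TEXT)
        print(cid, "->", verify_id(cid, NULL_PARENT, NULL_PARENT, SAMPLE_TEXT))
```

A signature made over the tagged ID then also commits to the algorithm, so a verifier can tell a signature that depends on SHA-1 from one that does not.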