SHA-1 and changeset signatures

Eric Hopper hopper at
Fri Aug 26 17:16:51 CDT 2005

On Fri, Aug 26, 2005 at 02:40:38PM -0700, Matt Mackall wrote:
> I don't think this is correct.
> The attack finds two completely arbitrary texts, X and Y, that hash to
> the same value, with absolutely no control over the content of X or Y.
> In other words, the end result is two meaningless blobs X and Y.

The texts do not have to be arbitrary.  Parts of both texts do have to
be arbitrary, but not the entire text.  And in several common binary
filetypes (.pdf and .jpg come to mind), there are ways to insert globs
of garbage that will be completely ignored by the viewer.

Also, another possible exploit is one that just DoS's Mercurial by
having two changesets with the same hash.

The attack is real.  I've personally downloaded two different .ps files
that were completely different documents, but had the same hash.  They
stuffed in the necessary arbitrary stuff in 30-60 some odd bytes of
comment in each .ps file.

Have fun (if at all possible),
"It does me no injury for my neighbor to say there are twenty gods or no God.
It neither picks my pocket nor breaks my leg."  --- Thomas Jefferson
"Go to Heaven for the climate, Hell for the company."  -- Mark Twain
-- Eric Hopper (hopper at --
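
Added example, not part of the original message or of Mercurial: a toy Merkle-Damgard hash with a 24-bit chaining value, showing why only one block of a colliding pair has to be arbitrary while the surrounding text is chosen freely. The toy parameters, function names and sample bytes are assumptions made for illustration; the two outputs differ only in the filler block, and full SHA-1 still tells them apart.

```python
import hashlib
from itertools import count

STATE = 3                 # toy 24-bit chaining value (assumption; SHA-1 uses 160 bits)
BLOCK = 8                 # toy block size in bytes
IV = b"\x00" * STATE

def compress(state, block):
    # Toy compression function: SHA-1 of state+block, truncated to STATE bytes.
    return hashlib.sha1(state + block).digest()[:STATE]

def absorb(state, data):
    # Feed block-aligned data through the chain, one block at a time.
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state

def toy_hash(msg):
    # Merkle-Damgard padding: 0x80, zeros to a block boundary, then the length.
    padded = msg + b"\x80"
    padded += b"\x00" * (-len(padded) % BLOCK)
    padded += len(msg).to_bytes(BLOCK, "big")
    return absorb(IV, padded)

def colliding_blocks(state):
    # Birthday search for two different blocks giving the same next state.
    seen = {}
    for i in count():
        block = i.to_bytes(BLOCK, "big")
        nxt = compress(state, block)
        if nxt in seen:
            return seen[nxt], block
        seen[nxt] = block

def build_pair(prefix, suffix):
    # Only the one filler block differs; prefix and suffix are chosen freely.
    prefix += b" " * (-len(prefix) % BLOCK)
    a, b = colliding_blocks(absorb(IV, prefix))
    return prefix + a + suffix, prefix + b + suffix

# Constructed sample input, not taken from the files mentioned in the message.
X, Y = build_pair(b"%!PS-Adobe-3.0\n%", b"\n(readable text) show\n")
print(X != Y, toy_hash(X) == toy_hash(Y))                    # toy hash comparison
print(hashlib.sha1(X).digest() == hashlib.sha1(Y).digest())  # full SHA-1 comparison
```

Once the chaining values match after the filler block, every identical byte that follows keeps them matched, which is why the suffix and the length padding do not disturb the collision.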