SHA-1 and changeset signatures

Benoit Boissinot bboissin at
Fri Aug 26 17:57:21 CDT 2005

On 8/27/05, Chad Netzer <cnetzer at> wrote:
> On Fri, 2005-08-26 at 15:16 -0700, Eric Hopper wrote:
> > The attack is real.  I've personally downloaded two different .ps files
> > that were completely different documents, but had the same hash.  They
> > stuffed in the necessary arbitrary stuff in a 30-60 some odd bytes of
> > comment in each .ps file.
> If those .ps files are not sensitive (i.e. containing personal data,
> etc.), I'd certainly love to see them.  Are you saying they had the same
> md5sum, or the same sha1sum (or something else)?  If the comment data
> was not gibberish, and it was a sha1sum, you may be describing a
> pre-image attack on a well-regarded cryptographic hash function; quite a
> powerful statement indeed.
> Seriously, let me know if I could examine those files; if so, could
> you please email them to me?  Many thanks in advance.
> Chad
It is on the links that were posted:


