SHA-1 and changeset signatures

Chad Netzer cnetzer at
Fri Aug 26 18:18:41 CDT 2005

On Fri, 2005-08-26 at 15:50 -0700, Eric Hopper wrote:

> I found it, and it's MD5, not SHA-1.

Ah.  Apples and oranges...

> But, SHA-1 is just as vulnerable to this exact kind of attack.

No, it isn't.  At least, it isn't yet known to be.  It has so far only
been shown to be much less vulnerable to MD5, but much more vulnerable
than designed to be.  It is that simple, and it is not useful state the
level of vulnerabily of MD5 as though it is the same as SHA-1.

Is SHA-1 truly vulnerable enough so that wealthy entities can
successfuly attack it?  I don't know.  But if anyone wants to spend the
money to try and put malicious code into a Mercurial repository, I'm
willing to attempt to do the work using legitimate means (ie. hosting a
project, letting it grow to enormous popularity, then inserting
malicious code by a commit) for no more than half the investment. :)
I'll take cash, bank check, or gold bullion.

BTW, I found some of the postscript files you mentioned, after some web
googling.  They are attacks against MD5, not SHA-1, of course.  It is
interesting that MD5 attacks have gotten so far, but I stopped relying
on md5sum a while back.  Eventually, I may have to stop relying on
sha1sum as well...


More information about the Mercurial mailing list