SHA-1 and changeset signatures

Eric Hopper hopper at
Fri Aug 26 18:21:45 CDT 2005

On Fri, Aug 26, 2005 at 04:13:00PM -0700, Matt Mackall wrote:
> Ok, at I've found two .ps files
> that meet this description.
> This essentially matches one of the scenarios I described earlier:
> The files are identical except for the hash blocks and contain a
> Postscript program that decides which message to show based on the
> hash. So both versions contain the 'exploit' and the attack is
> contingent upon someone signing it anyway.
> But it does in fact prove me wrong. I would not expect the average
> person to look at the contents of a .ps file, or even to become
> suspicious if they saw binary junk in there they didn't understand.

:-(  Well, thought I was more right than that.  I'm going to have to do
much more careful research on MD5 and SHA-1.

My basic tenant, and the reason I hadn't done more careful research, is
that when an algorithm like that is sublty broken it is very difficult
to think through all the scenarios in which that subtle brokenness can
or can't be exploited, and the algorithm should just be tossed.

That was proven right.  But my ideas on the functioning of SHA-1 and MD5
weren't, though they weren't proven wrong either.  :-(  I just uses
'em.  I don't analyze them for a living.  *sigh*

"It does me no injury for my neighbor to say there are twenty gods or no God.
It neither picks my pocket nor breaks my leg."  --- Thomas Jefferson
"Go to Heaven for the climate, Hell for the company."  -- Mark Twain
-- Eric Hopper (hopper at --
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url :

More information about the Mercurial mailing list