Comment 0 for bug 3996

Currently, in order to sign a code of conduct I am asked to download a copy of the document and generate a gpg clearsignature of it. I then upload the clearsignature. Launchpad checks the following:

  1. The document has been signed by a GPG key on file.
  2. The signature is valid.
  3. The SHA1 sum of the original document is the same as the SHA1 sum of the document that I've signed.

The problem is check #3.

If I sign any document that is presented to me than I am opening myself up to the possibility of a birthday attack. Without getting into too many technical details, a birthday attack (in this context) is a method of obtaining two documents that hash to the same value with substantially less difficulty than obtaining a document that hashes to a given value.

Specifically, someone could generate a text document which states "I agree to give all of my money to Alice" and one that looks surprisingly like a valid code of conduct. By then making minor changes to each of the two documents (introduction of white space, changing line wrapping, changes in wording, etc) the attacker can use the principle of a birthday attack to find two documents with the same hash value.

By signing the document as it is presented to me I am now effectively signing both documents (and therefore agreeing to give all of my money to Alice).

For this reason, it is recommended by many security experts that before signing any document that is presented to you to be signed, you make some cosmetic adjustments to it (insertion of white space, etc) in order to change the hash value and prevent yourself from being attacked in this way. This approach is recommended, for example, by Bruce Schneier (Counterpane).

Launchpad should support the verification of signed codes of conduct which have had cosmetic changes made to them. Until the time that such a feature is introduced, everyone would be wise to refuse to sign the code.