← Back to team overview

launchpad-dev team mailing list archive

Re: Signing the code of conduct


Jonathan Lange wrote:
> >From https://edge.launchpad.net/codeofconduct/1.1/+sign:
> "If you want to, add extra spaces or blank lines between words in the
> file. (This helps protect against other people trying to forge your
> signature.)"
> What?

IIRC, It's a protection against a
<http://en.wikipedia.org/wiki/Birthday_attack>.  The concern is that the text
you are being asked to sign may have been specifically chosen because it will
hash identically to a malicious document that says e.g. “By GPG-signing this
document I authorise EvilCorp to empty my bank accounts and own my first-born

So by making cosmetic changes to the input you make it (even more) unlikely that
someone can take your signature of the CoC and make a fake signature of another
document you never signed.

For maximum paranoia, make sure to use a cryptographically secure PRNG to
determine the whitespace to add :)


Follow ups