by Darkstryder 1361 days ago
To me this can be done with a simple collision attack (assuming you can fiddle with some bytes inside the manifest file while freezing everything else in advance), which can be found in under a second for MD5 with a laptop, and a few hundred thousand dollars of cloud resources for SHA1.

No, that takes a preimage attack, which doesn't exist (yet? I'm not too optimistic, personally).

It could maaaaaaaybe be done using multiple collisions that exploit the structure of a DEFLATE-compressed stream, so that you can control the extracted zip contents on a byte-by-byte basis - but I haven't figured that out just yet. Watch this space!

I don’t understand how this is a pre-image attack, as the manifest file only references itself (and not the zip file) and you can fiddle with the manifest file to your liking. To me this is the same theoretical problem as this self-referencing PNG file.

How do you fiddle with the manifest without changing the MD5?

You do want to change the MD5 of the manifest. This is what makes it a collision attack instead of a preimage attack.

Change it to what? A specific pre-determined value? That's a preimage.

This is indeed a preimage attack if the manifest content (besides its own self-referenced hash) is fixed. However this is not the case in practice: to pull off this trick you could just append some random bytes at the end of the manifest, disguised as ASCII art or something like that. The manifest would still be human readable and correct, but this would become a collision attack.

Again, to me this is the exact same problem as this self-referential PNG file, which is a very cool trick but which can be (demonstrably) computed with limited compute resources.
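
Added example, not part of the thread and not any commenter's code: the two generic search costs being argued about, measured on a toy digest. It assumes a 16-bit truncation of MD5 (`toy_hash`), a constructed manifest layout (`build_manifest`) and a fixed claimed digest of `0000`, and it does not model the multi-collision idea raised above.

```python
import hashlib
from itertools import count

HEX_DIGITS = 4  # toy digest: first 16 bits of MD5 (assumption, keeps the search fast)


def toy_hash(data: bytes) -> str:
    """Truncated MD5, used only so both searches finish in seconds."""
    return hashlib.md5(data).hexdigest()[:HEX_DIGITS]


def find_collision():
    """Birthday search: any two different inputs with the same toy digest."""
    seen = {}
    for tries in count(1):
        msg = b"msg-%d" % tries
        digest = toy_hash(msg)
        if digest in seen:
            return seen[digest], msg, tries
        seen[digest] = msg


def build_manifest(claimed: str, nonce: int) -> bytes:
    """Constructed manifest: one line naming its own digest, plus free padding."""
    return b"manifest.txt %s\n# padding %d\n" % (claimed.encode(), nonce)


def find_self_reference(claimed: str = "0" * HEX_DIGITS):
    """Vary only the padding until the manifest hashes to the digest it claims."""
    for tries in count(1):
        manifest = build_manifest(claimed, tries)
        if toy_hash(manifest) == claimed:
            return manifest, tries


if __name__ == "__main__":
    a, b, c_tries = find_collision()
    manifest, s_tries = find_self_reference()
    print(f"collision after {c_tries} hashes: {a!r} / {b!r}")
    print(f"self-referencing manifest after {s_tries} hashes:")
    print(manifest.decode(), end="")
```

For an n-bit digest the birthday search needs on the order of 2^(n/2) hashes and the padding search on the order of 2^n, so the gap between the two printed counts widens quickly as `HEX_DIGITS` grows.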