
An attack would be if I build two documents with the same hash and get someone to sign one of them.

That is not possible using this attack. This is just a collision attack, not a preimage attack.

It would be good practice anyway, if you routinely sign files other people produce, to add your own blob of randomness as an extra hidden comment to the document you sign.

I don't think people will trust you anymore if you start adding your own data to the documents you sign.



I'm confused, doesn't "collision attack" mean being able to create two (or more) documents with an identical hash? (As opposed to preimage attacks which involve creating documents that have a given hash).

So why would that prevent the attack billpg described?


You are correct. That is exactly why this attack cannot be used to forge documents (at least in a direct way)!

To forge a document, you need to find another document having the same hash. So it is a preimage attack.

Using a collision attack you can find collisions in the hash space, but that is not useful directly.


Wrong sort of attack. My bad.
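An added example, not part of the thread above, making the two attack types and the "add your own randomness before signing" suggestion concrete. In a collision attack the attacker chooses both documents; in a (second-)preimage attack the target digest is fixed by someone else. To keep the searches to seconds the code uses SHA-256 truncated to a few bits as a stand-in hash (an assumption; the cost ratio, roughly 2^(n/2) versus 2^n, is the same for a full-size hash), and a generic birthday search stands in for whatever structured collision technique the article describes. The function names, the IOU sample text and the hidden-comment nonce format are all made up for the illustration.

```python
import hashlib
import os
from typing import Dict, Optional, Tuple


def toy_hash(data: bytes, bits: int) -> int:
    """SHA-256 truncated to the top `bits` bits (assumed stand-in for the real hash)."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)


def find_collision(bits: int, prefix: bytes = b"I owe you $") -> Tuple[bytes, bytes, int]:
    """Collision attack (generic birthday search): the attacker picks BOTH documents.

    Returns (doc_a, doc_b, hashes_computed) with doc_a != doc_b and equal toy hashes.
    Expected cost is about 2**(bits/2) hash evaluations.
    """
    seen: Dict[int, bytes] = {}
    tries = 0
    while True:
        doc = prefix + str(tries).encode()  # a different IOU amount every iteration
        h = toy_hash(doc, bits)
        tries += 1
        if h in seen:
            return seen[h], doc, tries
        seen[h] = doc


def find_preimage(target: int, bits: int, prefix: bytes = b"forged ",
                  max_tries: Optional[int] = None) -> Tuple[Optional[bytes], int]:
    """(Second-)preimage attack: the target digest was fixed by someone else.

    Returns (doc, hashes_computed); doc is None if max_tries ran out.
    Expected cost is about 2**bits hash evaluations, i.e. the square of the collision cost.
    """
    tries = 0
    while max_tries is None or tries < max_tries:
        doc = prefix + str(tries).encode()
        tries += 1
        if toy_hash(doc, bits) == target:
            return doc, tries
    return None, tries


def signed_digest(doc: bytes, bits: int, nonce: Optional[bytes] = None) -> Tuple[bytes, int]:
    """The thread's countermeasure: the signer appends their own random blob as a hidden
    comment and hashes/signs that. The attacker did not know the nonce when computing
    the colliding pair, so the pair is hashed as two fresh, unrelated inputs.
    Comment syntax is a made-up example; use whatever the document format hides."""
    if nonce is None:
        nonce = os.urandom(16)
    stamped = doc + b"\n<!-- signer-nonce: " + nonce.hex().encode() + b" -->\n"
    return nonce, toy_hash(stamped, bits)


def collision_survives_nonce(doc_a: bytes, doc_b: bytes, bits: int,
                             nonce: Optional[bytes] = None) -> bool:
    """True only if the precomputed pair still collides after the signer's nonce is added."""
    if nonce is None:
        nonce = os.urandom(16)
    _, da = signed_digest(doc_a, bits, nonce)
    _, db = signed_digest(doc_b, bits, nonce)
    return da == db


if __name__ == "__main__":
    BITS = 32
    a, b, n = find_collision(BITS)
    print(f"collision after {n} hashes: {a!r} and {b!r} both hash to {toy_hash(a, BITS):#010x}")
    target = toy_hash(b"the document the victim actually signed", 16)
    doc, n = find_preimage(target, 16)
    print(f"16-bit preimage found after {n} hashes: {doc!r}")
    nonce, _ = signed_digest(a, BITS)
    print("pair still collides once the signer adds a nonce:",
          collision_survives_nonce(a, b, BITS, nonce))
```

Run it and the 32-bit collision turns up after a few tens of thousands of hashes, while a 16-bit preimage already needs a comparable number of tries; the same search against a 32-bit target would take about 4 billion. The nonce check fails (returns False) because the attacker's pair was built for `toy_hash(doc)`, not for `toy_hash(doc + nonce)`.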



