signing --load extensions ?

Werner Koch wk at
Tue Sep 22 17:47:41 CEST 1998

Walter Koch <w.koch at> writes:

> does it make sense to sign the loadable extension code? 
> Otherwise it would be easy to put a trojan extension named e.g. 
> "tiger" instead of the true one into the extension "path"?

No.  You would also have to sign /lib/libc*, the gnupg executables
and of course the kernel (and the Xserver and ....).  

To avoid trojan horses, the program should be installed with owner root
and the sysadmin should install tripwire to detect changed code.
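
Added illustration, not part of the original message and not GnuPG or Tripwire code: a minimal sketch of the two controls named in the reply, applied to an extension directory. It checks root ownership with no group/world write access, and compares files against a hash baseline to detect changed code. The function names and the directory passed in are assumptions.

```python
import hashlib
import os
import stat

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(directory):
    """Baseline: {name: sha256} for every regular file in directory."""
    out = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if stat.S_ISREG(os.lstat(path).st_mode):
            out[name] = sha256_file(path)
    return out

def perm_problems(path, owner_uid):
    """Ownership and write-permission problems for one path (not following links)."""
    st = os.lstat(path)
    problems = []
    if st.st_uid != owner_uid:
        problems.append("wrong-owner")
    if not stat.S_ISLNK(st.st_mode) and st.st_mode & WRITABLE_BY_OTHERS:
        problems.append("writable-by-others")
    return problems

def audit(directory, baseline, owner_uid=0):
    """Return (name, problem) findings in name order; an empty list means clean."""
    findings = [(".", p) for p in perm_problems(directory, owner_uid)]
    present = set(os.listdir(directory))
    for name in sorted(present | set(baseline)):
        path = os.path.join(directory, name)
        if name not in present:
            findings.append((name, "missing"))
            continue
        findings += [(name, p) for p in perm_problems(path, owner_uid)]
        if not stat.S_ISREG(os.lstat(path).st_mode):
            findings.append((name, "not-regular-file"))  # symlink, dir, device
        elif name not in baseline:
            findings.append((name, "unexpected"))
        elif sha256_file(path) != baseline[name]:
            findings.append((name, "changed"))
    return findings
```

The baseline returned by `snapshot` is only useful if it is stored where a non-root user cannot rewrite it, for example on read-only media.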

