signing web pages (simple way?)
RJ Marquette
rj@rmarq.pair.com
Tue Jun 19 02:26:01 2001
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 18 Jun 2001, Evan Prodromou wrote:

> You know, there are a number of mechanisms for signing HTML with
> OpenPGP signatures, but each one has niggling little problems.

I wrote a program a few years back for Windows that used PGP 2.6.x
versions. It took your webpage as input, added --> and <!--
to the beginning and end of the file (respectively), signed the file, then
added <!-- and --> to the beginning and end of the file.

Voila. Signed page, invisible to viewer. I think I even wrote a bash
script to do it with gpg under Linux, but the solution is trivial, and
could be reproduced by anyone familiar with copy and cat commands.
(Solution below.)

And, it worked fine. For Netscape users (under Windows), you'd view the
source, hit Control-A then Control-C (Select all, copy), then use PGP Tray
to verify the clipboard.

I should start signing pages again. It was a nice touch (though I doubt
anyone ever actually verified the signatures).

The DOS program that worked under Windows is still available on my
website, but I don't have a link to it anywhere on the pages, so you'll
have to use this direct link: http://rmarq.pair.com/pgp/pgpsign.zip. I
don't think the source is included, because the program was more of a
quick and dirty solution.

One gripe people had that I didn't overcome is that you had to enter your
passphrase for each page you signed. I didn't want to get into the
security implications required when you start remembering passphrases, so
I felt it was better to just let PGP handle it.

Since it's short, here's the script. (FYI, it was a LOT harder to write
in Pascal under DOS than it was in bash, but the Pascal version would
automatically clear an old signature before re-signing it, so I guess
it's not quite the same.)

- ------
#!/bin/sh
# gpgsign script. Use gpgsign inputfilename outputfilename
# input CAN'T be the same as output
#
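# Close the HTML comment that will hide the PGP header, then add the page
echo "-->" > temp.txt
cat "$1" >> temp.txt
# Open the HTML comment that will hide the PGP signature block
echo "<!-- PGP Comment" >> temp.txt
# Clearsign; gpg prompts for the passphrase and writes temp.txt.asc
gpg --clearsign temp.txt || { rm -f temp.txt; exit 1; }
# Wrap the signed text so the PGP header and signature sit inside comments
echo "<!-- PGP Comment" > temp2.txt
cat temp.txt.asc >> temp2.txt
echo "-->" >> temp2.txt
mv temp2.txt "$2"
rm temp.txt temp.txt.asc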
- ------
No warranties or liabilities...if you zap the only copy of your home page
with this little doodad, too bad. Insert other standard software
disclaimers.
RJ <G> :)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
RJ Marquette rj(at)rmarq.pair.com RSA:448B035F DSS:CB45C555
My PGP and Skating pages: http://rmarq.pair.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: pgpenvelope - http://www.uiuc.edu/ph/www/ftobin/resources.html
iD8DBQE7Lpth0DB5TMtFxVURAmOvAJ95VsE9oCoYqDxoORAqwmGttxaGcwCePSUV
GsgV9eSJY+53B//KSn0Wa3Q=
=3e7d
-----END PGP SIGNATURE-----
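
The post mentions that the Pascal version cleared an old signature before re-signing, which the shell script does not do. As an added example (not the author's code), the functions below recover the original page from a file in the layout that script writes, undoing the "- " dash-escaping that clearsigning applies to lines starting with a dash. The names `unsign_page`, `strip_old_signature` and `make_sample` are assumptions of this example, and nothing here verifies the signature.

```shell
#!/bin/sh
# Added example, not from the original post. Recovers the original page from
# a file laid out the way the gpgsign script writes it. It does NOT check the
# signature; it only removes the wrapper and the OpenPGP armor.

# unsign_page FILE: print the original page, or return 1 if FILE does not
# have the expected layout (for instance, it was never signed).
unsign_page() {
    awk '
        BEGIN { state = 0; n = 0 }
        { sub(/\r$/, "") }                              # tolerate CRLF input
        state == 0 { if ($0 == "-----BEGIN PGP SIGNED MESSAGE-----") state = 1; next }
        state == 1 { if ($0 == "") state = 2; next }    # skip "Hash:" headers
        state == 2 && $0 == "-----BEGIN PGP SIGNATURE-----" { state = 3; next }
        state == 2 { sub(/^- /, ""); body[++n] = $0 }   # undo dash-escaping
        END {
            # First and last signed lines are the comment markers added by the script.
            if (state != 3 || n < 2) exit 1
            if (body[1] != "-->" || body[n] != "<!-- PGP Comment") exit 1
            for (i = 2; i < n; i++) print body[i]
        }
    ' "$1"
}

# strip_old_signature IN OUT: write the unsigned page to OUT whether or not
# IN is already signed. Goes through a temp file, so IN and OUT may match.
strip_old_signature() {
    tmp=$(mktemp) || return 1
    { unsign_page "$1" > "$tmp" || cat "$1" > "$tmp"; } && cat "$tmp" > "$2"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# make_sample FILE: write a constructed signed page (placeholder signature
# data, not a real signature) for trying the functions above.
make_sample() {
    printf '%s\n' '<!-- PGP Comment' '-----BEGIN PGP SIGNED MESSAGE-----' \
        'Hash: SHA1' '' '- -->' '<html>' '- --- menu ---' '<p>hi</p>' \
        '</html>' '<!-- PGP Comment' '-----BEGIN PGP SIGNATURE-----' '' \
        'CONSTRUCTED-PLACEHOLDER' '-----END PGP SIGNATURE-----' '-->' > "$1"
}
```

Running `strip_old_signature page.html page.html` before the signing script gives it a clean page, so a second signing pass does not nest one signature inside another.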