Clearsign of HTML-pages

RJ Marquette rj-lists at rjmarq.org
Thu Oct 9 20:44:06 CEST 2003


On Thu, 9 Oct 2003, Ben Finney wrote:

> HTML documents are atomic; the whole thing is a single entity.  A
> separate signature can be made, as a separate file, but not embedded
> into the document itself.

Not true.  I wrote a script years ago that does just that.  It's available
at http://rjmarq.org/pgp/pgpsign.zip, but note that it's written for
Windows, relies on pgp 2.6, and doesn't really work that well.  I don't
believe the source is included in that package because...well, it was
ugly.  ;)

The algorithm is very simple:

1. Start with the HTML file you want to sign.
2. Add "-->" at the start of the file.
3. Add "<!--" at the end of the file.
4. Clear sign the file.
5. Add "<!--" at the start of the new file.
6. Add "-->" at the end of the file.

And then the page can be checked by viewing and verifying the source.

The solution in Linux and other Unix-style OS's is trivial using a shell
script.  I did it in about five minutes one time.

For Windows, I'd actually written a Pascal program to do it (because I
didn't have a C compiler), but it's not difficult to do.  You can set it
up as an action on the right-click menu to have it happen automatically.

What I ran into was this:  when I stopped doing it on the PGP Interactions
page, no one said a word.  So, if no one is bothering to verify them, why
should I worry about it?

RJ  <G>  :)

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
RJ Marquette  RSA:448B035F DSS:CB45C555
http://rjmarq.org



More information about the Gnupg-users mailing list