signing source code with gpg

Peter S. May me at psmay.com
Wed Mar 14 18:02:23 CET 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

There are certainly some hacks you could try out, but they would be
somewhat error-prone.  The easiest and most secure way to go about this
would probably be to --detach-sign instead of doing a cleartext signature.

If you require a cleartext signature, reconsider your design.

If you still require a cleartext signature, _reconsider your design_.

If you _still_ require a cleartext signature, here's something that
would clearsign a (slightly modified) Java file and still compile:

echo "/*" > startcomment.tmp
echo "*/" > endcomment.tmp
cat endcomment.tmp HelloWorld.java startcomment.tmp | \
gpg --not-dash-escaped --no-escape-from-lines --clearsign | \
cat startcomment.tmp - endcomment.tmp > HelloWorld.signed.java

The signed part itself is not valid Java, but the result of the message
after signing is.  If you were to actually use this, anyone who verifies
your code will be required to make sure nothing substantive occurs
before or after the signed part (i.e., nothing before the start line
except /* and nothing after the end line except */); it would be easy to
sneak in some bad code.  Additionally, your verifiers would need GnuPG
to verify since the NotDashEscaped extension is included.  Between these
two factors it's really just way better to --detach-sign the code.

HTH
PSM

Nathan Smith wrote:
> Does anyone know if there's a solution to signing source code (using gpg), in
> a way which will still allow the source code to function?  For example, for a
> Java file, could the GPG signature be placed within the comments embedded
> within the Java source (i.e. /* */), or within XML comments (i.e. <!-- -->)
> for an XML file?  We are trying to implement a source signing policy at our
> company, where a developer's source code is signed before it is checked into
> our source control system.  But of course, the source must still be able to
> compile, and signing must not affect the functionality of the source.
> Thanks.. Nate

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFF+CqVei6R+3iF2vwRCu8eAJ4syVjBDxg/QHlSUiUAF/oI6gpwfgCeKbhl
v3wwib/RPRWchIT7BUEn7Xk=
=RJd8
-----END PGP SIGNATURE-----
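The post's own warning is the important part of the trick: gpg checks only the text inside the armored block, while javac compiles the whole file, so a verifier has to confirm that the bytes outside the signed block are exactly the "/*" and "*/" wrapper and nothing else. The following is an added example (not code from the post or from GnuPG) of that wrapper check in Python, run against a constructed HelloWorld.signed.java with a placeholder signature; the sample contents, the tampered variants and the function names are all assumptions made for the example. It does not replace `gpg --verify`, which still has to be run on the block to check the signature itself.

```python
"""Wrapper check for a Java file clearsigned with the post's pipeline.

Added example, not from the mailing-list post or from GnuPG.  The layout it
expects is exactly what the post's pipeline produces:

    /*                                  <- startcomment.tmp, unsigned
    -----BEGIN PGP SIGNED MESSAGE-----  <- gpg verifies from here ...
    ...
    -----END PGP SIGNATURE-----         <- ... to here
    */                                  <- endcomment.tmp, unsigned

Everything outside the block is compiled by javac but never seen by gpg, so
it must be nothing but the two comment delimiters.
"""

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----\n"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----\n"
END_SIG = "-----END PGP SIGNATURE-----\n"
START_COMMENT = "/*\n"   # contents of startcomment.tmp in the post
END_COMMENT = "*/\n"     # contents of endcomment.tmp in the post


class UnsignedCodeError(ValueError):
    """Bytes outside the signed block are not just the comment wrapper."""


def split_signed_java(text):
    """Return (prefix, block, suffix): the unsigned head, the armored block, the unsigned tail."""
    start = text.find(BEGIN_SIGNED)
    end = text.find(END_SIG)
    if start < 0 or end < start:
        raise ValueError("no clearsigned block found")
    end += len(END_SIG)
    return text[:start], text[start:end], text[end:]


def check_wrapper(text):
    """Return the armored block, or raise if anything else is outside it."""
    prefix, block, suffix = split_signed_java(text)
    if prefix != START_COMMENT:
        raise UnsignedCodeError("unsigned bytes before the signed block: %r" % prefix)
    if suffix != END_COMMENT:
        raise UnsignedCodeError("unsigned bytes after the signed block: %r" % suffix)
    return block


def wrapper_ok(text):
    """Boolean form of check_wrapper for callers that just want a verdict."""
    try:
        check_wrapper(text)
    except (UnsignedCodeError, ValueError):
        return False
    return True


def original_java(block):
    """Undo the post's wrapping: the signed text is '*/' + HelloWorld.java + '/*'.

    Assumes the block was made with --not-dash-escaped, as in the post, so
    the signed text can be taken literally without dash-unescaping.
    """
    header_end = block.index("\n\n", len(BEGIN_SIGNED)) + 2  # blank line ends the Hash:/NotDashEscaped headers
    text = block[header_end:block.index(BEGIN_SIG)]
    if not (text.startswith(END_COMMENT) and text.endswith(START_COMMENT)):
        raise ValueError("signed text is not wrapped as '*/ ... /*'")
    return text[len(END_COMMENT):-len(START_COMMENT)]


# Constructed sample (assumption): what the post's pipeline would produce for a
# one-class HelloWorld.java.  The signature armor is a placeholder, not a real
# signature; gpg --verify is still the step that checks that part.
GOOD = (
    "/*\n"
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA512\n"
    "NotDashEscaped: You need GnuPG to verify this message\n"
    "\n"
    "*/\n"
    "public class HelloWorld {\n"
    "    public static void main(String[] args) {\n"
    "        System.out.println(\"Hello\");\n"
    "    }\n"
    "}\n"
    "/*\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "Version: GnuPG v1.4.7 (GNU/Linux)\n"
    "\n"
    "placeholder-signature-data\n"
    "=XXXX\n"
    "-----END PGP SIGNATURE-----\n"
    "*/\n"
)

# Constructed attacks: code smuggled outside the signed block.  gpg --verify
# still succeeds on both (the block is untouched) and javac compiles the lot.
TAMPERED_BEFORE = "import evil.Backdoor;\n" + GOOD
TAMPERED_AFTER = GOOD + "class Backdoor { static { System.exit(1); } }\n"


if __name__ == "__main__":
    print(original_java(check_wrapper(GOOD)))
    for sample in (TAMPERED_BEFORE, TAMPERED_AFTER):
        try:
            check_wrapper(sample)
        except UnsignedCodeError as err:
            print("rejected:", err)
```

Run the wrapper check first and only then hand the file to `gpg --verify`; a file that passes gpg but fails the wrapper check is exactly the "sneak in some bad code" case the post describes. With a detached signature none of this is needed, because the signature covers the whole file as checked in.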


