signing source code with gpg
Joseph Oreste Bruni
jbruni at mac.com
Wed Mar 14 18:06:03 CET 2007
In this case a detached signature would be your best bet. You would
check the detached sig in with the source code. When the source is
checked out, you could then validate that the source has not changed
since it was signed. Be careful, though, if you use any embedded
keywords with your revision control system ($Id$, et al). If the
revision control system changes the content of the files it will
invalidate the signature.
-Joe
On Mar 12, 2007, at 7:02 PM, Nathan Smith wrote:
>
> Does anyone know if there's a solution to signing source code (using
> gpg) in a way which will still allow the source code to function? For
> example, for a Java file, could the GPG signature be placed within the
> comments embedded within the Java source (i.e. /* */), or within XML
> comments (i.e. <!-- -->) for an XML file? We are trying to implement a
> source signing policy at our company, where a developer's source code
> is signed before it is checked into our source control system. But of
> course, the source must still be able to compile, and signing must not
> affect the functionality of the source.
> Thanks.. Nate
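A worked version of the detached-signature approach Joe describes above, added here and not taken from the thread: the source file is left exactly as written (so it still compiles), an armored `.asc` signature is produced to check in beside it, and a simulated `$Id$` keyword expansion shows why Joe's caveat matters. It assumes `gpg` (GnuPG 2.1+) is on PATH; the throwaway key and the sample `Hello.java` are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): keep the source file untouched and
# commit a detached, ASCII-armored GnuPG signature beside it, then show how
# VCS keyword expansion ($Id$) breaks that signature.
# Assumes: gpg 2.1+ on PATH; the key and sample file below are constructed.
set -eu

# Use a throwaway keyring so the demo never touches the real ~/.gnupg.
setup_keyring() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Source Signing Demo <demo@example.invalid>' \
        default default never 2>/dev/null
}

# Write FILE.asc next to FILE; FILE itself is unchanged, so it still compiles.
sign_source() {
    gpg --batch --yes --quiet --armor --detach-sign --output "$1.asc" "$1"
}

# Exit 0 only if FILE still matches FILE.asc (what a checkout hook would run).
verify_source() {
    gpg --batch --quiet --verify "$1.asc" "$1" 2>/dev/null
}

demo() {
    work=$(mktemp -d)
    f="$work/Hello.java"
    # Constructed sample containing a keyword the VCS may rewrite on checkout.
    printf '/* $Id$ */\npublic class Hello {}\n' > "$f"
    sign_source "$f"
    if verify_source "$f"; then
        echo "fresh checkout: signature OK"
    else
        echo "unexpected: fresh signature failed"; return 1
    fi
    # Simulate keyword expansion rewriting the file contents on checkout.
    sed 's/\$Id\$/$Id: Hello.java 42 2007-03-14 $/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    if verify_source "$f"; then
        echo "unexpected: signature still valid after expansion"; return 1
    else
        echo "after \$Id\$ expansion: signature INVALID, as Joe warns"
    fi
}

# Run the full demo only when invoked directly as: sh sign_demo.sh run
if [ "${1:-}" = run ]; then setup_keyring; demo; fi
```

Checking the `.asc` into the repository alongside the file means the keyword expansion problem also applies to the signature file itself, so exclude both from any keyword substitution (or disable substitution entirely) for signed paths.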