signing source code with gpg

Joseph Oreste Bruni jbruni at
Wed Mar 14 18:06:03 CET 2007

In this case a detached signature would be your best bet. You would  
check the detached sig in with the source code. When the source is  
checked out, you could then validate that the source has not changed  
since it was signed. Be careful, though, if you use any embedded  
keywords with your revision control system ($Id$, et al). If the  
revision control system changes the content of the files it will  
invalidate the signature.


On Mar 12, 2007, at 7:02 PM, Nathan Smith wrote:

> Does anyone know if there's a solution to signing source code  
> (using gpg), in
> a way which will still allow the source code to function.  For  
> example for a
> Java file if the GPG signature code be placed within the comments  
> embedded
> within the Java source (ie /* */ ), of within XML comments (ie <!--  
> --> )
> for an XML file.  We are trying to impliment a source signing  
> policy at our
> company, where a developers source code is signed before it is  
> checked into
> our source control system. But of course, the source must still be  
> able to
> compile, and signing must not effect the functionality of the source.
> Thanks.. Nate
> -- 
> View this message in context: 
> code-with-gpg-tf3393462.html#a9447180
> Sent from the GnuPG - User mailing list archive at
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2508 bytes
Desc: not available
Url : /pipermail/attachments/20070314/5d25716c/attachment.bin 

More information about the Gnupg-users mailing list