Sign your source code (was Re: why we need source code (was Re: RC5 crack))
In <[email protected]>, on 06/22/97
at 09:14 AM, Adam Back <[email protected]> said:
>- those running the rc5 crack don't sign their binaries (presumably
> because they don't use PGP, or don't know what it is or something),
> who knows what you're downloading, virus, disk formatter, what ever.
> If you had source code, you could verify it yourself at least, even
> if there is no signature.
>- This problem with taking too few keys, if you had the source, and they
> can't be bothered to write instructions, or even brief usage notes,
> you could at least figure out how to use it from the source
It's a shame that more shareware/freeware authors don't sign their code.
I wrote a small Rexx script that signs all my source code, signs the
binaries, creates the zip archive & signs it then creates a wrapper zip
archive for the archive & the detached signature file.
For C, H & CMD files you can clear sign the text files and still be able
to compile them without removing the signatures.
Example Test.C
main(){
.
.
.
}
Add the following to the top and bottom of the file:
*/
main(){
.
.
.
}
/*
Now clearsign the file.
-----BEGIN PGP SIGNED MESSAGE-----
*/
main(){
.
.
.
}
/*
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: cp850
Comment: Registered_User_E-Secure_v1.1b1_ES000000
iQCVAwUBM6m/I49Co1n+aLhhAQGI4gQAgdJ8wU8PZezxO+DHFAzLoMmrnPoi7xBV
4YVGablxDRO16cELE8p2YVaNeZ+dOOLiZYnpZKPoPW2w8Ze7gDxAz5ODJ8ZBd+Ta
x/3o3jkFGednnlJoEQcpS/R4bmoKy9hMzO7KJpXJB8YiWrbbGfiA3YidGMtYhWUf
bDPiuD+rqXI=
=gNYv
-----END PGP SIGNATURE-----
Now add the following to the top and bottom of the message:
/*
-----BEGIN PGP SIGNED MESSAGE-----
*/
main(){
.
.
.
}
/*
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: cp850
Comment: Registered_User_E-Secure_v1.1b1_ES000000
iQCVAwUBM6m/I49Co1n+aLhhAQGI4gQAgdJ8wU8PZezxO+DHFAzLoMmrnPoi7xBV
4YVGablxDRO16cELE8p2YVaNeZ+dOOLiZYnpZKPoPW2w8Ze7gDxAz5ODJ8ZBd+Ta
x/3o3jkFGednnlJoEQcpS/R4bmoKy9hMzO7KJpXJB8YiWrbbGfiA3YidGMtYhWUf
bDPiuD+rqXI=
=gNYv
-----END PGP SIGNATURE-----
*/
Now the PGP Signature has been commented out of the source code so it will
not interfere with compiling. The end user can verify the signature
without any modifications.
I don't know if this will work with other languages that use different
delimiters. It all depends if you have the ability to comment out a block
of text or if you need to add a delimiter to every line.
--
---------------------------------------------------------------
William H. Geiger III http://www.amaranth.com/~whgiii
Geiger Consulting Cooking With Warp 4.0
Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 2.6.3a at: http://www.amaranth.com/~whgiii/pgpmr2.html
---------------------------------------------------------------
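
Added example, not part of the original message: a Python sketch of the comment-wrapping steps described above, plus a pre-signing check for one hazard of the approach. OpenPGP cleartext signing dash-escapes any line that begins with "-" (it is emitted as "- " plus the line), so such a source line reaches the compiler altered. fake_clearsign, the function names and the SAFE/RISKY samples are constructed for illustration; the signer stand-in reproduces only the armor framing and dash-escaping, not a real signature.

```python
import re

def dash_escape(text):
    # OpenPGP cleartext rule: a line starting with '-' is emitted as '- ' + line.
    return "\n".join("- " + l if l.startswith("-") else l for l in text.split("\n"))

def fake_clearsign(text):
    # Constructed stand-in for the real signer: framing and dash-escaping only.
    return ("-----BEGIN PGP SIGNED MESSAGE-----\n\n" + dash_escape(text) +
            "\n-----BEGIN PGP SIGNATURE-----\n\nPLACEHOLDER\n"
            "-----END PGP SIGNATURE-----\n")

def wrap_for_c(source, sign=fake_clearsign):
    # Step 1 (before signing): close-comment on top, open-comment at the bottom.
    inner = "*/\n" + source.strip("\n") + "\n/*"
    # Step 3 (after signing): outer delimiters, which sit outside the armor.
    return "/*\n" + sign(inner) + "*/\n"

def compiler_view(wrapped):
    # What the C compiler sees once block comments are stripped.
    # Simplification: assumes no "/*" or "*/" inside string literals.
    return re.sub(r"/\*.*?\*/", " ", wrapped, flags=re.S)

def lines_changed_by_signing(source):
    # 1-based numbers of source lines that dash-escaping will rewrite.
    return [n for n, l in enumerate(source.split("\n"), 1) if l.startswith("-")]

# Constructed samples: identical code, differing only in indentation of line 3.
SAFE = "int diff(int a, int b){\n  return a\n  - b;\n}\n"
RISKY = "int diff(int a, int b){\n  return a\n- b;\n}\n"

if __name__ == "__main__":
    for name, src in (("SAFE", SAFE), ("RISKY", RISKY)):
        print(name, "lines rewritten by signing:", lines_changed_by_signing(src))
        print(compiler_view(wrap_for_c(src)))
```

In the RISKY sample the compiler sees "return a - - b;", which still compiles but computes a + b, so a release script should refuse to sign (or re-indent) any file for which lines_changed_by_signing returns a non-empty list.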