1997-06-22 - Sign you source code (was Re: why we need source code (was Re: RC5 crack))

Header Data

From: “William H. Geiger III” <whgiii@amaranth.com>
To: Adam Back <aba@dcs.ex.ac.uk>
Message Hash: 2c65dc651524afc44f53bb53fd152e7cb4ac752cea9bc2d6703ce8b8505ba345
Message ID: <199706221643.LAA06619@mailhub.amaranth.com>
Reply To: <199706220814.JAA06026@server.test.net>
UTC Datetime: 1997-06-22 16:54:00 UTC
Raw Date: Mon, 23 Jun 1997 00:54:00 +0800

Raw message

From: "William H. Geiger III" <whgiii@amaranth.com>
Date: Mon, 23 Jun 1997 00:54:00 +0800
To: Adam Back <aba@dcs.ex.ac.uk>
Subject: Sign you source code (was Re: why we need source code (was Re: RC5 crack))
In-Reply-To: <199706220814.JAA06026@server.test.net>
Message-ID: <199706221643.LAA06619@mailhub.amaranth.com>
MIME-Version: 1.0
Content-Type: text/plain



In <199706220814.JAA06026@server.test.net>, on 06/22/97 
   at 09:14 AM, Adam Back <aba@dcs.ex.ac.uk> said:

>- those running the rc5 crack don't sign their binaries (presumably
>  because they don't use PGP, or don't know what it is or something),
>  who knows what you're downloading, virus, disk formatter, what ever.
>  If you had source code, you could verify it yourself at least, even
>  if there is no signature.

>- This problem with taking too few keys, if you had the source, and they
>  can't be bothered to write instructions, or even brief usage notes,
>  you could at least figure out how to use it from the source

It's a shame that more shareware/freeware authors don't sign their code.

I wrote a small Rexx script that signs all my source code, signs the
binaries, creates the zip archive & signs it then creates a wrapper zip
archive for the archive & the detached signature file.

For C, H & CMD files you can clear sign the text files and still be able
to compile them without revmoving the signatures.

Example Test.C

  main(){
  .
  .
  .
  }

Add the following to the top and bottom of the file:

  */

  main(){
  .
  .
  .
  }

  /*

Now clearsign the file.


  -----BEGIN PGP SIGNED MESSAGE-----
  */

  main(){
  .
  .
  .
  }

  /*
  -----BEGIN PGP SIGNATURE-----
  Version: 2.6.3a
  Charset: cp850
  Comment: Registered_User_E-Secure_v1.1b1_ES000000

  iQCVAwUBM6m/I49Co1n+aLhhAQGI4gQAgdJ8wU8PZezxO+DHFAzLoMmrnPoi7xBV
  4YVGablxDRO16cELE8p2YVaNeZ+dOOLiZYnpZKPoPW2w8Ze7gDxAz5ODJ8ZBd+Ta
  x/3o3jkFGednnlJoEQcpS/R4bmoKy9hMzO7KJpXJB8YiWrbbGfiA3YidGMtYhWUf
  bDPiuD+rqXI=
  =gNYv
  -----END PGP SIGNATURE-----


Now add the following to the top and bottom of the message:

  /*
  -----BEGIN PGP SIGNED MESSAGE-----
  */

  main(){
  .
  .
  .
  }

  /*
  -----BEGIN PGP SIGNATURE-----
  Version: 2.6.3a
  Charset: cp850
  Comment: Registered_User_E-Secure_v1.1b1_ES000000

  iQCVAwUBM6m/I49Co1n+aLhhAQGI4gQAgdJ8wU8PZezxO+DHFAzLoMmrnPoi7xBV
  4YVGablxDRO16cELE8p2YVaNeZ+dOOLiZYnpZKPoPW2w8Ze7gDxAz5ODJ8ZBd+Ta
  x/3o3jkFGednnlJoEQcpS/R4bmoKy9hMzO7KJpXJB8YiWrbbGfiA3YidGMtYhWUf
  bDPiuD+rqXI=
  =gNYv
  -----END PGP SIGNATURE-----
  */

Now the PGP Signature has been commented out of the source code so it will
not interfere with compiling. The end user can verify the signature
without any modifications.

I don't know if this will work with other languages that use different
dilimiters. It all depends if you have the ability to comment out a block
of text or if you need to add a dilimiter to every line.


-- 
---------------------------------------------------------------
William H. Geiger III  http://www.amaranth.com/~whgiii
Geiger Consulting    Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 2.6.3a at: http://www.amaranth.com/~whgiii/pgpmr2.html                        
---------------------------------------------------------------






Thread