Mailing List Archive

clearsigning perl ?
It is good practice to provide a gpg signature for programs you've
released, right ?

I have a few small perl programs at http://www.chaosreigns.com/code/ that
are just a single .pl file... no need for a tarball... and perl is
plaintext, so I figured, why not include the signature in the .pl ?

The result: http://www.chaosreigns.com/code/apache2dot/apache2dot.sig.pl


What I did was:

* replace the 1st line (#!/usr/bin/perl) with "=cut"
* put "=head2" on the last line
* gpg --clearsign file.pl
* add the following 2 lines to the top:
#!/usr/bin/perl
=head1

It works. The program functions, and the signature verifies successfully.

Is there a better way to do this ? Should I sign all my single .pl
programs like this ?

I realize this means the lines at the beginning of the program, which
could be maliciously modified to do bad things, are not verified. I think
I would mention what they should look like on the last lines before the
signature, and provide a url to my public key.

I wish there was a way to clearsign a message without the "BEGIN PGP
SIGNED MESSAGE" stuff... (verification failed when I tried removing it)
-- like, just consider everything from the first line to be part of the
signed message.


My public key is at http://www.chaosreigns.com/darxus.asc


And somebody really needs to put directions on subscribing to these
lists on http://lists.gnupg.org.

--
http://www.ChaosReigns.com

--
Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
with a subject of "unsubscribe" to gnupg-users-request@gnupg.org
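The weak spot the post itself names is that the shebang and the "=head1" line sit outside the clearsign armor, so gpg never sees them. The check below is an added example, not code from the post or from the chaosreigns.com scripts: it splits a .sig.pl laid out exactly as the four steps describe, refuses anything unsigned beyond the two expected lines, confirms the signed part is still bracketed by the "=cut" / "=head2" POD markers, and hands back the armored block that should then go to gpg --verify. The sample file and its placeholder signature are constructed for the example.

```python
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"
# The only two lines the scheme leaves outside the armor; anything else in
# front of it runs as unsigned Perl and must be rejected.
EXPECTED_PREFIX = ["#!/usr/bin/perl", "=head1"]

def split_signed_script(text):
    """Split a .sig.pl into (unsigned prefix lines, armored block, trailing lines)."""
    lines = text.splitlines()
    if BEGIN_MSG not in lines or END_SIG not in lines:
        raise ValueError("no clearsign armor found")
    start, end = lines.index(BEGIN_MSG), lines.index(END_SIG)
    return lines[:start], "\n".join(lines[start:end + 1]) + "\n", lines[end + 1:]

def signed_text(text):
    """The lines gpg actually signed: after the blank line that ends the Hash: header."""
    lines = split_signed_script(text)[1].splitlines()
    return lines[lines.index("") + 1:lines.index(BEGIN_SIG)]

def layout_ok(text):
    """Unsigned bytes are exactly the expected pair, and the signed part is
    bracketed by the =cut / =head2 POD markers the scheme relies on."""
    prefix, _, suffix = split_signed_script(text)
    body = signed_text(text)
    return (prefix == EXPECTED_PREFIX and all(not s.strip() for s in suffix)
            and body[0] == "=cut" and body[-1] == "=head2")

# Constructed sample in the layout the post describes; the signature is a placeholder.
SAMPLE = """#!/usr/bin/perl
=head1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=cut
print "hello\\n";
=head2
-----BEGIN PGP SIGNATURE-----

PLACEHOLDERnotARealSignature
=PLCH
-----END PGP SIGNATURE-----
"""
# Same file with an unsigned statement slipped in ahead of the armor (still
# valid POD, still verifies with gpg, but runs code nobody signed).
TAMPERED = SAMPLE.replace("=head1\n", "=head1\n=cut\nprint 'unsigned';\n=head1\n", 1)
```

The middle element returned by split_signed_script is the only part worth passing to gpg; a file that fails layout_ok should be rejected before gpg is even run.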
Re: clearsigning perl ?
Darxus@ChaosReigns.com wrote:

> I realize this means the lines at the beginning of the program, which
> could be maliciously modified to do bad things, are not verified.

On the other hand, perl scripts have to be modified in this line often
anyway. On my system #!/bin/perl would be nicer, and I have often seen
/usr/local/bin/perl, which doesn't work at all since I don't have a symlink
there.

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

Re: clearsigning perl ?

Darxus@ChaosReigns.com, at 22:29 -0400 on Sat, 16 Sep 2000, wrote:

> I realize this means the lines at the beginning of the program, which
> could be maliciously modified to do bad things, are not verified. I think
> I would mention what they should look like on the last lines before the
> signature, and provide a url to my public key.

Your best solution is to make a real perl package, complete with the
Makefile.PL, and then sign the tar.gz. Perl, when it installs
perl scripts, changes the beginning line automatically; however,
one checks the sigs before even untarring/ungzipping, so this is
not a problem.

If you are new to Perl package management, I can personally recommend
pgpenvelope, at http://pgpenvelope.sourceforge.net/, as an example of how
to approach it. Feel free to mail me off-list for further questions about
this.

--
Frank Tobin http://www.uiuc.edu/~ftobin/
