I'm not surprised that most people couldn't produce a matching PGP executable - most compilers (irrespective of compiler optimisation options etc) include a timestamp in the executable.

Regards,

Sam Simpson
[EMAIL PROTECTED]
http://www.samsimpson.com/
Mob: +44 (0) 7866 726060
Home Office: +44 (0) 1438 229390
Fax: +44 (0) 1438 726069

On Fri, 9 Aug 2002, Lucky Green wrote:

> Anonymous wrote:
> > Matt Crawford replied:
> > > Unless the application author can predict the exact output of the
> > > compilers, he can't issue a signature on the object code. The
> > > compilers then have to be inside the trusted base, checking a
> > > signature on the source code and reflecting it somehow through a
> > > signature they create for the object code.
> >
> > It's likely that only a limited number of compiler
> > configurations would be in common use, and signatures on the
> > executables produced by each of those could be provided.
> > Then all the app writer has to do is to tell people, get
> > compiler version so-and-so and compile with that, and your
> > object will match the hash my app looks for. DEI
>
> The above view may be overly optimistic. IIRC, nobody outside PGP was
> ever able to compile a PGP binary from source that matched the hash of
> the binaries built by PGP.
>
> --Lucky Green
>
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
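
The timestamp effect described in the message above, as an added example that is not part of the original thread: two builds that differ only in an embedded build time hash differently, and match again once that field is zeroed before hashing. The PE/COFF `TimeDateStamp` field is an assumed illustration (the thread names no file format), and the images, timestamps and function names are constructed for the example.

```python
import hashlib
import struct

def build_pe_stub(timestamp: int, body: bytes = b"\x90" * 64) -> bytes:
    """Constructed minimal PE-like image: DOS header, PE signature, COFF header, body."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)   # e_lfanew lives at 0x3C
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    coff = struct.pack("<HHIIIHH", 0x014C, 0, timestamp, 0, 0, 0, 0)
    return dos + b"PE\x00\x00" + coff + body

def timestamp_offset(image: bytes) -> int:
    """Locate the COFF TimeDateStamp: 8 bytes past the start of the PE signature."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    offset = e_lfanew + 8
    if offset + 4 > len(image):
        raise ValueError("truncated COFF header")
    return offset

def read_timestamp(image: bytes) -> int:
    return struct.unpack_from("<I", image, timestamp_offset(image))[0]

def normalized_digest(image: bytes) -> str:
    """SHA-256 over the image with the build timestamp zeroed out."""
    off = timestamp_offset(image)
    return hashlib.sha256(image[:off] + b"\x00" * 4 + image[off + 4:]).hexdigest()

def compare(a: bytes, b: bytes) -> dict:
    """Report whether two builds match byte-for-byte and after normalization."""
    return {
        "raw_match": hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
        "normalized_match": normalized_digest(a) == normalized_digest(b),
        "timestamps": (read_timestamp(a), read_timestamp(b)),
    }

if __name__ == "__main__":
    # Same "source", built an hour apart (constructed timestamps).
    first = build_pe_stub(1028851200)
    second = build_pe_stub(1028854800)
    print(compare(first, second))
    # A real code difference must still be detected after normalization.
    print(compare(first, build_pe_stub(1028851200, body=b"\xcc" * 64)))
```

Real toolchains can embed other build-dependent data besides this one field (debug records, file paths, checksums), so a normalized match on a real binary needs each such field handled the same way.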