-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

There are certainly some hacks you could try out, but they would be somewhat error-prone. The easiest and most secure way to go about this would probably be to --detach-sign instead of doing a cleartext signature.

If you require a cleartext signature, reconsider your design. If you still require a cleartext signature, _reconsider your design_. If you _still_ require a cleartext signature, here's something that would clearsign a (slightly modified) Java file and still compile:

    # Comment delimiters used to hide the PGP armor lines from the compiler
    echo "/*" > startcomment.tmp
    echo "*/" > endcomment.tmp
    # Sign "*/" + source + "/*", then wrap the clearsigned output in "/*" ... "*/"
    cat endcomment.tmp HelloWorld.java startcomment.tmp | \
    gpg --not-dash-escaped --no-escape-from-lines --clearsign | \
    cat startcomment.tmp - endcomment.tmp > HelloWorld.signed.java

The signed part itself is not valid Java, but the result of the message after signing is.

If you were to actually use this, anyone who verifies your code will be required to make sure nothing substantive occurs before or after the signed part (i.e., nothing before the start line except /* and nothing after the end line except */); it would be easy to sneak in some bad code. Additionally, your verifiers would need GnuPG to verify since the NotDashEscaped extension is included. Between these two factors it's really just way better to --detach-sign the code.

HTH

PSM

Nathan Smith wrote:
> Does anyone know if there's a solution to signing source code (using gpg), in
> a way which will still allow the source code to function? For example for a
> Java file if the GPG signature could be placed within the comments embedded
> within the Java source (ie /* */ ), or within XML comments (ie <!-- --> )
> for an XML file. We are trying to implement a source signing policy at our
> company, where a developer's source code is signed before it is checked into
> our source control system. But of course, the source must still be able to
> compile, and signing must not affect the functionality of the source.
> Thanks..
> Nate

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFF+CqVei6R+3iF2vwRCu8eAJ4syVjBDxg/QHlSUiUAF/oI6gpwfgCeKbhl
v3wwib/RPRWchIT7BUEn7Xk=
=RJd8
-----END PGP SIGNATURE-----

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
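
Added example, not part of the original message: a Python sketch of the structural check the reply says every verifier must perform on a file like HelloWorld.signed.java, run in addition to verifying the signature with gpg. The function name check_wrapper and both sample files are constructed for illustration; the check also rejects a comment terminator in the armor header lines, which the signature does not cover.

```python
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def check_wrapper(text):
    """Return a list of problems; an empty list means the unsigned parts are inert."""
    lines = text.splitlines()
    problems = []
    if lines[:2] != ["/*", BEGIN_MSG]:
        problems.append("content before the signed message other than '/*'")
    if lines[-2:] != [END_SIG, "*/"]:
        problems.append("content after the signature other than '*/'")
    for marker in (BEGIN_MSG, BEGIN_SIG, END_SIG):
        if lines.count(marker) != 1:
            problems.append("expected exactly one line %r" % marker)
    if problems:
        return problems
    sig = lines.index(BEGIN_SIG)
    # Armor headers (Hash:, NotDashEscaped:, Version:, Comment:) are not signed.
    try:
        blank = lines.index("", 2, sig)
    except ValueError:
        return ["no blank line ending the cleartext armor headers"]
    unsigned = lines[2:blank] + lines[sig + 1:-2]
    if any("*/" in line for line in unsigned):
        problems.append("comment terminator inside unsigned armor text")
    # The signed text itself must close the leading comment and reopen one.
    signed = lines[blank + 1:sig]
    if not signed or signed[0] != "*/" or signed[-1] != "/*":
        problems.append("signed text must start with '*/' and end with '/*'")
    return problems


# Constructed sample in the layout the pipeline above produces
# (the signature data is a placeholder, not a real signature).
GOOD = "\n".join([
    "/*", BEGIN_MSG, "Hash: SHA1",
    "NotDashEscaped: You need GnuPG to verify this message", "",
    "*/", "public class HelloWorld { }", "/*",
    BEGIN_SIG, "Version: GnuPG v1.4.7 (GNU/Linux)", "",
    "PLACEHOLDERSIGNATUREDATA", "=XXXX", END_SIG, "*/",
]) + "\n"
TAMPERED = GOOD + "class Extra { }\n"  # constructed: code after the closing */

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("tampered", TAMPERED)):
        print(name, check_wrapper(sample) or "ok")
```

An empty result only says the unsigned wrapper is inert; the signed text still has to pass gpg verification against a trusted key.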