In this case a detached signature would be your best bet. You would check the detached sig in with the source code. When the source is checked out, you could then validate that the source has not changed since it was signed. Be careful, though, if you use any embedded keywords with your revision control system ($Id$, et al.). If the revision control system changes the content of the files, it will invalidate the signature.

-Joe



On Mar 12, 2007, at 7:02 PM, Nathan Smith wrote:


Does anyone know if there's a solution to signing source code (using gpg) in a way which will still allow the source code to function? For example, for a Java file, could the GPG signature be placed within the comments embedded within the Java source (i.e. /* */), or within XML comments (i.e. <!-- -->) for an XML file? We are trying to implement a source signing policy at our company, where a developer's source code is signed before it is checked into our source control system. But of course, the source must still be able to compile, and signing must not affect the functionality of the source.
Thanks.. Nate
--
View this message in context: http://www.nabble.com/signing-source-code-with-gpg-tf3393462.html#a9447180
Sent from the GnuPG - User mailing list archive at Nabble.com.


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
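The workflow Joe describes, as an added example that is not code from the original thread: sign the source file with a detached, ASCII-armored signature that is committed next to it (Foo.java.asc beside Foo.java, so the source itself is untouched and still compiles), verify the signature after checkout, and watch the signature break as soon as the revision control system expands a $Id$ keyword. The throwaway key, the temporary GNUPGHOME, the file name Foo.java and the expanded $Id: ... $ string are all constructed for this demo; the sed call stands in for what Subversion's svn:keywords or git's ident attribute would do on checkout.

```shell
#!/bin/sh
# Added example (not from the original thread): detached-signature workflow
# for source files with a throwaway key in a temporary GNUPGHOME.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupghome"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$WORK"' EXIT

# gpg in non-interactive mode; the demo key has no passphrase.
gpgb() {
    gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"
}

# One-time setup: a throwaway signing key (constructed identity; in practice
# this is the developer's own key, already in the keyring).
make_key() {
    gpgb --quick-generate-key "Demo Signer <signer@example.invalid>" \
        default default never >/dev/null 2>&1
}

# Sign a file, writing the detached ASCII-armored signature to <file>.asc.
# The source file is not modified, so it still compiles unchanged; the .asc
# is what gets checked in alongside it.
sign_file() {
    gpgb --armor --detach-sign --output "$1.asc" "$1"
}

# Verify a checked-out file against its committed detached signature.
# Exit status 0 only for a good signature over exactly the current bytes.
verify_file() {
    gpg --batch --verify "$1.asc" "$1" >/dev/null 2>&1
}

# Simulate keyword expansion by the VCS on checkout: "$Id$" becomes
# "$Id: Foo.java 42 2007-03-13 joe $" (constructed expansion string).
expand_keywords() {
    sed 's/\$Id\$/$Id: Foo.java 42 2007-03-13 joe $/' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Full round trip. Returns 0 if the clean checkout verifies AND the
# keyword-expanded checkout is rejected; returns 1 otherwise.
run_demo() {
    cd "$WORK"
    # Constructed sample source file carrying an unexpanded $Id$ keyword.
    cat > Foo.java <<'EOF'
/* $Id$ */
public class Foo {
    public static void main(String[] args) { System.out.println("hi"); }
}
EOF
    sign_file Foo.java
    if verify_file Foo.java; then
        echo "clean checkout: good signature"
    else
        echo "clean checkout: signature did NOT verify"; return 1
    fi
    expand_keywords Foo.java
    if verify_file Foo.java; then
        echo "after keyword expansion: signature still verifies (unexpected)"
        return 1
    fi
    echo "after keyword expansion: BAD signature (content changed by the VCS)"
    return 0
}

make_key
run_demo
```

Because the signature covers the exact bytes of the file, anything the revision control system rewrites on checkout breaks it: keyword expansion (svn:keywords in Subversion, the ident attribute in git), but also line-ending conversion. For signed files, turn those transformations off, or sign a canonical form that both the signer and the verifier can reproduce.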

