
In <199706220814.JAA06026@server.test.net>, on 06/22/97 at 09:14 AM, Adam Back <aba@dcs.ex.ac.uk> said:
- those running the rc5 crack don't sign their binaries (presumably because they don't use PGP, or don't know what it is or something), who knows what you're downloading, virus, disk formatter, whatever. If you had source code, you could verify it yourself at least, even if there is no signature.
- This problem with taking too few keys, if you had the source, and they can't be bothered to write instructions, or even brief usage notes, you could at least figure out how to use it from the source.

It's a shame that more shareware/freeware authors don't sign their code. I wrote a small Rexx script that signs all my source code, signs the binaries, creates the zip archive & signs it then creates a wrapper zip archive for the archive & the detached signature file.

For C, H & CMD files you can clear sign the text files and still be able to compile them without removing the signatures.

Example Test.C

main(){
 . . .
}

Add the following to the top and bottom of the file:

*/
main(){
 . . .
}
/*

Now clearsign the file.

-----BEGIN PGP SIGNED MESSAGE-----

*/
main(){
 . . .
}
/*

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: cp850
Comment: Registered_User_E-Secure_v1.1b1_ES000000

iQCVAwUBM6m/I49Co1n+aLhhAQGI4gQAgdJ8wU8PZezxO+DHFAzLoMmrnPoi7xBV
4YVGablxDRO16cELE8p2YVaNeZ+dOOLiZYnpZKPoPW2w8Ze7gDxAz5ODJ8ZBd+Ta
x/3o3jkFGednnlJoEQcpS/R4bmoKy9hMzO7KJpXJB8YiWrbbGfiA3YidGMtYhWUf
bDPiuD+rqXI=
=gNYv
-----END PGP SIGNATURE-----

Now add the following to the top and bottom of the message:

/*
-----BEGIN PGP SIGNED MESSAGE-----

*/
main(){
 . . .
}
/*

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: cp850
Comment: Registered_User_E-Secure_v1.1b1_ES000000

iQCVAwUBM6m/I49Co1n+aLhhAQGI4gQAgdJ8wU8PZezxO+DHFAzLoMmrnPoi7xBV
4YVGablxDRO16cELE8p2YVaNeZ+dOOLiZYnpZKPoPW2w8Ze7gDxAz5ODJ8ZBd+Ta
x/3o3jkFGednnlJoEQcpS/R4bmoKy9hMzO7KJpXJB8YiWrbbGfiA3YidGMtYhWUf
bDPiuD+rqXI=
=gNYv
-----END PGP SIGNATURE-----
*/

Now the PGP Signature has been commented out of the source code so it will not interfere with compiling. The end user can verify the signature without any modifications.

I don't know if this will work with other languages that use different delimiters. It all depends if you have the ability to comment out a block of text or if you need to add a delimiter to every line.

--
---------------------------------------------------------------
William H. Geiger III  http://www.amaranth.com/~whgiii
Geiger Consulting    Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 2.6.3a at: http://www.amaranth.com/~whgiii/pgpmr2.html
---------------------------------------------------------------
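
The wrapping described in the message above, as an added example that is not part of the original post: a Python check that every PGP framing line of a comment-wrapped clearsigned C file sits inside a comment, and that flags dash-escaped lines, where the text the compiler reads differs from the text the signature covers. The function and sample names are assumptions made here, the armor body is a constructed placeholder, and the check is structural only; verifying the signature itself is still done with PGP.

```python
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

def check_wrapped_source(text):
    """Return (signed_lines, problems) for a comment-wrapped clearsigned C file."""
    lines = [l.rstrip() for l in text.splitlines()]
    try:
        b = lines.index(BEGIN_MSG)
        s = lines.index(BEGIN_SIG, b)
        e = lines.index(END_SIG, s)
        blank = lines.index("", b, s)  # armor headers end at the first blank line
    except ValueError:
        return [], ["clearsign framing is missing or out of order"]
    problems = []
    # Outer wrapper: the BEGIN and END framing lines must sit inside C comments.
    if [l for l in lines[:b] if l] != ["/*"]:
        problems.append("BEGIN line is not preceded by a lone '/*'")
    if [l for l in lines[e + 1:] if l] != ["*/"]:
        problems.append("END line is not followed by a lone '*/'")
    raw = lines[blank + 1:s]
    # Clearsigning dash-escapes lines starting with '-'; the compiler reads the escaped form.
    signed = [l[2:] if l.startswith("- ") else l for l in raw]
    problems += [f"signed line {n} is dash-escaped: compiler sees {l!r}"
                 for n, l in enumerate(raw, 1) if l.startswith("- ")]
    # Inner wrapper: the signed text itself must open with '*/' and close with '/*'.
    body = [l for l in signed if l]
    if body[:1] != ["*/"] or body[-1:] != ["/*"]:
        problems.append("signed text does not start with '*/' and end with '/*'")
    return signed, problems

# Constructed samples; the armor body is a placeholder, not a real signature.
GOOD = """/*
-----BEGIN PGP SIGNED MESSAGE-----

*/
main(){
}
/*

-----BEGIN PGP SIGNATURE-----

CONSTRUCTEDPLACEHOLDER
-----END PGP SIGNATURE-----
*/
"""
ESCAPED = GOOD.replace("}\n/*", "- --x;\n}\n/*", 1)  # source line beginning with '-'
```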