Based on other discussions over the past weeks, I've been thinking about how to "sign" a module so you know it came from me and has not been altered or substituted.

Here is a possibility:

The simplest thing is to use PGP to produce a separate .sig file, and distribute that along with the .pm file.

But, why not find a way to embed it in the same file? So, use a specially-named POD paragraph to hold a signature block. A simple program will read a file, throw away that sig block, normalize end-of-line characters, and feed the result to PGP, then insert the new sig block into the original (un-normalized) data.

The normalization is done so that people can sign and verify on different platforms. FTP or Unzip may change line endings, which don't affect the meaning or appearance of the script. Anything else that needs to be normalized for this issue?

The sig block would contain a line stating what it is, the normal base64-encoded PGP signature that's used in email, plain text for the signer's name, and a SHA-1 hash line (base64-encoded) of the same input that was signed.

The latter is a way to do some checking even if you don't have PGP available. This won't detect fraud like a digital signature, but will detect the common case of someone changing something and not updating the version number or release information.

Meanwhile, it's possible for a Perl program to automatically check the signatures for modules it loads. I'm not saying you always want to do that because of performance issues (though MS thinks it's OK with .NET, and Java has something like that), but you could. Another thing is to automatically scan and verify the library directories that contain the .pm files, along with your daily backups and virus scans.

Any thoughts on this?

—John
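As an added example (not John's code, and written in Python rather than Perl so it runs stand-alone), here is the strip-normalize-hash-embed tooling the post describes. The `=begin signature`/`=end signature` block name and the `Signed-by:`/`SHA1:`/`PGP:` field names are assumptions; the PGP signature itself would be produced by PGP over the canonical text, so a constructed placeholder stands in for it here.

```python
import base64
import hashlib
import re

# Assumed block name (the post leaves it open): a POD "=begin signature" block. The
# regex also swallows the blank line that separates the block from what precedes it.
_BLOCK_RE = re.compile(
    r"(?:\r?\n)?^=begin signature\r?\n.*?^=end signature(?:\r?\n)?", re.M | re.S)

def canonical(text):
    """Exactly what gets signed/hashed: sig block removed, CRLF and bare CR -> LF."""
    text = _BLOCK_RE.sub("", text, count=1)
    return text.replace("\r\n", "\n").replace("\r", "\n")

def sha1_b64(text):
    """Base64-encoded SHA-1 line for the block, as the post proposes."""
    return base64.b64encode(hashlib.sha1(text.encode("utf-8")).digest()).decode("ascii")

def embed_sig_block(text, signer, pgp_sig_b64):
    """Insert a fresh block into the ORIGINAL (un-normalized) text, keeping its line
    endings. pgp_sig_b64 is PGP's detached signature over canonical(text), made outside."""
    lines = ["=begin signature", "Signed-by: " + signer,
             "SHA1: " + sha1_b64(canonical(text)), "PGP:",
             *pgp_sig_b64.splitlines(), "=end signature"]
    base = _BLOCK_RE.sub("", text, count=1)       # replace any stale block
    nl = "\r\n" if "\r\n" in base else "\n"
    if not base.endswith(nl):
        base += nl
    return base + nl + nl.join(lines) + nl        # block as a trailing POD paragraph

def parse_sig_block(text):
    """Return the block's 'Key: value' fields, or None when there is no block."""
    m = _BLOCK_RE.search(text)
    if not m:
        return None
    fields = {}
    for line in m.group(0).splitlines():          # splitlines() handles CRLF too
        if ":" in line and not line.startswith("="):
            key, _, value = line.partition(":")
            fields.setdefault(key.strip(), value.strip())
    return fields

def verify_hash(text):
    """The PGP-less check from the post: recompute the hash over the canonical text and
    compare with the embedded line. Catches unannounced edits, not deliberate forgery."""
    fields = parse_sig_block(text)
    return bool(fields) and fields.get("SHA1") == sha1_b64(canonical(text))

# Constructed sample module with DOS line endings, as an FTP transfer might leave it.
SAMPLE_PM = "package Demo::Hello;\r\nuse strict;\r\nsub hello { 'hello' }\r\n1;\r\n"
SIGNED_PM = embed_sig_block(SAMPLE_PM, "J. Signer (constructed)", "PLACEHOLDER_PGP_SIG")
```

Converting SIGNED_PM to Unix line endings still verifies, while editing the code body without re-signing does not.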


In reply to Muse on Digital Signatures in Perl Modules by John M. Dlugosz