[nycphp-talk] Signing PHP applications.

Joseph Crawford Jr. jcrawford at codebowl.com
Sat Aug 14 00:45:32 EDT 2004


Dan,

Am I wrong, or are MD5 and GPG in the PHP code, such as variables? That is how
I would picture signing a PHP script.

Or are you talking about compressing the files and signing the zip/rar file?

Joe Crawford Jr.


----- Original Message ----- 
From: "Daniel Convissor" <danielc at analysisandsolutions.com>
To: "NYPHP Talk" <talk at lists.nyphp.org>
Sent: Saturday, August 14, 2004 12:33 AM
Subject: Re: [nycphp-talk] Signing PHP applications.


> Sir Joe:
>
> On Sat, Aug 14, 2004 at 12:19:18AM -0400, Joseph Crawford Jr. wrote:
> >
> > but the fact of signing a php app when it is not obfuscated say with zend
> > encoder what is the point?
>
> Zend encoding has nothing to do with it.
>
>
> > the key or md5 sum is publicly viewable and
> > changeable hence it doesn't make any sense.
>
> Depends what you're looking for.
>
> If the main server is compromised and someone changes the tarball and the
> md5, you're right.
>
> Sidebar:  This is why SIGNING with GPG/etc is superior, because the
> intruder would need to know your secret passphrase to create a valid
> signature for the file.
>
> BUT, if you install a program, and then, on your own, determine the md5
> sums and store them in a secure manner, you can use md5's to ensure your
> server is in good health.
>
> Of course, any security measures can be circumnavigated somehow.  But that
> doesn't mean we shouldn't undertake security measures.
>
> --Dan
>
> -- 
>  T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
>             data intensive web and database programming
>                 http://www.AnalysisAndSolutions.com/
>  4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335 f: 718-854-0409