[nycphp-talk] Signing PHP applications.
inforequest
sm11szw02 at sneakemail.com
Sat Aug 14 00:04:16 EDT 2004
Joseph Crawford Jr. jcrawford-at-codebowl.com |nyphp 04/2004| wrote:
>What's the big deal or why would you sign a php script or file? I have never
>understood the meaning of signing files.
>
>Joe Crawford Jr.
>
>
If it is "signed" then you know it has not been modified since it was
released by the author. If it is not signed, then it may have been
modified - in worst case, it may have been corrupted or it may have been
loaded with a virus/worm/trojan. With complex scripts, it would be
relatively easy to hide a backdoor inside, for example.

"Signing" can be as simple as including a hash value with the code, so
the code can be re-hashed by the recipient (if the value matches, it
hasn't been modified -- with ridiculously high probability). It could
also be encrypted with keys that need to be verified with a "trusted
authority" before use (more complicated, and if you are a realist,
there are no "trusted authorities" -- yet).
-=john andrews
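
The two approaches described in the message above, as an added example that is not part of the original post: a plain hash re-computed by the recipient, and a keyed check. It goes one step beyond the post by also showing the case where the hash travels in the same archive as the code. Assumptions: the sample "release", the key and all function names are constructed for illustration, and HMAC-SHA256 from the Python standard library stands in for a real public-key signature (with HMAC the verifier must hold the same secret key as the author).

```python
import hashlib
import hmac

def digest(code: bytes) -> str:
    """SHA-256 hex digest that the author publishes with the release."""
    return hashlib.sha256(code).hexdigest()

def verify_hash(code: bytes, published: str) -> bool:
    """Recipient re-hashes the code and compares it with the published value."""
    return hmac.compare_digest(digest(code), published)

def tag(code: bytes, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256); it cannot be recomputed without the key."""
    return hmac.new(key, code, hashlib.sha256).hexdigest()

def verify_tag(code: bytes, published: str, key: bytes) -> bool:
    """Recipient recomputes the keyed hash with the shared key and compares."""
    return hmac.compare_digest(tag(code, key), published)

# Constructed sample data: a tiny "release" and a copy altered after release.
RELEASE = b"<?php\necho 'hello';\n"
ALTERED = RELEASE + b"// line added after release\n"
AUTHOR_KEY = b"constructed-demo-key-held-by-author"

def scenarios() -> dict:
    """Run each verification case and report whether the code is accepted."""
    good_hash = digest(RELEASE)
    good_tag = tag(RELEASE, AUTHOR_KEY)
    forged_tag = tag(ALTERED, b"some-other-key")  # made without the author's key
    return {
        # Hash obtained from the author: unmodified code passes.
        "untouched_release": verify_hash(RELEASE, good_hash),
        # Same trusted hash: any change to the code is detected.
        "altered_code_original_hash": verify_hash(ALTERED, good_hash),
        # Hash shipped inside the same archive and replaced along with the
        # code: the check passes, so a bundled hash only catches corruption.
        "altered_code_and_bundled_hash": verify_hash(ALTERED, digest(ALTERED)),
        # Keyed check: altered code fails against the author's tag ...
        "altered_code_original_tag": verify_tag(ALTERED, good_tag, AUTHOR_KEY),
        # ... and a tag recomputed without the author's key fails as well.
        "altered_code_tag_from_wrong_key": verify_tag(ALTERED, forged_tag, AUTHOR_KEY),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:34} {'accepted' if ok else 'REJECTED'}")
```

The practical consequence is that the published hash has to reach the recipient by a channel the code itself did not travel over, or be bound to a key the modifier does not have.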