[nycphp-talk] Signing PHP applications.
Joseph Crawford Jr.
jcrawford at codebowl.com
Sat Aug 14 00:45:32 EDT 2004
Dan,
Am I wrong, or are MD5 and GPG in the PHP code, such as variables? That is how
I would picture signing a PHP script.
Or are you talking about compressing the files and signing the zip/rar file?
Joe Crawford Jr.
----- Original Message -----
From: "Daniel Convissor" <danielc at analysisandsolutions.com>
To: "NYPHP Talk" <talk at lists.nyphp.org>
Sent: Saturday, August 14, 2004 12:33 AM
Subject: Re: [nycphp-talk] Signing PHP applications.
> Sir Joe:
>
> On Sat, Aug 14, 2004 at 12:19:18AM -0400, Joseph Crawford Jr. wrote:
> >
> > but the fact of signing a php app when it is not obfuscated say with zend
> > encoder what is the point?
>
> Zend encoding has nothing to do with it.
>
>
> > the key or md5 sum is publicly viewable and
> > changeable hence it doesn't make any sense.
>
> Depends what you're looking for.
>
> If the main server is compromised and someone changes the tarball and the
> md5, you're right.
>
> Sidebar: This is why SIGNING with GPG/etc is superior, because the
> intruder would need to know your secret passphrase to create a valid
> signature for the file.
>
> BUT, if you install a program, and then, on your own, determine the md5
> sums and store them in a secure manner, you can use md5's to ensure your
> server is in good health.
>
> Of course, any security measures can be circumnavigated somehow. But that
> doesn't mean we shouldn't undertake security measures.
>
> --Dan
>
> --
> T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y
> data intensive web and database programming
> http://www.AnalysisAndSolutions.com/
> 4015 7th Ave #4, Brooklyn NY 11232 v: 718-854-0335 f: 718-854-0409
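The two cases discussed in the quoted reply (a checksum list that can be replaced together with the files, versus a signature that needs the secret key, and a list you recorded yourself and kept safe), as an added example that is not code from the thread or its participants. It assumes PHP 7.2+ with the sodium extension; Ed25519 stands in for GPG and SHA-256 for MD5, and the file names, contents and function names are constructed for illustration.

```php
<?php
// Added example, not from the thread. Ed25519 from PHP's sodium extension stands
// in for GPG, and SHA-256 for MD5. File names and contents are constructed.

// One "name  digest" line per file in $dir: the published checksum list.
function build_manifest(string $dir): string {
    $lines = [];
    foreach (glob($dir . '/*') as $path) {
        if (is_file($path)) {
            $lines[] = basename($path) . '  ' . hash_file('sha256', $path);
        }
    }
    sort($lines);
    return implode("\n", $lines) . "\n";
}

// Checksum-only check: trusts whatever manifest sits next to the files.
function checksum_ok(string $dir, string $manifest): bool {
    return hash_equals($manifest, build_manifest($dir));
}

// Signed check: the manifest must carry a valid signature AND match the files.
function signed_ok(string $dir, string $manifest, string $sig, string $pub): bool {
    return sodium_crypto_sign_verify_detached($sig, $manifest, $pub)
        && checksum_ok($dir, $manifest);
}

// Constructed sample application in a temporary directory.
$dir = sys_get_temp_dir() . '/signdemo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/index.php", "<?php echo 'hello';\n");
file_put_contents("$dir/lib.php", "<?php function f() {}\n");

// Release time: the secret key stays off the server, only $pub is published.
$keypair  = sodium_crypto_sign_keypair();
$pub      = sodium_crypto_sign_publickey($keypair);
$manifest = build_manifest($dir);
$sig      = sodium_crypto_sign_detached($manifest, sodium_crypto_sign_secretkey($keypair));
echo 'untouched, signed check:      ', var_export(signed_ok($dir, $manifest, $sig, $pub), true), "\n";

// The server is compromised: a file changes and the checksum list is regenerated.
file_put_contents("$dir/index.php", "<?php echo 'changed';\n");
$replaced = build_manifest($dir);
echo 'replaced list, checksum only: ', var_export(checksum_ok($dir, $replaced), true), "\n";
echo 'replaced list, signed check:  ', var_export(signed_ok($dir, $replaced, $sig, $pub), true), "\n";
echo 'original list, signed check:  ', var_export(signed_ok($dir, $manifest, $sig, $pub), true), "\n";

array_map('unlink', glob($dir . '/*'));
rmdir($dir);
```

The last line corresponds to the self-recorded checksum case: the original list, kept where the intruder could not rewrite it, no longer matches the files on disk.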