[nycphp-talk] Signing PHP applications.
Daniel Convissor
danielc at analysisandsolutions.com
Sat Aug 14 00:33:47 EDT 2004
Sir Joe:
On Sat, Aug 14, 2004 at 12:19:18AM -0400, Joseph Crawford Jr. wrote:
>
> but the fact of signing a php app when it is not obfuscated say with zend
> encoder what is the point?
Zend encoding has nothing to do with it.
> the key or md5 sum is publicly viewable and
> changeable hence it doesn't make any sense.
Depends what you're looking for.
If the main server is compromised and someone changes the tarball and the
md5, you're right.
Sidebar: This is why SIGNING with GPG/etc is superior, because the
intruder would need to know your secret passphrase to create a valid
signature for the file.
BUT, if you install a program, and then, on your own, determine the md5
sums and store them in a secure manner, you can use md5's to ensure your
server is in good health.
Of course, any security measures can be circumnavigated somehow. But that
doesn't mean we shouldn't undertake security measures.
--Dan
--
T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y
data intensive web and database programming
http://www.AnalysisAndSolutions.com/
4015 7th Ave #4, Brooklyn NY 11232 v: 718-854-0335 f: 718-854-0409
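The second use Dan describes, taking your own checksums of an installed application and keeping them somewhere the web server cannot write to, then re-checking the tree later, is a host integrity check rather than distribution verification. The following is an added example, not code from Dan's post or from any PHP project, that does exactly that: it baselines a directory, then reports files whose digest changed, files that vanished, and files that were not there at install time. It uses SHA-256 instead of MD5 because MD5 collisions are cheap today; the sample PHP files and the `demo()` scenario are constructed for illustration, and every function name here is the example's own.

```python
"""Host integrity baseline and re-check for an installed application tree.

Added example for the discussion above; it is not Dan's code. The install
tree and the tampering in demo() are constructed for illustration.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path: Path, algo: str = "sha256") -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, algo: str = "sha256") -> dict:
    """Walk an install tree and map relative path -> digest for every regular file.

    Taken right after install; in practice the result is stored off the host
    or on read-only media so an intruder who edits the tree cannot also
    edit the baseline (the "secure manner" the post refers to).
    """
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            full = Path(dirpath) / name
            if full.is_file():
                manifest[full.relative_to(root).as_posix()] = file_digest(full, algo)
    return manifest


def verify_manifest(root: Path, manifest: dict, algo: str = "sha256") -> dict:
    """Compare the live tree against a stored manifest.

    Returns sorted lists of paths that were modified, that went missing,
    and that appeared after the baseline was taken.
    """
    current = build_manifest(root, algo)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tiny PHP install, tamper with it, re-check."""
    root = Path(tempfile.mkdtemp(prefix="phpapp-"))
    (root / "lib").mkdir()
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (root / "config.php").write_text("<?php $db = 'app'; ?>\n")
    (root / "lib" / "db.php").write_text("<?php function connect() {} ?>\n")

    baseline = build_manifest(root)  # what you would store securely after install

    # Simulated tampering: one edited file, one removed file, one unexpected file.
    (root / "index.php").write_text("<?php echo 'hello'; /* changed */ ?>\n")
    (root / "config.php").unlink()
    (root / "lib" / "extra.php").write_text("<?php ?>\n")

    return verify_manifest(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The check only detects what the baseline can vouch for: a manifest left writable next to the application is no better than the public md5 Joseph objects to, and a signed manifest (the GPG route in the post) is what lets a second party trust it without sharing your storage.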