I need to digitally sign a tar.gz file, and have no idea how to do it. I understand the concept, and I know how to sign a jar/zip file. But I cannot find a way that will work with a tar.gz file.

Can anyone point me in the right direction, or tell me why this cannot be done?

Thanks!

lanrat
  • Will any pre-existing code need to be able to verify the signature? Then you need to find out which format that code expects. Otherwise you're free to roll your own. Compute the signature of the entire file, and store it somewhere convenient. Or are you asking how to piggyback the signature _inside_ the tarball itself? – hmakholm left over Monica Aug 24 '11 at 23:01
  • I can write any code needed. The signature will be generated by a makefile, and verified by perl. So ideally something in bash/perl. Storing the signature inside the tar.gz would be ideal. – lanrat Aug 24 '11 at 23:11

1 Answer

One of the options is to use a detached signature using an OpenPGP key or X.509 certificate. Both GnuPG and OpenSSL should be able to produce detached signatures. Of course, you will get a separate file with the signature, but this is the only viable option, as for me.

Eugene Mayevski 'Callback
  • I would like to try this method. But I don't really know how. Could you possibly describe the procedure to do this? Thanks. – lanrat Aug 25 '11 at 17:28
  • Never mind, I figured it out with this: http://www.madboa.com/geek/openssl/#cert-self – lanrat Aug 25 '11 at 23:49
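The detached-signature procedure the answer describes, worked through with OpenSSL as an added example (this is not code from the answer or from the linked page). It builds a small tarball and a throwaway RSA key pair, writes the signature to a separate `.sig` file next to the archive, verifies it, and then shows that verification fails once a single byte of the archive changes. The working directory, file names and key size are assumptions chosen for the example; the asker's makefile would keep only the private key on the build side and ship `release.tar.gz` plus `release.tar.gz.sig` together with the public key.

```shell
#!/bin/sh
# Added example (not from the original answer): detached signature of a
# tar.gz with OpenSSL. Paths, file names and the key pair are constructed here.
set -eu

WORK="${TMPDIR:-/tmp}/tgz-sign-example.$$"
mkdir -p "$WORK"

# Build a small tarball to sign (constructed sample content) and print its path.
make_sample_tarball() {
    mkdir -p "$WORK/payload"
    printf 'hello from the tarball\n' > "$WORK/payload/hello.txt"
    tar -czf "$WORK/release.tar.gz" -C "$WORK" payload
    printf '%s\n' "$WORK/release.tar.gz"
}

# One-time: a private signing key and its public half. Only the public key
# is distributed with the tarball; the private key stays on the build machine.
make_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/signing.key" 2>/dev/null
    openssl pkey -in "$WORK/signing.key" -pubout -out "$WORK/signing.pub"
}

# Sign: SHA-256 digest of the whole archive, signed with the private key.
# The signature lands in <archive>.sig; the archive itself is untouched.
sign_tarball() {
    openssl dgst -sha256 -sign "$WORK/signing.key" -out "$1.sig" "$1"
}

# Verify: exit status 0 only if the signature matches both the public key
# and the exact bytes of the archive (this is what the Perl side would run).
verify_tarball() {
    openssl dgst -sha256 -verify "$WORK/signing.pub" \
        -signature "$1.sig" "$1" >/dev/null 2>&1
}

# Round trip, then the failure case: append one byte and verify again.
demo() {
    tgz=$(make_sample_tarball)
    make_keypair
    sign_tarball "$tgz"
    if verify_tarball "$tgz"; then
        echo "original archive: signature OK"
    fi
    printf 'x' >> "$tgz"
    if verify_tarball "$tgz"; then
        echo "tampered archive: unexpectedly verified"
    else
        echo "tampered archive: verification failed (as expected)"
    fi
    rm -rf "$WORK"
}

demo
```

The GnuPG counterpart of the two commands is `gpg --detach-sign release.tar.gz` (writing `release.tar.gz.sig`) and `gpg --verify release.tar.gz.sig release.tar.gz`; the layout is the same, a separate signature file covering every byte of the compressed archive, so the `.sig` must be regenerated whenever the tarball is rebuilt, even if its contents are unchanged, because gzip headers carry a timestamp.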