mirror of
https://github.com/tahoe-lafs/tahoe-lafs.git
synced 2025-02-15 23:42:08 +00:00
25 lines
914 B
Plaintext
This is a simple demonstration of adding an import hook that verifies
a digital signature on a Python code object before allowing it to be
imported. There are three files:

* sign.py, which signs all the *.pyc files in the directories
listed on the command line. The contents of the .pyc file are stored
along with the signature in a file whose name ends with .pys.

* secimp.py, which implements a secimport() function that
uses *.pys files.

* testkey.py, which is the key used to sign and verify *.pys files.

To try it out:

1. Run "sign.py ." to compile and sign all the *.py files in
the current directory.

2. Run secimp.py from the command line; it will try to
securely import testkey.pys, which should succeed.

3. Fire up your favorite editor, and change a single byte in a
string somewhere in testkey.pys. Run secimp.py again; it should raise
an exception when the signature can't be verified.
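
The sign / import / tamper cycle from steps 1-3, as an added example that is
not the sign.py or secimp.py code from this directory. Assumptions: HMAC-SHA256
with a shared demo key stands in for the digital signature (the standard
library has no public-key signing), and the names sign_source, secimport
(reused here only as a label), flip_byte, DEMO_KEY and the tag-then-payload
layout are hypothetical.

```python
import hashlib
import hmac
import marshal
import types

TAG_LEN = hashlib.sha256().digest_size  # 32-byte tag stored ahead of the code
# Constructed demo key (assumption). HMAC-SHA256 is a stand-in for the
# digital signature; anyone holding this key can sign as well as verify.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


class SignatureError(ImportError):
    """Raised when a .pys-style blob fails verification."""


def sign_source(source, name, key=DEMO_KEY):
    """Compile source and return .pys-style bytes: tag || marshalled code."""
    payload = marshal.dumps(compile(source, name + ".py", "exec"))
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return tag + payload


def secimport(name, blob, key=DEMO_KEY):
    """Verify blob, then build a module from it; raise on any mismatch."""
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Check the tag before marshal.loads(): unmarshalling untrusted bytes
    # is unsafe, so unverified data must never reach it. A truncated blob
    # yields a short tag, which compare_digest also rejects.
    if not hmac.compare_digest(tag, expected):
        raise SignatureError(f"{name}: signature check failed")
    module = types.ModuleType(name)
    exec(marshal.loads(payload), module.__dict__)
    return module


def flip_byte(blob, needle):
    """Change one byte inside needle, as step 3 does with an editor."""
    i = blob.index(needle)
    return blob[:i] + bytes([blob[i] ^ 0x01]) + blob[i + 1:]


if __name__ == "__main__":
    pys = sign_source("GREETING = 'hello from testmod'\n", "testmod")
    print(secimport("testmod", pys).GREETING)
    try:
        secimport("testmod", flip_byte(pys, b"hello"))
    except SignatureError as exc:
        print("rejected:", exc)
```
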