Code signing python scripts.

Well, it sounds like it simply encrypts your code. When you run the program it decrypts the encrypted file and checks to see if it matches the code. Sounds relatively simple. You could use some simple encryption keys.

No. That's not it. The code isn't encrypted. A value is created from the code, and if it doesn't match your certificate, the code has been altered.

Autopython is almost right. Correct me if I'm wrong: no matter how long the code is the value is always the same length. If so this is called signing and it uses a hash function to shorten the code and then uses a public key cipher signing method to encrypt that which is the unique value. Or it may simply just hash the code but I assume not

Could any character be used in the certificate or value? Or it just numbers and letters, or just numbers.

Autopython is almost right. Correct me if I'm wrong: no matter how long the code is the value is always the same length. If so this is called signing and it uses a hash function to shorten the code and then uses a public key cipher signing method to encrypt that which is the unique value. Or it may simply just hash the code but I assume not

Basically it's just a fixed length hash of the code, and maybe a developer's private key. The most common hashing algorithms used to hash the code are MD5, SHA1, and SHA2.

The primary use is a user or utility can examine the hash value of the code, and check it against a hash value on a site. If the hash values are the same, the user can be highly certain that the code came from that source and that the code hasn't been modified.

However, there are some other features.

http://en.wikipedia.org/wiki/Code_signing

I just looked at the links at the bottom of that wiki page. They're very informative.

I know this is an old post, but we've developed a new solution. We were confronted with the same challenge -- to distribute python source code, but to prevent hackers from tampering with the code. The solution we developed was to create a custom loader for our application using signet http://jamercee.github.io/signet/.

What signet does is scans your script and it's dependencies creating sha1 hashes. It embeds these hashes into a custom loader which you deliver to your customer with your script. Your customers run the loader which re-verifies the hashes before it transfers control to your script for normal execution. If there's been tampering it emits an error message, and refuses to run the tampered code.

Signet is multiplatform and runs on windows, unix, linux, freebsd, etc... If you deploy to windows, the loader building process can even apply your company code certificate for 100% verification of your code. It also does PE verification.

The code is fully open source including the c++ source code to the default loader template. You can extend the loader to do additional verifications and even take actions if it detects code tampering (like undoing the tampering...).