
Story #6291

closed

SigningService should issue a warning if the signing script has changed on disk

Added by quba42 about 4 years ago. Updated over 3 years ago.

Status: CLOSED - WONTFIX
Priority: Normal
Assignee: -
Category: -
Sprint/Milestone: -
% Done: 0%
Groomed: No
Sprint Candidate: No

Description

Currently, signing services like AsciiArmoredDetachedSigningService which inherit from SigningService must verify that the signing script provided by the user produces valid signatures as expected by the signing service before the signing service can be saved.

However, there is no guarantee that the signing script is not changed (possibly to one that is broken) after the signing service has been saved.

The proposal is to store the hash of the signing service when saving the service and to check the actual hash of the script against this stored value whenever the sign() function is called.

After some discussion on IRC we concluded that an incorrect hash should merely produce a warning, since there may be legitimate reasons for the script to change and since this check is insufficient to guard against a malicious actor (it only guards against accidental breakage).

One possibility would be to rerun the verification if a hash value mismatch is found.
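The flow proposed above (validate the script on save, pin its hash, warn on a mismatch at sign time and rerun the validation) as an added Python illustration. This is not Pulp's SigningService code: the class and function names, the script contract (`script <file>` writes `<file>.asc`), the stand-in validation that looks for a PGP signature header instead of calling gpg, and the policy of re-pinning the hash once a changed script passes validation again are all assumptions made for the example. Both signing scripts are constructed inline so the whole thing runs offline.

```python
"""Hash-pinned signing service: validate on save, warn and re-validate on sign().

Added illustration, not Pulp code. The class/function names, the script
contract (script <file> -> writes <file>.asc) and the re-pin policy are
assumptions for this example.
"""
import hashlib
import logging
import subprocess
import sys
import tempfile
from pathlib import Path

log = logging.getLogger(__name__)

# Constructed signing script standing in for a user's gpg wrapper: it writes a
# fake detached signature next to its input so the flow can run offline.
GOOD_SCRIPT = """import sys
from pathlib import Path
src = Path(sys.argv[1])
Path(str(src) + ".asc").write_text("-----BEGIN PGP SIGNATURE-----\\nfake\\n")
"""
# A broken edit of the same script: it no longer writes the signature file.
BROKEN_SCRIPT = """import sys
print("signing", sys.argv[1])
"""


def sha256_file(path: Path) -> str:
    """Streamed SHA-256 of a file on disk; this is the value that gets pinned."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(64 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def run_script(script: Path, target: Path) -> Path:
    """Invoke the signing script as the service would; returns the expected signature path."""
    subprocess.run([sys.executable, str(script), str(target)], check=True, timeout=30)
    return Path(str(target) + ".asc")


def validate_script(script: Path) -> bool:
    """Stand-in for the save-time verification: sign a scratch file and check
    that a plausible detached signature appeared (a real service would verify it)."""
    with tempfile.TemporaryDirectory() as d:
        sample = Path(d) / "sample.txt"
        sample.write_text("hello")
        try:
            sig = run_script(script, sample)
        except subprocess.CalledProcessError:
            return False
        return sig.exists() and sig.read_text().startswith("-----BEGIN PGP SIGNATURE-----")


class HashPinnedSigningService:
    def __init__(self, script: Path):
        self.script = Path(script)
        self.script_hash = None  # pinned by save()

    def save(self) -> None:
        """Refuse to save unless the script currently produces valid signatures."""
        if not validate_script(self.script):
            raise ValueError(f"{self.script} did not produce a valid signature")
        self.script_hash = sha256_file(self.script)

    def check_script(self) -> str:
        """Compare the on-disk hash with the pinned one. Returns 'unchanged', or
        'changed-revalidated' after logging a warning when the new script still passes."""
        current = sha256_file(self.script)
        if current == self.script_hash:
            return "unchanged"
        log.warning("signing script %s changed on disk since it was saved", self.script)
        if not validate_script(self.script):
            raise ValueError(f"{self.script} changed and no longer produces valid signatures")
        self.script_hash = current  # assumption: accept a script that re-validates
        return "changed-revalidated"

    def sign(self, target: Path) -> Path:
        self.check_script()
        return run_script(self.script, target)


def demo() -> list:
    """Walk the story's scenario: unchanged, harmless edit, broken edit."""
    outcomes = []
    with tempfile.TemporaryDirectory() as d:
        script = Path(d) / "sign.py"
        script.write_text(GOOD_SCRIPT)
        svc = HashPinnedSigningService(script)
        svc.save()
        outcomes.append(svc.check_script())
        script.write_text(GOOD_SCRIPT + "# harmless edit\n")
        outcomes.append(svc.check_script())
        script.write_text(BROKEN_SCRIPT)
        try:
            svc.check_script()
            outcomes.append("no error")
        except ValueError:
            outcomes.append("rejected")
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields `['unchanged', 'changed-revalidated', 'rejected']`: the pinned hash catches both edits, the warning fires for each, and only the edit that stops producing signatures is refused. As the story notes, the hash check is only a guard against accidental breakage; a user who can edit the script can also keep it producing valid output.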
