clearsigning perl ?

Darxus@ChaosReigns.com Darxus@ChaosReigns.com
Sat, 16 Sep 2000 22:29:22 -0400


It is good practice to provide a gpg signature for programs you've
released, right ?

I have a few small perl programs at http://www.chaosreigns.com/code/ that
are just a single .pl file... no need for a tarball.  ..and perl is
plaintext, so I figured, why not include the signature in the .pl ?

The result: http://www.chaosreigns.com/code/apache2dot/apache2dot.sig.pl


What I did was:

* replace the 1st line (#!/usr/bin/perl) with "=cut" 
* put "=head2" on the last line
* gpg --clearsign file.pl
* add the following 2 lines to the top:
  #!/usr/bin/perl
  =head1

It works.  The program functions, and the signature verifies successfully.

Is there a better way to do this ?  Should I sign all my single .pl
programs like this ?

I realize this leaves the lines at the beginning of the program, which
could be maliciously modified to do bad things, unverified.  I think
I would mention what they should look like on the last lines before the
signature, and provide a URL to my public key.

I wish there was a way to clearsign a message without the "BEGIN PGP
SIGNED MESSAGE" stuff... (verification failed when I tried removing it)
-- like, just consider everything from the first line to be part of the
signed message.


My public key is at http://www.chaosreigns.com/darxus.asc


And somebody really needs to put directions on subscribing to these
lists on http://lists.gnupg.org.

-- 
http://www.ChaosReigns.com
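
A check for the unverified-lines concern raised in the message above, as an added example that is not part of the original post: it inspects only the framing around the clearsigned block and does not verify the signature itself (that is still gpg --verify). The function name, the constructed sample and the rule that exactly the two lines from the post may sit outside the signed text are assumptions.

```python
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"
# Assumption: only the two lines the post adds on top may precede the block.
EXPECTED_PREFIX = ["#!/usr/bin/perl", "=head1"]


def audit_wrapper(text):
    """List problems with the parts of the file the signature does not cover."""
    lines = text.splitlines()
    try:
        start = lines.index(BEGIN_MSG)
        sig = lines.index(BEGIN_SIG, start)
        end = lines.index(END_SIG, sig)
        # The signed text starts after the blank line ending the armor headers.
        body_start = lines.index("", start, sig) + 1
    except ValueError:
        return ["no complete clearsigned block found"]
    findings = []
    if lines[:start] != EXPECTED_PREFIX:
        findings.append("unsigned prefix is not the expected two lines: %r"
                        % lines[:start])
    trailing = [l for l in lines[end + 1:] if l.strip()]
    if trailing:
        findings.append("unsigned content after the signature: %r" % trailing)
    body = lines[body_start:sig]
    # =cut must close the POD opened by =head1, and =head2 must reopen POD
    # so that perl skips the signature block.
    if body[:1] != ["=cut"]:
        findings.append("signed text does not begin with =cut")
    if body[-1:] != ["=head2"]:
        findings.append("signed text does not end with =head2")
    # Clearsigning prefixes lines that start with '-' with '- '; perl then
    # runs the escaped form, not the text that was signed.
    escaped = [l for l in body if l.startswith("- ")]
    if escaped:
        findings.append("dash-escaped lines that perl reads with the prefix: %r"
                        % escaped)
    return findings


# Constructed sample in the layout the post describes; the signature body is
# a placeholder, not real signature data.
SAMPLE = "\n".join([
    "#!/usr/bin/perl", "=head1", BEGIN_MSG, "Hash: SHA1", "",
    "=cut", 'print "hello\\n";', "=head2",
    BEGIN_SIG, "(constructed placeholder)", END_SIG, ""])

if __name__ == "__main__":
    print(audit_wrapper(SAMPLE) or "framing matches the expected layout")
```

An empty result means only that the unsigned framing is what was expected; the signature still has to verify against the author's key.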
