Hi Varun,

Script signing is necessary when accessing scripts from the web or
when you install scripts together with a plugin, share samples via
email, ...

So what you get is the script source file in the end, nothing more.
If you want it signed, the signature has to be part of the file.

I see no big use case in people getting scripts and signing them
themselves to keep that signature in a local storage. This might be
necessary sometimes just to make sure an online file was not changed
in the meantime. But for that a simple hash calculated locally would
be fully sufficient.

We want to host scripts at e.g. eclipse.org which get signed with an
eclipse certificate. Then users can directly execute such scripts
from the website if they trust eclipse.org developers.

From my point of view the default use case is to append the
signature to the script file.

Christian

On 08/03/2016 07:23 PM, Varun Raval wrote:
Hi Christian,

We should change that as we want to store the signature to the
file directly from the context menu. As sometimes a file might
be read-only it is a good idea to have alternative locations
to store signatures.

Do we need to append the signature directly to the file to
which it is getting applied? If so, won't the user be able to
manipulate it, even unintentionally?

What I propose is:
- We store only the signature in the 'state location' of the plugin so
that the user cannot directly access it. See [1] on Stack
Overflow regarding state location.
- We provide a context menu 'Extract Signature' which will
be active only when a signature is present.
- Later on, the user can choose to extract the signature using
the 'Extract Signature' context menu to his preferred
location.
- We can also provide the user with an option to remove the
signature using the context menu.
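
The appended-signature layout discussed in this thread, as an added example that is not code from either poster or from the project: the signature travels inside the script file as a trailing comment, and a later edit to the script body or to the trailer makes verification fail. The marker string, the class name and the throwaway RSA key are assumptions made for the illustration; the thread does not specify the project's on-disk format.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

public class AppendedSignatureDemo {
    // Hypothetical trailer marker; the real on-disk format is not given in this thread.
    static final String MARKER = "\n// -----SIGNATURE----- ";

    // Sign the script body and append the Base64 signature as a trailing comment line.
    static String sign(String body, PrivateKey key) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(body.getBytes(StandardCharsets.UTF_8));
        return body + MARKER + Base64.getEncoder().encodeToString(s.sign());
    }

    // Split the file at the last marker and check the trailer against the body before it.
    static boolean verify(String file, PublicKey key) throws GeneralSecurityException {
        int at = file.lastIndexOf(MARKER);
        if (at < 0) return false; // no trailer: treat the file as unsigned
        byte[] body = file.substring(0, at).getBytes(StandardCharsets.UTF_8);
        try {
            byte[] sig = Base64.getDecoder().decode(file.substring(at + MARKER.length()).trim());
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initVerify(key);
            s.update(body);
            return s.verify(sig);
        } catch (IllegalArgumentException | SignatureException e) {
            return false; // trailer is not valid Base64 or not a well-formed signature
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair(); // throwaway key, constructed for the demo
        String signed = sign("print('hello');\n", kp.getPrivate());
        System.out.println("untouched file:  " + verify(signed, kp.getPublic()));
        System.out.println("edited body:     " + verify(signed.replace("hello", "hullo"), kp.getPublic()));
        System.out.println("damaged trailer: " + verify(signed.substring(0, signed.length() - 4), kp.getPublic()));
        System.out.println("trailer removed: " + verify("print('hello');\n", kp.getPublic()));
    }
}
```

A file whose trailer has been stripped is indistinguishable from one that was never signed, so a caller relying on this check has to refuse unsigned scripts rather than only refusing bad signatures.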