Greetings! I just found this excellent resource (as well as a very similar site which seems to be equally informative in case any of you browse both) and I am looking forward to continued browsing and hopefully some contributing. However, I am having some difficulty myself with the idea of cryptographically signing patch files to be used in conjunction with an auto updating application. The software is for Windows only.
Currently, I just have the program download a text file that further instructs it on what to download, but this text file could be overwritten by a hacker or anyone else who might have access.
Ultimately, my goal is to be able to run some sort of cryptography program on my computer and somehow sign the text file (and probably the files to be patched too) and have my software only proceed with the patch if it can verify it was signed by my computer.
Ideally, I would be able to sign it from a Linux LiveCD (maybe in conjunction with wine if it's a typically Windows program?) so as to better secure against insecurity from my own computer. I realize this extra step complicates matters so if you don't know of a solution that can sign on Linux and yet verify that signature on Windows I'd still appreciate your suggestions very much.
Can anyone offer suggestions as to how to do this (or something similar that would accomplish the same thing)? I'm only somewhat competent with C++, so if you know of any solutions in the form of already made programs that I could just execute from the updater program, that would be preferred. Thank you very much for reading!
edit: A friend told me I should look at GPG and it does seem like that might be what I need, but I'm really confused with how I could implement what I need with them and the friend never used it in that way. If any of you are familiar with GPG could you offer some advice (even if it's simply that I am confused as to the purpose of GPG and it cannot in fact be used in the way I think it can)? Thanks again!
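
The flow described in the post (sign on a Linux machine, let the updater proceed only if the signature verifies), sketched with GnuPG as an added example that is not part of the original post. The file names `manifest.txt` and `manifest.txt.sig`, the key user id, and the choice of a `sha256sum`-format manifest are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the post). Assumed names: manifest.txt, manifest.txt.sig,
# the key user id, and a manifest in sha256sum format listing each patch file.

# Signer, once: create a signing-only key in its own GnuPG home directory.
# The empty passphrase is for this demo only; protect a real key.
make_key() {        # $1 = signer home, $2 = user id, $3 = public key output file
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" ed25519 sign never 2>/dev/null || return 1
    gpg --homedir "$1" --batch --export "$2" > "$3"   # ship this with the program
}

# Signer, per release: hash the patch files into the manifest, then make a
# detached signature over the manifest. Signing the manifest covers every file
# it lists, because each one is pinned by its SHA-256.
sign_release() {    # $1 = signer home, $2 = user id, $3 = release dir, rest = files
    local home="$1" uid="$2" dir="$3"; shift 3
    ( cd "$dir" && sha256sum -- "$@" > manifest.txt ) || return 1
    gpg --homedir "$home" --batch --yes --quiet --pinentry-mode loopback \
        --passphrase '' --local-user "$uid" \
        --output "$dir/manifest.txt.sig" --detach-sign "$dir/manifest.txt"
}

# Updater: trust only the bundled public key. Check the signature first and
# use the manifest only if it verifies; then check every listed file.
verify_update() {   # $1 = public key file (path containing a slash), $2 = download dir
    gpgv --keyring "$1" "$2/manifest.txt.sig" "$2/manifest.txt" 2>/dev/null || return 1
    ( cd "$2" && sha256sum -c manifest.txt >/dev/null 2>&1 )
}

if [ "${1:-}" = demo ]; then   # run as: bash sign-update.sh demo
    work=$(mktemp -d) && mkdir -m 700 "$work/signer" "$work/release"
    printf 'constructed patch payload\n' > "$work/release/patch-1.bin"
    make_key "$work/signer" "Updater Demo Key" "$work/trusted.gpg"
    sign_release "$work/signer" "Updater Demo Key" "$work/release" patch-1.bin
    verify_update "$work/trusted.gpg" "$work/release" && echo "untouched: accepted"
    printf 'x' >> "$work/release/patch-1.bin"
    verify_update "$work/trusted.gpg" "$work/release" || echo "tampered: rejected"
    gpgconf --homedir "$work/signer" --kill gpg-agent; rm -rf "$work"
fi
```

Only the public key file travels with the application; the private key stays in the signer's GnuPG home directory. On Windows the updater would run the same `gpgv` check from a Windows GnuPG install and compute the SHA-256 values in its own code, for which `sha256sum` stands in here.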