I know of md5 or sha256 hashing; it won't work for my case (see the "My needs" section).
I have a tar file that resides on a server, and the file is consumed by several clients over the internet. I want to ensure that the tar file is not tampered with. The clients are programmed in Python and I have control over their source code (which means I can reprogram the clients to verify a certificate).
My needs:
- Even if someone hacked into the server, he should not be able to attack the client by altering the tar file on the server. So md5 or sha256 hashing won't work (the attacker can change it on the server).
My questions are:
- I have heard of openssl making X.509 certificates, but I believe openssl is not fit for this purpose because openssl is for providing security over the internet, not for code signing. Is my assumption correct?
- If the above assumption is correct, then what tool or technology should I use to sign a tarball?
- Is there any built-in support for this in Python? (Note: the tarball is the output of "python setup.py sdist".)
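
The reasoning in the "My needs" item, as an added example that is not part of the original post: a digest stored beside the tarball survives a server compromise, while a detached signature checked against a public key pinned in the client does not. It assumes the third-party `cryptography` package and Ed25519 as the signature scheme; the file names, key and byte strings are constructed for the demonstration.

```python
import hashlib
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey, Ed25519PublicKey)
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

TAR, SUM, SIG = "pkg.tar.gz", "pkg.tar.gz.sha256", "pkg.tar.gz.sig"  # hypothetical names

# Release machine (not the download server): the private key never leaves it.
_release_key = Ed25519PrivateKey.generate()  # constructed demo key
# These 32 raw bytes are what gets hard-coded into the client source.
PINNED_PUBKEY = _release_key.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)

def publish(tarball: bytes) -> dict:
    """Files uploaded to the server: tarball, its digest, a detached signature."""
    return {TAR: tarball,
            SUM: hashlib.sha256(tarball).hexdigest().encode(),
            SIG: _release_key.sign(tarball)}

def server_compromise(files: dict, swapped: bytes) -> dict:
    """Model of the threat in the post: every file on the server can be
    rewritten, but the release private key is not stored there, so the only
    signature available comes from a key the clients do not trust."""
    return {**files,
            TAR: swapped,
            SUM: hashlib.sha256(swapped).hexdigest().encode(),
            SIG: Ed25519PrivateKey.generate().sign(swapped)}

def hash_check(files: dict) -> bool:
    """Client compares the tarball with the digest stored next to it."""
    return hashlib.sha256(files[TAR]).hexdigest().encode() == files[SUM]

def signature_check(files: dict, pinned: bytes = PINNED_PUBKEY) -> bool:
    """Client verifies the detached signature against the key pinned in its code."""
    try:
        Ed25519PublicKey.from_public_bytes(pinned).verify(files[SIG], files[TAR])
        return True
    except InvalidSignature:
        return False

if __name__ == "__main__":
    good = publish(b"constructed sdist bytes")
    bad = server_compromise(good, b"constructed replacement bytes")
    for label, files in (("original", good), ("tampered", bad)):
        print(label, "hash:", hash_check(files), "signature:", signature_check(files))
```

A client would call `signature_check` on the downloaded bytes before unpacking or installing the tarball.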