Hi,
for some legal requirements in some countries we have to make sure, that OpenEdge RCode ist not altered in any way by a customer and only "secure/signed" code is executed within our application.
I had a look at RCode MD5 value, but this does not do, what we need. (we can alter string in RCode file via some editor and code can be executed and MD5 value does not change!).
So my questions:
Does anyone have created some "signed code" "secure code" framework with OpenEdge?
Does anyone have some guidelines/ideas what route to go?
I would also like to hear more on this from Progress, as this is (becoming) a requirement more and more...
When you compile you need to specify GENERATE-MD5.
E.g.:
compile myfile.p SAVE GENERATE-MD5.
We're using MD5 to track which programs were changed between 2 releases. It's much better compared to the CRC.
Thanks, for the answer.
I know how to create MD5 value for RCode. But regrattably this does not solve the problem. When you change RCode with some hex-editor, the MD5 value does not change and there is no functionality to use on the client side to calculate MD5 for existing rcode and compare it to MD5 value acutally stored in rcode file.
(Besides: MD5 is considered to be not sure any more)
RCODE-INFO:MD5-VALUE is /not/ MD5 value of rcode. It's MD5 value of a source code that was used at compile time.
You can use MD5-DIGEST() function to calculate MD5 value for rcode as a file.
made a *lot* simpler if you shove the .r code into a pl - then md5 / digest that file ;)
md5=($(md5sum file.pl))
with the added advantage that if you name the .pl as `YYYY-MM-DD-release.pl` you can swap out any "bad" pl and start using the older pl immediately. practically no down time ..
While people can create very creative *solutions* for this problem, I really think it's up to Progress to quickly provide something robust to handle this...
@Peter, I don't think calculating a hash like that at every application startup (with sometimes lots of files/large files) is the way to go...
Also, how do you make sure that the .r file that does the verification isn't tampered with? I would expect one can either change no .r files or all of them, only some sounds unlikely.