7.2 Demo 2: secimp and sign

secimp demonstrates an application of the Toolkit that may be useful if Python is being used as an extension language for mail and Web clients: secure importing of Python modules. To use it, run sign.py in a directory with several compiled Python files present. It will use the key in testkey.py to generate digital signatures for the compiled Python code, and save both the signature and the code in a file ending in ".pys". Then run python -i secimp.py, and import a file by using secimport.

For example, if foo.pys was constructed, do secimport('foo'). The import should succeed. Now fire up Emacs or some other editor, and change a string in the code in foo.pys; you might try changing a letter in the name of a variable. When you run secimport('foo'), it should raise an exception reporting the failed signature. If you execute the statement __import__ = secimport, the secure import will be used by default for all future module imports. Alternatively, if you were creating a restricted execution environment using rexec.py, you could place secimport() in the restricted environment's namespace as the default import function.