secimp demonstrates an application of the Toolkit that may be
useful if Python is being used as an extension language for mail and Web
clients: secure importing of Python modules. To use it, run
sign.py in a directory with several compiled Python files
present. It will use the key in testkey.py to generate digital
signatures for the compiled Python code, and save both the signature and
the code in a file ending in ".pys". Then run python -i secimp.py, and
import a file by using secimport. For example, if foo.pys was
constructed, do secimport('foo'). The import should succeed. Now fire
up Emacs or some other editor, and change a string in the code in
foo.pys; you might try changing a letter in the name of a variable.
When you run secimport('foo'), it should raise an exception reporting
the failed signature. If you execute the statement
__import__ = secimport, the secure import will be used by default for
all future module imports. Alternatively, if you were creating a
restricted execution environment using rexec.py, you could place
secimport() in the restricted environment's namespace as the default
import function.
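
The sign-then-verify import described above, as an added example that is
not the Toolkit's own sign.py or secimp.py. Assumptions: HMAC-SHA256 from
the standard library stands in for the public-key signature made with
testkey.py, the ".pys" layout (tag followed by marshalled code) and the
binding of the module name into the tag are choices made here, and the
signed data is kept in memory rather than written to a file.

```python
import hashlib
import hmac
import marshal
import types

SIG_LEN = hashlib.sha256().digest_size  # 32-byte tag stored in front of the code


class SignatureError(ImportError):
    """Raised when the signed module fails verification."""


def _tag(name, blob, key):
    # The module name is covered too, so foo.pys cannot be served as bar.pys.
    return hmac.new(key, name.encode() + b"\0" + blob, hashlib.sha256).digest()


def sign_module(source, name, key):
    """Compile source and return tag || marshalled code (assumed .pys layout)."""
    blob = marshal.dumps(compile(source, name + ".py", "exec"))
    return _tag(name, blob, key) + blob


def secimport(name, signed, key):
    """Verify the tag first; only then unmarshal and execute the code."""
    tag, blob = signed[:SIG_LEN], signed[SIG_LEN:]
    if not hmac.compare_digest(tag, _tag(name, blob, key)):
        raise SignatureError("signature check failed for %r" % name)
    module = types.ModuleType(name)
    exec(marshal.loads(blob), module.__dict__)
    return module


def demo():
    key = b"constructed-demo-key"  # constructed; stands in for testkey.py
    signed = sign_module("greeting = 'hello'\n", "foo", key)
    value = secimport("foo", signed, key).greeting
    # Same edit as in the text: change a string inside the signed file.
    tampered = signed.replace(b"hello", b"jello")
    try:
        secimport("foo", tampered, key)
        rejected = False
    except SignatureError:
        rejected = True
    return value, rejected


if __name__ == "__main__":
    print(demo())
```

The tag is checked before marshal.loads is called, so bytes that fail
verification never reach the unmarshaller or exec.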