> But the moment the user modifies something in the image and saves it,
> you've invalidated the signature. So signing and verifying the whole
> image probably won't work.
What do you think of launching images from a trusted
image via OSProcess?
Immediately after saving an image, a hash for its
.image file contents is computed. This hash is stored
in a secure place (i.e., your keyring or sealed in a
Capability). Later, to launch that saved image, you
use a "SecureLauncher" class from your trusted image.
SecureLauncher computes the hash of the .image you
want to launch and looks for that specific hash on
your keyring. If it's not there, a Warning or Error is