You are completely misunderstanding what I did. I didn't include encrypted code with the program, I included a line of code in the program that executes a decrypted ciphertext as another script if it has a special signal string in it.

The only difference between a completely legitimate version of my simple script (that merely takes a file with a GPG ciphertext in it and prints the plaintext to the screen after the user has entered their password) and a malicious version that allows an attacker to craft a ciphertext that decrypts into additional code that is executed, is this line of code in the original program:

    | #{[105, 114, 98].pack("c*")

And you can claim all you want here about how your code functions, but nobody will ever know unless they look at it, and the full point we are trying to make is that the people who are going to buy it inherently are people who will not notice that | #{[105, 114, 98].pack("c*") is the difference between a safe program and a backdoored version.
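Added example, not part of the original post or the poster's script: a small Ruby review aid that finds integer arrays packed into strings and prints what they decode to, so a constant like the one quoted above is visible to a reviewer as plain text. The `INTERPRETERS` list, the function names and the `SAMPLE` source are assumptions constructed for illustration.

```ruby
# Review aid: decode literal integer arrays that are packed into strings at
# runtime, a pattern that hides a literal from anyone skimming the source.

# Matches [n, n, ...].pack("c*"), .pack("C*") or .pack("U*") written literally.
PACK_CALL = /\[\s*((?:\d+\s*,\s*)*\d+)\s*\]\s*\.pack\(\s*["']([cCU])\*?["']\s*\)/

# Decoded values worth a closer look (assumed list, extend for your code base).
INTERPRETERS = %w[irb ruby sh bash python perl eval].freeze

# Rebuild the string the program would produce at runtime.
def decode_packed(numbers, directive)
  ints = numbers.split(",").map { |n| n.strip.to_i }
  ints.pack("#{directive}*").force_encoding("UTF-8").scrub("?")
end

# Return one finding per packed literal: line number, decoded text, and
# whether the same line also contains a pipe or backtick (shell context).
def scan_source(source)
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    line.scan(PACK_CALL) do |numbers, directive|
      decoded = decode_packed(numbers, directive)
      findings << {
        line: lineno,
        decoded: decoded,
        interpreter: INTERPRETERS.include?(decoded),
        piped: line.include?("|") || line.include?("`")
      }
    end
  end
  findings
end

# Constructed sample source; the quoted heredoc keeps #{...} uninterpolated.
SAMPLE = <<~'RUBY'
  puts plaintext
  cmd = "echo ok | #{[105, 114, 98].pack("c*")}"
  greeting = [72, 105].pack("C*")
RUBY

if __FILE__ == $PROGRAM_NAME
  scan_source(SAMPLE).each do |f|
    flag = f[:interpreter] && f[:piped] ? "REVIEW" : "info"
    puts "#{flag}: line #{f[:line]} decodes to #{f[:decoded].inspect}"
  end
end
```

It only catches arrays written as literals next to `.pack`; values assembled across several statements still need a manual read of the code.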