diff --git a/checkin_notes b/checkin_notes
index 23b60dc0f5..a1aa2fddfb 100755
--- a/checkin_notes
+++ b/checkin_notes
@@ -24707,3 +24707,13 @@ David  13 Feb 2005
         sched_config.C,h
         sched_send.C
         server_types.C,h
+
+David  13 Feb 2005
+    - Core client: require that all app_version files be signed
+    - update_versions: put signatures on all app_version files
+
+    client/
+        client_state.C
+        cs_files.C
+    py/Boinc/
+        tools.py
diff --git a/client/client_state.C b/client/client_state.C
index 8fb1deca2a..441168723e 100644
--- a/client/client_state.C
+++ b/client/client_state.C
@@ -608,11 +608,9 @@ int CLIENT_STATE::link_app_version(PROJECT* p, APP_VERSION* avp) {
             return ERR_NOT_FOUND;
         }
 
-        // any executable file associated with an app version must be signed
+        // any file associated with an app version must be signed
         //
-        if (fip->executable) {
-            fip->signature_required = true;
-        }
+        fip->signature_required = true;
         file_ref.file_info = fip;
     }
     return 0;
diff --git a/client/cs_files.C b/client/cs_files.C
index cd970fbc91..d1cf13c181 100644
--- a/client/cs_files.C
+++ b/client/cs_files.C
@@ -92,7 +92,8 @@ int FILE_INFO::verify_downloaded_file() {
     get_pathname(this, pathname);
     if (signature_required) {
         if (!file_signature) {
-            msg_printf(project, MSG_ERROR, "file %s missing signature", name);
+            msg_printf(project, MSG_ERROR, "Application file %s missing signature", name);
+            msg_printf(project, MSG_ERROR, "This BOINC client cannot accept unsigned application files");
             error_msg = "missing signature";
             return ERR_NO_SIGNATURE;
         }
diff --git a/py/Boinc/tools.py b/py/Boinc/tools.py
index 99345b5205..0dc90eb395 100644
--- a/py/Boinc/tools.py
+++ b/py/Boinc/tools.py
@@ -142,7 +142,7 @@ def process_app_version(
 
     signature_files is a dictionary of exec_file -> signature file mappings.
                     process_app_version() will generate a new signature for
-                    any exec_files that don't have one given already.
+                    any files that don't have one given already.
 
                     NOTE: using the feature of generating signature files on
                     the same machine (requiring having the private key stored
@@ -170,13 +170,12 @@ def process_app_version(
         xml_doc += process_app_file(exec_file, signature_text, quiet=quiet)
 
     for non_exec_file in non_exec_files:
-        # default: use MD5 sum instead of RSA signature
         signature_file = signature_files.get(non_exec_file)
         if signature_file:
             if not quiet: print 'Using signature file', signature_file
             signature_text = open(signature_file).read()
         else:
-            signature_text = None
+            signature_text = sign_executable(non_exec_file, quiet=quiet)
         xml_doc += process_app_file(
             non_exec_file, signature_text=signature_text,
             executable=False, quiet=quiet)