diff --git a/tools/backend_lib.C b/tools/backend_lib.C
index 8570608f95..4cefe31b49 100644
--- a/tools/backend_lib.C
+++ b/tools/backend_lib.C
@@ -143,16 +143,14 @@ static int process_wu_template(
 // Create a new result for the given WU.
 //
 int create_result(
-    WORKUNIT& wu, char* result_template_filename,
+    WORKUNIT& wu, char* result_template,
     char* result_name_suffix, R_RSA_PRIVATE_KEY& key,
     char* upload_url, char* download_url
 ) {
     RESULT r;
     char base_outfile_name[256];
+    char result_template_copy[MAX_BLOB_SIZE];
     int retval;
-    FILE* result_template_file, *tempfile;
-
-    assert(result_template_filename!=NULL);
 
     memset(&r, 0, sizeof(r));
     r.report_deadline = time(0) + 1000;
@@ -164,19 +162,14 @@ int create_result(
     sprintf(r.name, "%s_%s", wu.name, result_name_suffix);
     sprintf(base_outfile_name, "%s_", r.name);
 
-    result_template_file = fopen(result_template_filename, "r");
-    tempfile = tmpfile();
+    strcpy(result_template_copy, result_template);
     retval = process_result_template(
-        result_template_file,
-        tempfile,
+        result_template,
         key,
         base_outfile_name,
         upload_url, download_url
     );
-    rewind(tempfile);
-    read_file(tempfile, r.xml_doc_in);
-    fclose(tempfile);
-    fclose(result_template_file);
+    strcpy(r.xml_doc_in, result_template_copy);
 
     retval = db_result_new(r);
     if (retval) {
@@ -188,7 +181,7 @@ int create_result(
 int create_work(
     WORKUNIT& wu,
     char* wu_template,
-    char* result_template_file,
+    char* result_template_filename,
     int nresults,
     char* infile_dir,
     char** infiles,
@@ -198,12 +191,7 @@ int create_work(
 ) {
     int i, retval;
     char suffix[256];
-    assert(wu_template!=NULL);
-    assert(result_template_file!=NULL);
-    assert(nresults>=0);
-    assert(infile_dir!=NULL);
-    assert(infiles!=NULL);
-    assert(ninfiles>=0);
+    char result_template[MAX_BLOB_SIZE];
 
     wu.create_time = time(0);
     retval = process_wu_template(
@@ -221,10 +209,15 @@ int create_work(
     }
     wu.id = db_insert_id();
 
+    retval = read_filename(result_template_filename, result_template);
+    if (retval) {
+        fprintf(stderr, "create_work: can't read result template\n");
+        return retval;
+    }
     for (i=0; i<nresults; i++) {
         sprintf(suffix, "%d", i);
         create_result(
-            wu, result_template_file, suffix, key, upload_url, download_url
+            wu, result_template, suffix, key, upload_url, download_url
         );
     }
     return 0;
diff --git a/tools/backend_lib.h b/tools/backend_lib.h
index 48cc065493..3e8cf15737 100644
--- a/tools/backend_lib.h
+++ b/tools/backend_lib.h
@@ -20,7 +20,7 @@
 #include "crypt.h"
 
 extern int process_result_template(
-    FILE* in, FILE* out,
+    char* result_template,
     R_RSA_PRIVATE_KEY& key,
     char* base_filename,
     char* upload_url, char* download_url
diff --git a/tools/process_result_template.C b/tools/process_result_template.C
index 0392c7e910..37f1ca6ddf 100644
--- a/tools/process_result_template.C
+++ b/tools/process_result_template.C
@@ -17,102 +17,128 @@
 // Contributor(s):
 //
 
-// macro-substitute a result template file:
-// - replace OUTFILE_x with base_filename_x, etc.
-// - At the end of every <file_info> element, add a signature
-//   of its contents up to that point.
-//
-// TODO - have this work in memory instead of using disk files
-
 #include <string.h>
 #include <stdlib.h>
 #include <assert.h>
 
 #include "db.h"
+#include "error_numbers.h"
 #include "parse.h"
 #include "crypt.h"
 
 #define OUTFILE_MACRO   "<OUTFILE_"
 #define UPLOAD_URL_MACRO      "<UPLOAD_URL/>"
-#define DOWNLOAD_URL_MACRO      "<DOWNLOAD_URL/>"
 
+// compute an XML signature element for some text
+//
+int generate_signature(
+    char* signed_xml, char* signature_xml, R_RSA_PRIVATE_KEY& key
+)  {
+    DATA_BLOCK block, signature;
+    unsigned char signature_buf[SIGNATURE_SIZE_BINARY];
+    char buf[MAX_BLOB_SIZE];
+    int retval;
+
+    block.data = (unsigned char*)signed_xml;
+    block.len = strlen(signed_xml);
+    signature.data = signature_buf;
+    signature.len = SIGNATURE_SIZE_BINARY;
+    retval = sign_block(block, key, signature);
+    if (retval) return retval;
+    sprint_hex_data(buf, signature);
+#if 0
+    printf("signing [\n%s]\n", signed_xml);
+    printf("signature: [\n%s]\n", buf);
+#endif
+    sprintf(signature_xml,
+        "<xml_signature>\n%s</xml_signature>\n", buf
+    );
+    return 0;
+}
+
+// At the end of every <file_info> element,
+// add a signature of its contents up to that point.
+//
+int add_signatures(char* xml, R_RSA_PRIVATE_KEY& key) {
+    char* p = xml, *q1, *q2, buf[MAX_BLOB_SIZE], buf2[MAX_BLOB_SIZE];;
+    char signature[MAX_BLOB_SIZE];
+    int retval, len;
+
+    while (1) {
+        q1 = strstr(p, "<file_info>");
+        if (!q1) break;
+        q2 = strstr(q1, "</file_info>");
+        if (!q2) {
+            fprintf(stderr, "add_signatures: malformed XML: %s\n", xml);
+            return ERR_XML_PARSE;
+        }
+        q1 += strlen("<file_info>");
+        len = q2 - q1;
+        memcpy(buf, q1, len);
+        buf[len] = 0;
+        retval = generate_signature(buf, signature, key);
+        if (retval) return retval;
+        strcpy(buf2, q2);
+        strcpy(q2, signature);
+        strcat(q2, buf2);
+        p = q2;
+    }
+    return 0;
+}
+
+// remove file upload signatures from a result XML doc
+//
+int remove_signatures(char* xml) {
+    char* p, *q;
+    while (1) {
+        p = strstr(xml, "<xml_signature>");
+        if (!p) break;
+        q = strstr(p, "</xml_signature>");
+        if (!q) {
+            fprintf(stderr, "remove_signatures: invalid XML:\n%s", xml);
+            return ERR_XML_PARSE;
+        }
+        q += strlen("</xml_signature>");
+        strcpy(p, q);
+    }
+    return 0;
+}
+
+// macro-substitute a result template:
+// - replace OUTFILE_x with base_filename_x, etc.
+// - add signatures for file uploads
+//
 int process_result_template(
-    FILE* in, FILE* out,
+    char* result_template,
     R_RSA_PRIVATE_KEY& key,
     char* base_filename,
     char* upload_url, char* download_url
 ) {
-    char* p,*q, *signed_xml=strdup("");
-    char buf[256], temp[256];
-    unsigned char signature_buf[SIGNATURE_SIZE_BINARY];
-    DATA_BLOCK block, signature;
+    char* p,*q;
+    char temp[256];
     char num;
     int i;
-    bool found;
 
-    assert(in!=NULL);
-    assert(out!=NULL);
-    assert(base_filename!=NULL);
-    while (fgets(buf, 256, in)) {
-
-        // when we reach the end of a <file_info> element,
-        // generate a signature for the contents thus far
-        //
-        if (match_tag(buf, "<file_info>")) {
-            free(signed_xml);
-            signed_xml = strdup("");
-            fputs(buf, out);
+    while (1) {
+        p = strstr(result_template, OUTFILE_MACRO);
+        if (p) {
+            i = atoi(p+strlen(OUTFILE_MACRO));
+            q = p+strlen(OUTFILE_MACRO);
+            num = q[0];
+            strcpy(temp, p+strlen(OUTFILE_MACRO)+1+2);
+            strcpy(p, base_filename);
+            strncat(p, &num, 1);
+            strcat(p, temp);
             continue;
         }
-        if (match_tag(buf, "</file_info>")) {
-            block.data = (unsigned char*)signed_xml;
-            block.len = strlen(signed_xml);
-            signature.data = signature_buf;
-            signature.len = SIGNATURE_SIZE_BINARY;
-            sign_block(block, key, signature);
-            fprintf(out, "<xml_signature>\n");
-            print_hex_data(out, signature);
-#if 0
-            printf("signing [\n%s]\n", signed_xml);
-            printf("signature: [\n");
-            print_hex_data(stdout, signature);
-            printf("]\n");
-#endif
-            fprintf(out, "</xml_signature>\n");
-            fprintf(out, "</file_info>\n");
+        p = strstr(result_template, UPLOAD_URL_MACRO);
+        if (p) {
+            strcpy(temp, p+strlen(UPLOAD_URL_MACRO));
+            strcpy(p, upload_url);
+            strcat(p, temp);
             continue;
         }
-        while (1) {
-            found = false;
-            p = strstr(buf, OUTFILE_MACRO);
-            if (p) {
-                found = true;
-                i = atoi(p+strlen(OUTFILE_MACRO));
-                q = p+strlen(OUTFILE_MACRO);
-                num = q[0];
-                strcpy(temp, p+strlen(OUTFILE_MACRO)+1+2);
-                strcpy(p, base_filename);
-                strncat(p, &num, 1);
-                strcat(p, temp);
-            }
-            p = strstr(buf, UPLOAD_URL_MACRO);
-            if (p) {
-                found = true;
-                strcpy(temp, p+strlen(UPLOAD_URL_MACRO));
-                strcpy(p, upload_url);
-                strcat(p, temp);
-            }
-            p = strstr(buf, DOWNLOAD_URL_MACRO);
-            if (p) {
-                found = true;
-                strcpy(temp, p+strlen(DOWNLOAD_URL_MACRO));
-                strcpy(p, download_url);
-                strcat(p, temp);
-            }
-            if (!found) break;
-        }
-        strcatdup(signed_xml, buf);
-        fputs(buf, out);
+        break;
     }
-    return 0;
+    return add_signatures(result_template, key);
 }