How to sign a ZIP file like I would sign an assembly?

Question

I have a ZIPfile containing signed .Net assemblies, is it possible through a tool to sign not code but a ZIPfile containing those too? I'd like to be able to work with this on the code side saying something like:

if(myzipfile.IsSignedBy(name))
{
    DezipFile();
    LoadAssemblies();
}

Answer 1

You can sign anything you like, the only issue you'd have to worry about is where you're going to store the signature to verify it.

In C# you have an RSACryptoServiceProvider which can take a keypair and a byte[] and produce an RSA signature of it. To verify it you just need the public key (not the private one), the original data and the generated signature.

With a bit of cleverness you could perhaps append the signature to the end of the ZIP file without rendering the ZIP file unreadable. You'd then read the entire zip file (minus the part at the end where you store the signature) and verify using that.

You'd have to embed the public key inside your application in order to use it for verification as well.

Since only you have both the public and private key used to make the signature, then you can be sure that if the signature is correct that the zip file came from you.

Answer 2

Another standardized way to sign an arbitrary number of file of any format is to use a seperate Catalog file (.cat). This is commonly used to sign drivers but also used in some Microsoft published ISOs.

What You Get

How to Create

For this you need Powershell, and a file (or a directory of files) to sign.

Supposed that the file you want to sign is called AZipFile.zip. Run the following

New-FileCatalog -Path AZipFile.zip -CatalogFilePath myCatalog.cat -CatalogVersion 2.0

This will create a catelog file but without a signature. Image

Run the following to add a signature. A timestamping server is required so that the signature is still valid after the signing certificate expires. Replace Cert:\CurrentUser\My\18daf8ffb3dc9d84903a9eb65fb8a1970ceb7139 with the path to your certificate

Set-AuthenticodeSignature -FilePath myCatalog.cat -Certificate (Get-Item Cert:\CurrentUser\My\18daf8ffb3dc9d84903a9eb65fb8a1970ceb7139) -TimestampServer http://timestamp.comodoca.com

Now the catalog file shows a valid signature. Image

How to Verify

By double clicking on the catalog file on windows, you are able to see if the signature is valid, and a list of files and their hashes. However, the GUI does not help you verify the files. For this you need another powershell command.

Test-FileCatalog -CatalogFilePath myCatalog.cat -Path AZipFile.zip

If the signature to all files under the catalog is valid, it returns Valid.

Answer 3

IF you don't have to use ZIP for compression, another format might be a better alternative. This stackoverflow thread mentions that JAR files support signing.

Answer 4

Seems like ZIPs themselves do not have widely-used standards for signatures, but there're several ZIP-based formats which define digital signatures. The most .NET-related of them must be Open Packaging Conventions (the container format for Word/Excel documents or Visual Studio extensions), digital signatures described here: https://msdn.microsoft.com/en-us/library/windows/desktop/dd742818(v=vs.85).aspx#digital_signatures