
I played with openssl to make a public/private key pair, create a signature of a file and validate it. I toyed with Cryptophane (a Windows GnuPG frontend), heard about keyservers and played with signing text.

I have, however, never signed a file archive. If I want to publish an archive (7z, rar or zip, it doesn't matter) and I'd like my users or software to be able to check that THAT archive has been signed, how would I do that? The public key obviously would need to be available publicly. But adding the signature to the archive is what bothers me. Does any software + archive format allow me to sign and verify a compressed archive file?

5 Answers

10

A common method is to create a detached signature in a .sig file (usually a PGP signature by using gpg -b – X.509 is very uncommon), and provide both files in the same location. For example:

ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.0.19.tar.bz2
ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.0.19.tar.bz2.sig

This can be used with any kind of file, but the user will have to verify the signature manually using gpg --verify.


Unfortunately, out of those currently in use, no archive format (that I know of) has support for built-in signatures using PGP or X.509. (This is excluding CAB, which is used by Windows internally but practically nowhere else, and is rather complicated to sign). WinRAR 4 was able to add an "authenticity verification" record using a proprietary format, but it uses your WinRAR license as the signing key, which has been cracked repeatedly. (Update: This feature was removed from WinRAR 5 due to insecurity.)


On Windows (and soon Mac OS X), it is possible to create a "self-extracting archive", a digitally signed executable that extracts an archive from within itself; this is how software installers on Windows work, for example. However, SFXs are limited to a single operating system, so they are only suitable for distributing programs, not documents or pictures. (Java programs can be signed and are cross-platform, but few systems still have a Java runtime.)

grawity
  • 501,077
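The detached-signature workflow described in this answer, as an added example that is not part of the original post. It uses openssl (RSA-2048 over a SHA-256 digest) rather than gpg so that it runs without a keyring, and it signs a constructed stand-in file instead of a real archive, since the signature does not care about the archive format. With GnuPG the two steps it mirrors are `gpg -b archive` (producing `archive.sig`) and `gpg --verify archive.sig archive`. The function names and file names (make_keys, signing.key.pem, release.zip) are my own.

```shell
#!/bin/sh
# Added example, not from the original answers: publish an archive with a
# detached signature next to it, and verify it on the receiving side.
set -eu

# Publisher: create a keypair once. Only signing.pub.pem is published
# alongside the archives; signing.key.pem stays with the publisher.
make_keys() {
    dir=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/signing.key.pem" 2>/dev/null
    openssl pkey -in "$dir/signing.key.pem" -pubout -out "$dir/signing.pub.pem"
}

# Publisher: write <archive>.sig beside the archive. The archive itself is
# untouched, which is why this works for zip, 7z, rar or tar alike.
sign_archive() {
    key=$1; archive=$2
    openssl dgst -sha256 -sign "$key" -out "$archive.sig" "$archive"
}

# User: check that <archive> matches <archive>.sig under the published key.
# Exit status 0 means a good signature, non-zero means reject the download.
verify_archive() {
    pub=$1; archive=$2
    openssl dgst -sha256 -verify "$pub" -signature "$archive.sig" "$archive" \
        >/dev/null 2>&1
}

# End-to-end run in a scratch directory. Returns 0 only if the untouched
# archive verifies AND a tampered copy is rejected.
demo() {
    work=$(mktemp -d)
    make_keys "$work"

    # Constructed sample: a few bytes standing in for the real archive.
    printf 'PK\003\004 constructed stand-in for release.zip\n' > "$work/release.zip"
    sign_archive "$work/signing.key.pem" "$work/release.zip"

    ok=1
    verify_archive "$work/signing.pub.pem" "$work/release.zip" || ok=0

    # Tamper with the archive after signing: appending one byte changes the
    # digest, so the same .sig must no longer verify.
    printf 'x' >> "$work/release.zip"
    if verify_archive "$work/signing.pub.pem" "$work/release.zip"; then
        ok=0
    fi

    rm -rf "$work"
    [ "$ok" -eq 1 ]
}

demo && echo "good archive verified, tampered copy rejected"
```

The user-side check is the only part your users run: they need the archive, the `.sig` file and the public key, and they must obtain the public key through a channel they trust (a key they fetched from the same possibly compromised download directory proves nothing). Note also that the signature covers the archive bytes exactly, so re-compressing or re-packing the archive invalidates it.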
2

Jar archives, built with Java's jar tool, are effectively zip archives, and there is a tool, jarsigner, to sign them.

Here are some useful links:

It looks a bit complicated at first ("What, I need keytool too? What else?"), but it is easy to follow the steps and solve it in a simple fashion. It works. Then you can dig deeper into the matter.

user unknown
  • 1,872
1

You can simply tell WinRAR to make an SFX (self-extracting) archive. As you might guess, that file is an executable and can be signed with whatever tool you use to sign other executables. This avoids detached signatures because .exe files natively support integrated signatures.

0

Sure, every time you install signed software, you're verifying a signed archive. To create one, you should use the same packaging tools developers use. There are some tradeoffs: ease of use against cross-platform compatibility. I can't think of a way of making a cross-platform signed self-extracting archive.

For Windows, create a self-extracting archive with the iexpress tool, then sign it using signtool.exe, as described here. When your users double-click the file, they'll see the familiar Windows confirmation dialog identifying you as the publisher of the archive.

bbsimonbb
  • 111
-1

You can sign files using jarsigner with these two commands:

keytool -genkeypair -alias <key-alias> -keyalg RSA -keystore <keystore> -validity 180

jarsigner -verbose -sigalg SHA256withRSA -digestalg SHA-256 -keystore <keystore> <file-to-sign> <key-alias>

You need to install the Java JDK on your PC.

- The first command creates the keystore in the current directory (assuming it doesn't already exist). It generates a public/private key pair using the algorithm SHA-256.

- The second one signs the file using the same algorithm, the keystore and the alias generated by the first one.

To verify a file signed using a key store, you can run this command:

jarsigner -keystore <keystore> -verify -verbose -certs <file-signed>
afonte
  • 101