Is it possible to sign archives?

I played with openssl to make a pub/priv key pair, create a signature of a file and validate it. I toyed with Cryptophane (a Windows GnuPG frontend), heard about keyservers and played with signing text.

I have, however, never signed a file archive. If I want to publish an archive (7z, rar or zip, it doesn't matter) and I'd like my users or software to be able to check that THAT archive has been signed, how would I do that? The public key obviously would need to be available publicly. But adding the signature to the archive is what bothers me. Does any software or archive format allow me to sign and verify a compressed archive file?


Solution 1:

A common method is to create a detached signature in a .sig file (usually a PGP signature made with gpg -b; X.509 is very uncommon), and provide both files in the same location. For example:

ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.0.19.tar.bz2
ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.0.19.tar.bz2.sig

This can be used with any kind of file, but the user will have to verify the signature manually using gpg --verify.


Unfortunately, out of those currently in use, no archive format (that I know of) has support for built-in signatures using PGP or X.509. (This is excluding CAB, which is used by Windows internally but practically nowhere else, and is rather complicated to sign). WinRAR 4 was able to add an "authenticity verification" record using a proprietary format, but it uses your WinRAR license as the signing key, which has been cracked repeatedly. (Update: This feature was removed from WinRAR 5 due to insecurity.)


On Windows (and soon Mac OS X), it is possible to create a "self-extracting archive" – a digitally-signed executable that extracts an archive from within itself – this is how software installers on Windows work, for example. However, SFXs are limited to a single operating system, so they are only suitable for distributing programs, not documents or pictures. (Java programs can be signed and are cross-platform, but few systems still have a Java runtime.)
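The detached-signature layout from Solution 1, as an added example that is not part of either answer: it uses openssl (the tool the question mentions) in place of gpg -b so it runs without a keyring, and the archive, key file names and the tampering step are constructed for the demo.

```shell
#!/bin/sh
# Added demo of the "archive + archive.sig" pattern using openssl instead of gpg.
# File names, the sample archive and the tampering step are all constructed here.
set -eu

# Publisher side: generate a signing key pair once. The private key stays with
# the publisher; the public key is published next to the archives.
make_keys() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
  openssl pkey -in "$1" -pubout -out "$2" 2>/dev/null
}

# Publisher side: write ARCHIVE.sig beside ARCHIVE (SHA-256 digest, RSA signature).
sign_archive() {
  openssl dgst -sha256 -sign "$1" -out "$2.sig" "$2"
}

# User side: check ARCHIVE against ARCHIVE.sig with the public key.
# Returns 0 when the signature matches the file's current bytes, non-zero otherwise.
verify_archive() {
  openssl dgst -sha256 -verify "$1" -signature "$2.sig" "$2" >/dev/null 2>&1
}

demo() {
  dir=$(mktemp -d)
  printf 'hello\n' > "$dir/payload.txt"
  # Any archive format works for a detached signature; tar is used because it is everywhere.
  tar -cf "$dir/release.tar" -C "$dir" payload.txt
  make_keys "$dir/signing.key" "$dir/signing.pub"
  sign_archive "$dir/signing.key" "$dir/release.tar"
  verify_archive "$dir/signing.pub" "$dir/release.tar" && echo "untouched archive: OK"
  # Overwrite one byte of the archive and confirm the same .sig is now rejected.
  printf 'X' | dd of="$dir/release.tar" bs=1 seek=0 conv=notrunc 2>/dev/null
  if ! verify_archive "$dir/signing.pub" "$dir/release.tar"; then
    echo "tampered archive: signature rejected"
  fi
  rm -rf "$dir"
}

demo
```

The .sig only vouches for the archive bytes; the user still has to obtain the public key through a channel they trust (a keyserver lookup alone does not establish that).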

Solution 2:

JAR archives, built with Java's jar tool, are effectively zip archives, and there is a tool, jarsigner, to sign them.

Here are some useful links:

  • Oracle's official page for jarsigner
  • "How to Verify a signed archive?" question on SO
  • A wiki on signing jar files

It looks a bit complicated at first ("What, I need keytool too? What else?"), but it is easy to follow the steps and solve it in a simple fashion. It works. Then you can dig deeper into the matter.