16

I played with openssl to make a public/private key pair, create a signature of a file and validate it. I toyed with Cryptophane (a Windows GnuPG frontend), heard about keyservers and played with signing text.

I have however never signed a file archive. If I want to publish an archive (7z, rar or zip, it doesn't matter) and I'd like my users or software to be able to check that THAT archive has been signed, how would I do that? The public key obviously would need to be available publicly. But adding the signature to the archive is what bothers me. Does any software + archive format allow me to sign and verify a compressed archive file?

  • Why do you want to sign it? You could just create a SHA1 hash and make the hash available for your clients/users to check. This is sufficient to confirm that the file has not been tampered with. Although your users do need to have the ability to verify the hash, that is no harder than verifying a signature. – BJ292 May 19 '12 at 10:10
  • @BJ292: And how do you verify that the *hash* hasn't been tampered with? – u1686_grawity May 19 '12 at 13:30
  • @grawity - Not sure I follow - what's the point of tampering with the hash? I send you a file and the hash - you recreate the hash from the file and confirm it matches - this confirms the file has not been changed. In most circumstances this is all most people want - confirmation the file got from A to B unchanged. Certainly sounds like this is what the OP is after. – BJ292 May 19 '12 at 15:28
  • @BJ292: You're assuming the OP is only concerned with accidental data corruption. This hasn't been stated (or denied) in the question, but the OP is asking about digital signatures, so I'm going to assume there's a need to protect against *intentional* (possibly malicious) data modifications. – u1686_grawity May 19 '12 at 17:14
  • @grawity - ok, that's a fair point. – BJ292 May 19 '12 at 18:02
  • @grawity: Well if it's signed then any tampering will be rejected. Also most (zip, rar, 7z do) cover corruption with a checksum –  May 20 '12 at 00:55
  • @BJ292: The files will be mirrored on other people's sites. I'd like to sign them so none of the mirrors may tamper –  May 20 '12 at 00:57
  • @acidzombie24 - For what you are suggesting most sites just rely on a file hash. Look at most Linux distros for instance - they provide an MD5 or SHA1 hash. If you put the hash on your website for instance and the mirror provides the file + hash, users can then hash the file themselves and check they all match. A malicious user would then need to hack your website and the mirror to make changes to the file. – BJ292 May 20 '12 at 11:54

5 Answers

10

A common method is to create a detached signature in a .sig file (usually a PGP signature by using gpg -b – X.509 is very uncommon), and provide both files in the same location. For example:

ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.0.19.tar.bz2
ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.0.19.tar.bz2.sig

This can be used with any kind of file, but the user will have to verify the signature manually using gpg --verify.


Unfortunately, out of those currently in use, no archive format (that I know of) has support for built-in signatures using PGP or X.509. (This is excluding CAB, which is used by Windows internally but practically nowhere else, and is rather complicated to sign). WinRAR 4 was able to add an "authenticity verification" record using a proprietary format, but it uses your WinRAR license as the signing key, which has been cracked repeatedly. (Update: This feature was removed from WinRAR 5 due to insecurity.)


On Windows (and soon Mac OS X), it is possible to create a "self-extracting archive" – a digitally-signed executable that extracts an archive from within itself – this is how software installers on Windows work, for example. However, SFXs are limited to a single operating system, so they are only suitable for distributing programs, not documents or pictures. (Java programs can be signed and are cross-platform, but few systems still have a Java runtime.)

u1686_grawity
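The workflow this answer describes, as an added example that is not code from the original answer or from the GnuPG project: a publisher writes a detached signature next to the archive, and a user whose copy came from some mirror verifies it. It uses openssl, which the asker already has, in place of the gpg -b / gpg --verify commands the answer names (those are shown in comments at each step). The file names, the 2048-bit RSA key size and the archive contents are constructed for the example.

```sh
#!/bin/sh
# Added example, not code from the original answer or from GnuPG: the
# "detached signature next to the archive" workflow. openssl stands in for
# the gpg commands named in the answer; the gpg equivalents are in comments.
# File names, key size and archive contents are constructed for the example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# ---- Publisher side ------------------------------------------------------

# One-time key pair. Only signing.pub is published; signing.key stays private.
# (gpg: gpg --gen-key, then gpg --export --armor KEYID > pubkey.asc)
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/signing.key" 2>/dev/null
openssl pkey -in "$WORK/signing.key" -pubout -out "$WORK/signing.pub"

# Constructed sample archive. The format does not matter: the signature is
# over the archive's bytes, so tar/zip/7z/rar are all handled the same way.
printf 'hello from the release\n' > "$WORK/readme.txt"
tar -cf "$WORK/release.tar" -C "$WORK" readme.txt

# Detached signature: written to <archive>.sig, the archive itself untouched.
# (gpg: gpg -b release.tar   -> release.tar.sig)
sign_archive() {            # $1 = archive, $2 = private key
    openssl dgst -sha256 -sign "$2" -out "$1.sig" "$1"
}

# ---- User side (files may have come from any mirror) ---------------------

# Exit status 0 only if <archive>.sig is a valid signature over <archive>
# made with the key whose public half is $2.
# (gpg: gpg --verify release.tar.sig release.tar)
verify_archive() {          # $1 = archive, $2 = public key
    openssl dgst -sha256 -verify "$2" -signature "$1.sig" "$1" >/dev/null 2>&1
}

sign_archive "$WORK/release.tar" "$WORK/signing.key"

# 1. The genuine archive and its .sig verify.
if verify_archive "$WORK/release.tar" "$WORK/signing.pub"; then
    GENUINE=ok; else GENUINE=fail; fi

# 2. A mirror alters the archive (here: appends a few bytes) but keeps the
#    original .sig: verification fails.
cp "$WORK/release.tar" "$WORK/tampered.tar"
cp "$WORK/release.tar.sig" "$WORK/tampered.tar.sig"
printf 'injected\n' >> "$WORK/tampered.tar"
if verify_archive "$WORK/tampered.tar" "$WORK/signing.pub"; then
    TAMPERED=accepted; else TAMPERED=rejected; fi

# 3. A mirror re-signs the altered archive with its own key: still rejected,
#    because the user checks against the publisher's public key, not the
#    mirror's.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/mirror.key" 2>/dev/null
sign_archive "$WORK/tampered.tar" "$WORK/mirror.key"
if verify_archive "$WORK/tampered.tar" "$WORK/signing.pub"; then
    RESIGNED=accepted; else RESIGNED=rejected; fi

# prints: genuine=ok tampered=rejected resigned_by_mirror=rejected
echo "genuine=$GENUINE tampered=$TAMPERED resigned_by_mirror=$RESIGNED"
```

The verify step only tells you that the .sig matches the archive under the public key you handed it, so the public key must reach the user over a channel the mirrors do not control (the publisher's own site, or a key fingerprint the publisher has published, or a key already on the user's keyring). The same applies to gpg --verify: "Good signature" from some key is not enough, the fingerprint has to be the publisher's. This is the gap a bare hash file leaves open in the comment thread above: a mirror that can change the archive can also change a hash stored next to it, but cannot produce a signature that the publisher's key verifies without the private key.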
2

JAR archives, built with Java's jar tool, are effectively ZIP archives, and there is a tool, jarsigner, to sign them.

Here are some useful links:

It looks a bit complicated at first ("What, I need keytool too? What else?") but it is easy to follow the steps to do it in a simple fashion. It works. Then you can dig deeper into the matter.

user unknown
  • This is true (XPI archives also are ZIPs signed in a very similar fashion), but AFAIK, only the Java Runtime actually *verifies* JAR signatures, and needing to do manual verification makes it even less practical than GnuPG. – u1686_grawity Jun 15 '12 at 12:14
  • What do you mean with `manual verification`? What is the alternative? An autopopup, which verifies itself every 10 minutes? Shall the OS automatically verify the archive on boot up? When an archive is received - be it from CD, email-attachment, download, ...? Should it be a plugin in your virus scanner? – user unknown Jun 15 '12 at 13:42
  • I meant verification performed by the archive extraction tool before/during extraction, or by the OS/runtime during program execution. For example, `.deb` package signatures are verified by `dpkg` before the package is installed, *without* the user taking any additional action. – u1686_grawity Jun 16 '12 at 19:03
  • @grawity: Signed applets, zipped in a jar, ARE verified before execution. To generate a minimal shell script, which combines verification (jarsigner) with extraction (jar) will be trivial. – user unknown Jun 18 '12 at 00:29
  • third link "wiki on signing jar files" is broken – Jason S Mar 27 '18 at 21:37
  • @Jason: Yes, it's about 6 years old. Feel free to suggest a valid source or maybe you're lucky with the wayback machine - did you try? – user unknown Mar 28 '18 at 15:23
1

You can simply tell winrar to make an SFX (self extracting) archive. As you might guess that file is executable and can be signed with whatever tool you use to sign other executables. This avoids detached signatures because .exe files natively support integrated signatures.

Enforcer
0

Sure, every time you install signed software, you're verifying a signed archive. To create one, you should use the same packaging tools developers use. There are some tradeoffs, ease of use against cross-platform compatibility. I can't think of a way of making a cross-platform signed self-extracting archive.

For Windows, create a self-extracting archive with the iexpress tool, then sign it using signtool.exe, as described here. When your users double-click on the file, they'll have the familiar Windows confirmation dialog identifying you as the publisher of the archive.

bbsimonbb
-1

You can sign files using jarsigner with these two commands:

keytool -genkeypair -alias <key-alias> -keyalg RSA -keystore <keystore> -validity 180

jarsigner -verbose -sigalg SHA256withRSA -digestalg SHA-256 -keystore <keystore> <file-to-sign> <key-alias>

You need to install the Java JDK on your PC.

- The first command creates the keystore in the current directory (assuming it doesn't already exist). It generates a public/private key pair using the algorithm SHA-256.

- The second one signs the file using the same algorithm, the keystore and the alias generated by the first one.

To verify a file signed using a key store, you can run this command:

jarsigner -keystore <keystore> -verify -verbose -certs <file-signed>

afonte