What's the best way to digitally sign a file server side with .NET before offering it for download via an ASP.NET-based web site?

In addition, how do I trigger checking of the signature, and hence prove the file has not been tampered with during the download process, in a web browser?

A: 

Without a client-side plugin or download manager there's not much you can do. The best way to secure it would be to use HTTPS, but if that is not an option then the usual way to ensure integrity is to provide an MD5 hash of the file on the site that the end user can validate against. If you're doing it as a file download, then you can't really automate that validation on the client side without a plugin, as Javascript and such is not going to be able to access the file to validate it.

Gerald
HTTPS won't work if you want the ZIP file to "standalone" and have its sig verified at any time in the future. Don't use MD5, it's now known to be weak; minimally use SHA1, or stronger (SHA256 etc).
Michael Howard-MSFT
A: 

You need to define what risks you want to defend yourself and the user from. While PKWare's AppNote for the ZIP format defines digital signing as part of the format, I doubt that there exist a lot of unzippers that properly support validation of digital signatures in ZIP files.

If you worry that the file contents can be modified in the middle, you have the following options:

1) HTTPS, as mentioned above.

2) A PGP-signed package. You can either create a detached signature for the existing ZIP archive that you distribute and put the signature near the download link, or, if you are targeting Windows, create a self-extracting PGP archive. The PGP format includes compression as well.

In both cases you will need to put your public PGP key on your site. But note that people who change the file would be able to change the public key as well, if you distribute it this way.

Eugene Mayevski 'EldoS Corp
A: 

A signature does not need to be included with the ZIP file, it can be a "detached" signature. So you could have the zip and allow someone to verify the sig, which is usually just a series of hex or base64 characters, out of band with an app you write.

At a high-level, the signing steps are:

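// Needs System.IO, System.Security.Cryptography, System.Security.Cryptography.X509Certificates
// certificate: an X509Certificate2 with an RSA private key; zipPath: placeholder path to the ZIP
RSACryptoServiceProvider privateKey = (RSACryptoServiceProvider)certificate.PrivateKey;
byte[] buffer = File.ReadAllBytes(zipPath); // raw file bytes; a text encoding would corrupt binary data
byte[] signature = privateKey.SignData(buffer, new SHA1Managed());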

and verification:

// buffer: the bytes of the ZIP being checked; signature: the detached signature published with it
RSACryptoServiceProvider publicKey = certificate.PublicKey.Key as RSACryptoServiceProvider;
bool verify = publicKey.VerifyData(buffer, new SHA1Managed(), signature);
Michael Howard-MSFT
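
The detached-signature flow from the answer above, written out end to end as an added example (not code from the answer or from any of the posters). It uses SHA-256, which the earlier comment names as a stronger choice, streams the file instead of buffering it, and shows verification failing once the file changes. Assumptions: .NET Framework 4.6 or later; the class and method names are hypothetical; a freshly generated RSA key stands in for the certificate's key pair, and a few constructed bytes stand in for the ZIP.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

static class DetachedSignatureDemo   // hypothetical name, not from the page
{
    // Sign the file's raw bytes (streamed, never text-decoded) and return the
    // detached signature as base64, ready to publish next to the download link.
    public static string Sign(string path, RSA privateKey)
    {
        using (FileStream fs = File.OpenRead(path))
            return Convert.ToBase64String(privateKey.SignData(
                fs, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));
    }

    // Re-hash the downloaded file and check it against the published signature.
    public static bool Verify(string path, string signatureBase64, RSA publicKey)
    {
        using (FileStream fs = File.OpenRead(path))
            return publicKey.VerifyData(fs, Convert.FromBase64String(signatureBase64),
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    static void Main()
    {
        // Constructed sample bytes standing in for the ZIP file.
        string path = Path.GetTempFileName();
        File.WriteAllBytes(path, new byte[] { 0x50, 0x4B, 0x03, 0x04, 1, 2, 3, 4 });

        // Assumption: an ephemeral key replaces certificate.PrivateKey / PublicKey.Key.
        using (RSA signer = new RSACryptoServiceProvider(2048))
        using (RSA verifier = new RSACryptoServiceProvider())
        {
            // The verifying side only ever receives the public half.
            verifier.ImportParameters(signer.ExportParameters(false));

            string sig = Sign(path, signer);
            Console.WriteLine("untouched file verifies: " + Verify(path, sig, verifier));

            // Simulate modification in transit by appending a single byte.
            using (FileStream fs = new FileStream(path, FileMode.Append))
                fs.WriteByte(0xFF);
            Console.WriteLine("modified file verifies:  " + Verify(path, sig, verifier));
        }
        File.Delete(path);
    }
}
```

As the second answer notes, the check is only as trustworthy as the channel that delivers the public key to the verifier.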