I know that Windows can intrinsically detect and verify signatures of PEs and some types of text file (.vbs, .ps and .wsf). However, I'm curious whether there is a way to somehow attach or associate a signature to a file that doesn't directly support signatures, such as .ISO or .zip files.

Driver packages that contain a mixture of binaries and .inf files use signed .cat files to allow their constituents to be signed indirectly, but you have to use "signtool.exe verify" to validate the file and I am getting mixed results with this approach.

I guess I am looking for some kind of signed manifest file that we can use to allow users to easily verify that the set of files they downloaded haven't been corrupted in transit or by a third party, and which doesn't involve them creating MD5s manually and comparing the results with values stored in a text file (which might also have been diddled with).
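
One way to build the signed-catalog manifest the question describes, using PowerShell's built-in catalog cmdlets instead of `signtool.exe verify` (an added example, not part of the original post). The folder, catalog path and certificate thumbprint are placeholders, and keeping the catalog outside the hashed folder is a choice made for this example.

```powershell
# Added example. All paths and the thumbprint are placeholders, not values from the post.
$ReleaseDir = 'C:\release\files'             # folder holding the .iso/.zip set
$Catalog    = 'C:\release\release.cat'       # stored outside the hashed folder
$Thumbprint = '<PUBLISHER-CERT-THUMBPRINT>'  # published out-of-band to users

# Publisher side: hash every file under $ReleaseDir into a catalog, then sign it.
function New-SignedCatalog {
    param([string]$Path, [string]$CatalogFile, [string]$CertThumbprint)
    # CatalogVersion 2 records SHA-256 hashes (version 1 records SHA-1).
    New-FileCatalog -Path $Path -CatalogFilePath $CatalogFile -CatalogVersion 2 | Out-Null
    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
            Where-Object Thumbprint -eq $CertThumbprint
    if (-not $cert) { throw 'Code-signing certificate not found in CurrentUser\My' }
    $sig = Set-AuthenticodeSignature -FilePath $CatalogFile -Certificate $cert -HashAlgorithm SHA256
    if ($sig.Status -ne 'Valid') { throw "Signing failed: $($sig.StatusMessage)" }
}

# User side: accept the download only if the catalog is validly signed,
# signed by the expected publisher, and every file hash matches.
function Test-SignedCatalog {
    param([string]$Path, [string]$CatalogFile, [string]$ExpectedThumbprint)
    $r = Test-FileCatalog -Path $Path -CatalogFilePath $CatalogFile -Detailed

    # An unsigned catalog proves nothing: whoever altered the files could regenerate it.
    if ($r.Signature.Status -ne 'Valid') {
        Write-Warning "Catalog signature is $($r.Signature.Status)"
        return $false
    }
    # A valid signature from some other trusted publisher is not good enough; pin the signer.
    if ($r.Signature.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
        Write-Warning 'Catalog is signed by an unexpected certificate'
        return $false
    }
    if ($r.Status -ne 'Valid') {
        # Report files on disk that are missing from, or differ from, the catalog.
        foreach ($item in $r.PathItems.GetEnumerator()) {
            if ($r.CatalogItems[$item.Key] -ne $item.Value) {
                Write-Warning "Hash mismatch or unlisted file: $($item.Key)"
            }
        }
        return $false
    }
    return $true
}

# Publisher: New-SignedCatalog  -Path $ReleaseDir -CatalogFile $Catalog -CertThumbprint $Thumbprint
# User:      Test-SignedCatalog -Path $ReleaseDir -CatalogFile $Catalog -ExpectedThumbprint $Thumbprint
```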