[delphizip] Re: SFX - Autorun

• From: RPeters <rpeters@xxxxxxxxxxxxx>
• To: delphizip@xxxxxxxxxxxxx
• Date: Sat, 18 Apr 2009 10:15:11 +1000

james.d.h.turner@xxxxxxxxxxxx wrote:
> It is the final executable that must be signed (not the zip file). I can 
> provide code to validate the signature - it's neither huge nor complex.
>
> In theory, it should be possible to sign zip files by placing the signature 
> directly before the central directory, however, I have never seen this 
> suggested and it is not an accepted standard.
>
> -- James Turner
>
>
> ---- RPeters <rpeters@xxxxxxxxxxxxx> wrote: 
>   
>> james.d.h.turner@xxxxxxxxxxxx wrote:
>>     
>>> Alternative security possibilities that could be considered
>>>
>>> 1) Allow autorun when extracting to temp directory
>>> 2) Allow autorun when digitally signed
>>>
>>> -- James Turner
>>>
>>> -----------
>>> To unsubscribe from this list, send an empty e-mail 
>>> message to:
>>>   delphizip-request@xxxxxxxxxxxxx 
>>> and put the word unsubscribe in the subject.
>>>   
>>>       
>> Thanks - the first looks like a reasonable (easy/small to implement) 
>> compromise.
>> In theory Vista+ should take care of the second but the problem will be 
>> how to sign it - the zip format is not very friendly to signing or would 
>> signing the stub/loader work.
>> Russell Peters
>> -----------
>> To unsubscribe from this list, send an empty e-mail 
>> message to:
>>   delphizip-request@xxxxxxxxxxxxx 
>> and put the word unsubscribe in the subject.
>>     
>
> -----------
> To unsubscribe from this list, send an empty e-mail 
> message to:
>   delphizip-request@xxxxxxxxxxxxx 
> and put the word unsubscribe in the subject.
>   
Please do send the code - the next version of the stub is not finished 
yet (thought it was but there is still a problem with detached SFX).
I have an idea that forcing this action probably won't suit some people 
but it might help stop it being regarded as a potential virus carrier.

Most zip extractors expect (demand) that the central directory 
immediately follow the local entries and the EOC immediately follows the 
central which the 'standards' doesn't stipulate - this is a real 
stumbling block (oh for an embedded data field that most things would 
ignore).
Russell Peters
-----------
To unsubscribe from this list, send an empty e-mail 
message to:
  delphizip-request@xxxxxxxxxxxxx 
and put the word unsubscribe in the subject.

• Follow-Ups:
  • [delphizip] Re: SFX - Autorun
    • From: RPeters

• References:
  • [delphizip] Re: SFX - Autorun
    • From: james.d.h.turner

Other related posts:

• » [delphizip] SFX - Autorun- Peter Gore
• » [delphizip] Re: SFX - Autorun- RPeters
• » [delphizip] Re: SFX - Autorun- RPeters
• » [delphizip] Re: SFX - Autorun- Peter Gore
• » [delphizip] Re: SFX - Autorun- james.d.h.turner
• » [delphizip] Re: SFX - Autorun- RPeters
• » [delphizip] Re: SFX - Autorun- james.d.h.turner
• » [delphizip] Re: SFX - Autorun - RPeters
• » [delphizip] Re: SFX - Autorun- RPeters

1. Home
2. delphizip
3. Archive
4. 04-2009

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---