[delphizip] Re: SFX - Autorun

  • From: RPeters <rpeters@xxxxxxxxxxxxx>
  • To: delphizip@xxxxxxxxxxxxx
  • Date: Tue, 28 Apr 2009 17:56:41 +1000

RPeters wrote:
> james.d.h.turner@xxxxxxxxxxxx wrote:
>   
>> It is the final executable that must be signed (not the zip file). I can 
>> provide code to validate the signature - it's neither huge nor complex.
>>
>> In theory, it should be possible to sign zip files by placing the signature 
>> directly before the central directory, however, I have never seen this 
>> suggested and it is not an accepted standard.
>>
>> -- James Turner
>>
>>
>> ---- RPeters <rpeters@xxxxxxxxxxxxx> wrote: 
>>> james.d.h.turner@xxxxxxxxxxxx wrote:
>>>> Alternative security possibilities that could be considered
>>>>
>>>> 1) Allow autorun when extracting to temp directory
>>>> 2) Allow autorun when digitally signed
>>>>
>>>> -- James Turner
>>>>
>>>> -----------
>>>> To unsubscribe from this list, send an empty e-mail 
>>>> message to:
>>>>   delphizip-request@xxxxxxxxxxxxx 
>>>> and put the word unsubscribe in the subject.
>>> Thanks - the first looks like a reasonable (easy/small to implement) 
>>> compromise.
>>> In theory Vista+ should take care of the second but the problem will be 
>>> how to sign it - the zip format is not very friendly to signing, or would 
>>> signing the stub/loader work?
>>> Russell Peters
> Please do send the code - the next version of the stub is not finished 
> yet (thought it was but there is still a problem with detached SFX).
> I have an idea that forcing this action probably won't suit some people 
> but it might help stop it being regarded as a potential virus carrier.
>
> Most zip extractors expect (demand) that the central directory 
> immediately follow the local entries and the EOC immediately follows the 
> central which the 'standards' doesn't stipulate - this is a real 
> stumbling block (oh for an embedded data field that most things would 
> ignore).
> Russell Peters
Perhaps it would help if I gave the address to send it to -
rpeters AT delphizip DOT org

I am presently doing some work on the SFX stub for the next version - it 
is one of the last known code areas requiring work before testing can 
start in earnest.
Russell Peters
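
The layout constraint discussed in this thread (central directory directly after the local entries, EOCD directly after the central directory) can be checked by walking the archive structures. The following is an added example, not part of the original posts or of the DelphiZip code; the function names and sample data are constructed, and it assumes offsets are relative to the start of the file, no ZIP64, and no data descriptors.

```python
import io
import struct
import zipfile

EOCD_SIG, CDH_SIG = b"PK\x05\x06", b"PK\x01\x02"


def zip_layout(data: bytes) -> dict:
    """Byte gaps between ZIP regions (assumes no ZIP64, no data descriptors)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD fields: sig, disk, cd_disk, n_disk, n_total, cd_size, cd_offset, comment_len
    _, _, _, _, total, cd_size, cd_off, _ = struct.unpack_from("<4s4H2LH", data, eocd)
    pos, first_local, end_local = cd_off, None, 0
    for _ in range(total):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError(f"central directory entry expected at {pos}")
        comp_size, = struct.unpack_from("<L", data, pos + 20)
        name_len, extra_len, comment_len = struct.unpack_from("<3H", data, pos + 28)
        local_off, = struct.unpack_from("<L", data, pos + 42)
        # A local header is 30 bytes plus its own name and extra-field lengths.
        l_name, l_extra = struct.unpack_from("<2H", data, local_off + 26)
        end_local = max(end_local, local_off + 30 + l_name + l_extra + comp_size)
        first_local = local_off if first_local is None else min(first_local, local_off)
        pos += 46 + name_len + extra_len + comment_len
    return {
        "prefix": first_local or 0,  # bytes before the first entry, e.g. an SFX stub
        "gap_before_cd": cd_off - end_local,
        "gap_before_eocd": eocd - (cd_off + cd_size),
    }


def insert_before_cd(data: bytes, blob: bytes) -> bytes:
    """Place blob directly before the central directory and patch the EOCD offset."""
    eocd = data.rfind(EOCD_SIG)
    cd_off, = struct.unpack_from("<L", data, eocd + 16)
    patched = bytearray(data[:cd_off] + blob + data[cd_off:])
    struct.pack_into("<L", patched, eocd + len(blob) + 16, cd_off + len(blob))
    return bytes(patched)


def sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("readme.txt", b"constructed sample")  # constructed test entry
    return buf.getvalue()
```

A non-zero `gap_before_cd` or `gap_before_eocd` marks bytes that no archive structure accounts for, which is the region a strict extractor would reject and a reviewer would want to inspect.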

