Open dcblack opened 2 years ago
Interesting idea. I suppose the perfect solution will be to implement that signature in a standardized way so others can use it too. Just tried zipsign, will take a look at signapk later to see if it's done the same way.
Do you know if signapk is used by default for example with apt and official repositories?
Keka could also add an option to create the credentials used for signing
For sure! If the sign/verify feature is implemented, Keka must create the required files to at least create new signed files.
Forget my question, had a short circuit in my brain, just noticed signapk is aimed at Android.
Attached a build of zipsign for testing: zipsign-master.zip
Background
In these days of malware, it would be nice if we could verify a zip file's authorship and integrity before opening it. In particular, it would be nice to create zip files that contain signatures and then verify them. This can be used to raise the level of trust.
Desired solution
Ubuntu has a solution in the form of something called signAPK. The process of using this is unfortunately somewhat involved, and most people would not avail themselves of it. However, I think Keka could provide both the signing and verification as an option. As a bonus, perhaps Keka could also add an option to create the credentials used for signing.
Alternatives
Of course, the individual could sign the contents before adding, but that is more involved than one would hope. The recipient would also need to then validate the files.
Additional context
The following GitHub might be useful in accomplishing this goal:
https://github.com/falk-werner/zipsign