Home/ Questions/Q 118039
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-11T03:25:53+00:00

I am building a system for distributing packages (.zip archives) created by different organizations.

  • 0

I am building a system for distributing packages (.zip archives) created by different organizations. I’d like a way to verify that the publisher of a package is indeed who they claim to be, and that the file has not been tampered with.

To verify the publisher, a system similar to what is used by web browsers is required – e.g., my application contacts the root certificate authorities, who verify the identity. In other words, the ‘green bar’ 🙂

I’m guessing the package creation would work like this:

  1. Author creates zip package
  2. Author hashes package and signs the hash
  3. It is re-packaged, with:
    • A header containing the signed hash, and the public certificate
    • A body containing the contents of the zip file

Package opening would work like this:

  1. Take the body of the data
  2. Hash it using the same algorithm
  3. Decrypt the package’s hash using the public key from the certificate
  4. Compare the two hashes – we now have integrity
  5. Contact the root CAs to verify the identity

This way, I have verified the identity, and also verified the contents (the contents themselves do not need to be encrypted – the goal is verification, not privacy).

So my questions are:

  1. Is the above the correct way to approach it?
  2. What hashing algorithm do people normally use? I assume it should be one-way. Would you just choose one (MD5, SHA1, SHA2?) or is it more normal to support a variety and let the package author tell you which one they used (e.g., the header of the document contains the name of the hashing function).
  3. How do you work with the root CA’s? Is this the job of the X509Store class, or are there additional steps involved?
  4. What kind of certificates are involved here? The same kind of certificates used to sign .NET assemblies? (Code-signing certificates?)

Lastly, if an organization does not have a paid-for certificate and instead decide to use a self-issued certificate, I assume I can still verify the hashes (for the sake of data integrity) without having to install stuff into the computer’s certificate stores or any magic like that (in these cases, I’d just display: ‘Published by XYZ Co. (Unverified)’. Is this correct?

I have found plenty of links on how to use the X509 and RSACryptoServiceProvider, so I can probably figure the code out, I guess I’m more interested in the process and knowing I’m using the right techniques.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. There is a standard API to create signed ZIP packages.

    System.IO.Packaging namespace contains necessary classes to create OPS (open packaging specification) conformant ZIP packages with digital signatures.

    • 0