Whats the best way digitally sign a zip file for download using .Net_问答_开发者

Whats the best way digitally sign a zip file for download using .Net

开发者 https://www.devze.com 2023-01-13 22:58 出处：网络

Whats the best way to digitally sign a file server side with .Net before offering it for download via an asp.net based web site

In addition how do I trigger checking of the signature and hence prov开发者_StackOverflowe the file has not been tmapered with during the download process in a web browser

A signature does not need to be included with the ZIP file, it can be a "detached" signature. So you could have the zip and allow someone to verify the sig, which is usually just a series of hex or base64 characters, out of band with an app you write.

At a high-level, the signing steps are:

AsymmetricAlgorithm privateKey = certificate.PrivateKey;
byte[] buffer = Encoding.Default.GetBytes(<data from the zip>);
byte[] signature = privateKey.SignData(buffer, new SHA1Managed());

and verification:

RSACryptoServiceProvider publicKey =  certificate.PublicKey.Key as RSACryptoServiceProvider;
bool verify = publicKey.VerifyData(buffer, new SHA1Managed(), signature);

You need to define what risks you want to defend yourself and the user from. While PKWare's AppNote for ZIP format defines digital signing as part of the format, I doubt that there exist a lot of unzippers, that properly support validation of digital signatures in ZIP files.

If you worry that the file contents can be modified in the middle, you have the following options: 1) HTTPS, as mentioned above 2) PGP-signed package. You can either create a detached signature for existing ZIP archive that you distribute and put the signature near the download link, or, if you are targeting Windows, create self-extracting PGP archive. PGP format includes compression as well. In both cases you will need to put your public PGP key to your site. But note, that people who change the file, would be able to change the public key as well, if you distribute it this way.

Without a client-side plugin or download manager there's not much you can do. The best way to secure it would be to use HTTPS, but if that is not an option then the usual way to ensure integrity is to provide an MD5 hash of the file on the site that the end user can validate against. If you're doing it as a file download, then you can't really automate that validation on the client side without a plugin, as Javascript and such is not going to be able to access the file to validate it.