A tool to sign and verify .zip
and .tar.gz
files with an ed25519 signing key.
cargo install zipsign
or
cargo install --git https://github.com/Kijewski/zipsign
-
.zip:
# Generate key pair: $ zipsign gen-key priv.key pub.key # ZIP a file and list the content of the ZIP file: $ zip Cargo.lock.zip Cargo.lock $ unzip -l Cargo.lock.zip Cargo.lock # Sign the ZIP file: $ zipsign sign zip Cargo.lock.zip priv.key $ unzip -l Cargo.lock.zip Cargo.lock # Verify that the generated signature is valid: $ zipsign verify zip Cargo.lock.zip pub.key OK
-
.tar:
# Generate key pair: $ zipsign gen-key priv.key pub.key # TAR a file and list the content of the ZIP file: $ tar czf Cargo.lock.tgz Cargo.lock $ tar tzf Cargo.lock.tgz Cargo.lock # Sign the .tar.gz file: $ zipsign sign tar Cargo.lock.tgz priv.key $ tar tzf Cargo.lock.tgz Cargo.lock # Verify that the generated signature is valid: $ zipsign verify tar Cargo.lock.tgz pub.key OK
Usage: zipsign gen-key <PRIVATE_KEY> <VERIFYING_KEY>
Arguments:
-
PRIVATE_KEY
: Private key file to create -
VERIFYING_KEY
: Verifying key (public key) file to create
Options:
-
-e
,--extract
: Don't create new key pair, but extract public key from private key -
-f
,--force
: Overwrite output file if it exists
Usage: zipsign sign [zip|tar] [-o <OUTPUT>] <INPUT> <KEYS>...
Subcommands:
-
zip
: Sign a .zip file -
tar
: Sign a .tar.gz file
Options:
-
-o
,--output <OUTPUT>
: Signed file to generate (if omitted, the input is overwritten) -
-c
,--context <CONTEXT>
: Arbitrary string used to salt the input, defaults to file name of<INPUT>
-
-f
,--force
: Overwrite output file if it exists
Arguments:
-
<INPUT>
: Input file to sign -
<KEYS>...
: One or more files containing private keys
Usage: zipsign verify [zip|tar] <INPUT>
Subcommands:
-
zip
: Verify a signed.zip
file -
tar
: Verify a signed.tar.gz
file
Options:
-
-c
,--context <CONTEXT>
: An arbitrary string used to salt the input, defaults to file name of<INPUT>
-
-q
,--quiet
: Don't write "OK" if the verification succeeded
Arguments:
-
<INPUT>
: Signed.zip
or.tar.gz
file -
<KEYS>...
: One or more files containing verifying keys
Usage: zipsign unsign [zip|tar] [-o <OUTPUT>] <INPUT>
Subcommands:
-
zip
: Removed signatures from.zip
file -
tar
: Removed signatures from.tar.gz
file
Arguments:
-
<INPUT>
: Signed.zip
or.tar.gz
file
Options:
-
-o
,--output <OUTPUT>
: Unsigned file to generate (if omitted, the input is overwritten) -
-f
,--force
: Overwrite output file if it exists
The files are signed with one or more private keys using ed25519ph. The signatures are stored transparently next to the data.
For .tar.gz files the signatures are encoded as base64 string. The string gets encapsulated as the comment of a GZIP file, and this GZIP file is appended to the input document. This works, because multiple GZIP files can be freely concatenated.
For .zip files the signature gets prepended to the input document. This works because ZIP files can be prepended with any data as long as all relative addresses are fixed up afterwards. This feature is used e.g. in self-extracting ZIP files.