VSoft Technologies Blogs

rss

VSoft Technologies Blogs - posts about our products and software development.

Signing files that can't carry a signature: detached CMS for ZIPs, ISOs and more

In this article:
  • Why some files can't carry an embedded signature
  • What a detached .p7s signature is, and when Signotaur writes one
  • Signing archives and disk images with no extra flags
  • Extending detached signing to arbitrary files with --detached
  • Controlling the output path, and verifying with Signotaur or OpenSSL

Most of the file types Signotaur signs have somewhere to put the signature. A PE binary has a certificate table, an MSI has a digital-signature stream, a NuGet package has a reserved ZIP entry. You sign the file, the signature goes inside it, and the file still works exactly as before.

Plenty of files people need to sign have no standard embedded-signature format. A .zip, a .tar.gz, an .iso, a firmware blob, a plain .json manifest — several of these do have comment or metadata areas you could stash bytes in, but there's no agreed-upon signing format that other tools would recognise. You can wrap the whole file inside a signature structure, but that changes the file itself: your zip is no longer a zip, it's a CMS structure containing the zip.

The standard answer to this is a detached signature: sign the bytes, leave the original artifact untouched, and write the signature to a separate file. Signotaur now supports this directly, producing a standard CMS/PKCS#7 .p7s signature next to the file it signed.

CMS (Cryptographic Message Syntax, RFC 5652) is the IETF standard format for digitally signed data; PKCS#7 is the older format CMS was based on, and the names are still often used interchangeably. The .p7s extension is the conventional one for a detached CMS signature, which is why you'll see it throughout this post.

Archives and disk images: nothing to do

Signing a zip while keeping it usable is by far the most common case, so Signotaur automatically uses detached signatures for common archive and disk-image formats, with no extra flags:

SignotaurTool.exe sign -a [APIKey] -s [SignServer] -t [Thumbprint] release.zip

That signs release.zip and writes the signature to release.zip.p7s alongside it. release.zip itself is not touched — same bytes, same hash, still opens in any zip tool. The formats handled this way are .zip, .7z, .tar, .gz, .tgz, .bz2, .xz, .iso, .img, .vhd and .vhdx.

Command Prompt output of SignotaurTool signing a zip with a detached CMS/PKCS#7 signature; the final line shows the signature written to the matching .p7s file alongside the untouched original.

Files that do have a native embedded format — PE, MSI, NuGet, VSIX, RDP, ClickOnce manifests, .mobileconfig — keep using it. You don't have to think about which is which; the sign command routes each file by its type.

Other file types: --detached

To produce a detached signature for a file type that Signotaur would not otherwise sign as an embedded format — for example a .txt, a .json, an arbitrary binary — add --detached (--dt):

SignotaurTool.exe sign -a [APIKey] -s [SignServer] -t [Thumbprint] --detached manifest.json

This writes manifest.json.p7s and leaves manifest.json alone. The flag is ignored for file types that have their own embedded signature, so it's harmless to leave on in a script that signs a mix of things.

Choosing where the signature lands

By default the signature is written next to each signed file as [file].p7s. To put signatures somewhere else, use --signature-file (--sf). For a single file you can give an exact path:

SignotaurTool.exe sign release.zip --signature-file C:\sigs\release.sig ...

When signing many files at once, use placeholders so each output is distinct:

  • {name} — the file name including extension (archive.ziparchive.zip.p7s).
  • {name-no-ext} — the file name without extension (archive.ziparchive.p7s).
  • {rel-path} — the file path relative to the current directory, or to --base-directory if specified. This avoids collisions when different folders contain files with the same name.
SignotaurTool.exe sign src\**\*.zip --signature-file sigs\{rel-path}.p7s ...

Any directories in the output path are created for you. An exact (placeholder-free) path is only valid when signing a single file — otherwise every file would write to the same signature file.

Verifying

A .p7s file is a plain CMS/PKCS#7 SignedData structure, so it's not locked to Signotaur. Point verify at either the original or its .p7s signature and it auto-detects the pairing:

SignotaurTool.exe verify release.zip

Terminal output from SignotaurTool verify confirming a valid detached signature, showing the signer certificate and a verified result.

And because it's standards-compliant, OpenSSL — or anything else that speaks CMS — can verify it too:

openssl cms -verify -binary -inform DER -in release.zip.p7s -content release.zip -CAfile root.pem -out NUL

That example assumes a signer certificate issued directly by the root in root.pem; in practice, use whichever CA bundle or certificate chain is appropriate for the signer certificate. (-out NUL just discards the recovered content so the zip isn't dumped to the console.)

If you only need an integrity check — confirm the signature matches the content, without deciding whether the signer is trusted — add -noverify. It skips chain validation, so no root.pem is required:

openssl cms -verify -noverify -binary -inform DER -in release.zip.p7s -content release.zip -out NUL

This confirms the bytes haven't changed since signing, but it does not establish that you trust the signer — for that, use the chain-validating form above.

RFC 3161 timestamping works on detached signatures the same as everywhere else — pass --tr (and optionally --st) and the timestamp is embedded into the .p7s.

Wrapping up

Detached signing extends Signotaur beyond formats with a built-in signature slot. Where a file has a native signing format, Signotaur continues to use it. Where it does not, Signotaur can write a clean .p7s signature alongside the untouched original.

The result is still standards-compliant CMS/PKCS#7, so consumers are not tied to Signotaur for verification. More to come, but this removes a "you can't sign that" answer we'd rather not give.

For the full option reference see the sign and verify command pages in the Signotaur documentation. As always, the private key never leaves your signing server — detached or embedded, only the digest is ever sent for signing.

Related Posts


  • Signing .rdp files with Signotaur (and surviving the April Windows update)

    After the April 2026 Windows cumulative update, signed .rdp files that opened cleanly for years started showing users a big orange warning. This post covers what changed, why teams got caught out, and what Signotaur's new .rdp signing support (plus a bit of Group Policy) does about it.

  • New in FinalBuilder 5 - more actions now support FileSets

    FileSets are cool. We introduced them in FinalBuilder 4 but in FinalBuilder 5 we've made them natively supported by more actions

  • Code Signing with USB Tokens

    Big changes are coming for OV (Organisation Validation) code signing certificates - from (1 June 2023, extended from 15 November 2022), new and reissued publicly trusted organization validation (OV) and individual validation (IV) code signing certificates will have to be issued or stored on preconfigured secure hardware by the issuing certificate authority (CA) and the device must meet FIPS 140 Level 2, Common Criteria EAL 4+ or equivalent security standards.

  • Continuous Integration Server performance

    Continuous Integration Servers are often underspecified when it comes to hardware. In the early days of Automated Builds, the build server was quite often that old pc in the corner of the office, or an old server in the data center that no one else wanted. Developers weren't doing many builds per day, so it worked, it was probably slow but that didn't seem to matter much. Fast forward 20 years, and the CI server is now a critical service. The volume and frequency of builds has increased dramatically, and a slow CI server can be a real problem in an environment where we want fast feedback on that code we just committed (even though it "worked on my machine"). Continuous Deployment only adds to the workload of the CI server. In this post I'm going to cover off some ideas to hopefully improve the performance of your CI server.

  • DPM Package Manager for Delphi - Beta

    I've been working on a package manager for Delphi for a long time. I hit a roadblock and life got in the way and I couldn't find the time (or the motivation if I am honest) to work on it. I was using it every day, but it wasn't really usable for the masses. That was until recently..

  • Introducing Signotaur - Remote Code Signing Server

    Over the last few years, code signing has changed somewhat. With the requirement that private keys be secured, many developers have run into the issues that USB tokens present, or the limitations and costs associated with cloud-based signing solutions. Gone are the days of sharing a PFX file around the dev team or with the CI server (unless you managed to snag a 3-year renewal just before the new requirements were enforced). Signotaur is a self hosted code signing server (and client) that makes sharing certificates simple, all whilst ensuring the private key never leaves the server.
.p7s, Archives, CI/CD, CMS, Code Signing, Code Signing Certificates, Cryptographic Message Syntax, Delphi, Detached Signatures, DevOps, Digital Signatures, Disk Images, File Signing, ISO, OpenSSL, PKCS#7, RFC 3161, RFC 5652, Security, Signotaur, SignotaurTool, Timestamping, ZIP
Showing 0 Comment
your Comment will be showing after administrator's approval







b i u quote



Save Comment