
How to sign a ZIP file like I would sign an assembly?


I have a ZIP file containing signed .NET assemblies. Is it possible, through a tool, to sign not code but a ZIP file containing those too? I'd like to be able to work with this on the code side, saying something like:

if(myzipfile.IsSignedBy(name))
{
    DezipFile();
    LoadAssemblies();
}

Solution

  • You can sign anything you like; the only issue you'd have to worry about is where you're going to store the signature to verify it.

    In C# you have an RSACryptoServiceProvider, which can take a keypair and a byte[] and produce an RSA signature of it. To verify it you just need the public key (not the private one), the original data and the generated signature.

    With a bit of cleverness you could perhaps append the signature to the end of the ZIP file without rendering the ZIP file unreadable. You'd then read the entire zip file (minus the part at the end where you store the signature) and verify using that.

    You'd have to embed the public key inside your application in order to use it for verification as well.

    Since only you have both the public and private key used to make the signature, you can be sure that, if the signature is correct, the ZIP file came from you.
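One concrete shape of the scheme described in the answer, as an added example that is not code from the original post: the signature is kept in a detached file next to the archive rather than appended to the ZIP (which avoids the "cleverness" needed to keep the ZIP readable), and the newer RSA.Create() API is used in place of RSACryptoServiceProvider. The ".sig" file name, the 3072-bit key size, the constructed empty archive and the .NET Core 3.0+ requirement are assumptions.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

// Added example, not code from the original answer. Assumes .NET Core 3.0 or later
// (RSA.Create, ImportSubjectPublicKeyInfo); the ".sig" file name is an assumption.
public static class ZipSigner
{
    // Build side: sign the archive's raw bytes and write a detached "<zip>.sig".
    // A detached file sidesteps the problem of appending data to the ZIP itself.
    public static void Sign(string zipPath, RSA privateKey)
    {
        byte[] data = File.ReadAllBytes(zipPath);
        byte[] sig = privateKey.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        File.WriteAllBytes(zipPath + ".sig", sig);
    }

    // Client side: verify with the public key only. Returns false rather than
    // throwing when the archive or its signature is missing, truncated or altered.
    public static bool IsSignedBy(string zipPath, RSA publicKey)
    {
        string sigPath = zipPath + ".sig";
        if (!File.Exists(zipPath) || !File.Exists(sigPath)) return false;
        byte[] data = File.ReadAllBytes(zipPath);
        byte[] sig = File.ReadAllBytes(sigPath);
        return publicKey.VerifyData(data, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    public static void Main()
    {
        // Constructed sample: a minimal empty ZIP (just an end-of-central-directory record).
        byte[] emptyZip = new byte[22];
        emptyZip[0] = 0x50; emptyZip[1] = 0x4B; emptyZip[2] = 0x05; emptyZip[3] = 0x06;
        File.WriteAllBytes("assemblies.zip", emptyZip);

        // The private key stays on the build machine; only the SubjectPublicKeyInfo
        // blob is compiled into the application that performs the verification.
        using RSA signingKey = RSA.Create(3072);
        byte[] embeddedPublicKey = signingKey.ExportSubjectPublicKeyInfo();
        Sign("assemblies.zip", signingKey);

        using RSA verifyKey = RSA.Create();
        verifyKey.ImportSubjectPublicKeyInfo(embeddedPublicKey, out _);
        Console.WriteLine("untouched archive verifies: " + IsSignedBy("assemblies.zip", verifyKey));

        // Any byte changed after signing (here: one appended byte) fails verification,
        // so extraction and assembly loading should happen only after a true result.
        File.AppendAllText("assemblies.zip", "x");
        Console.WriteLine("modified archive verifies:  " + IsSignedBy("assemblies.zip", verifyKey));
    }
}
```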