General approach for signing files without PE

I know that Windows can internally detect and verify the signatures of PE files and some types of text files (.vbs, .ps and .wsf). However, I am curious whether there is a way to somehow attach or associate a signature with a file type that does not directly support signatures, such as .ISO or .zip files.

Driver packages containing a mixture of binaries and .inf files use signed .cat files so that their contents are signed indirectly, but you must use "signtool.exe verify" to verify the files, and I get mixed results with this approach.

I suppose what I am looking for is some kind of signed manifest file that we can use to let users easily verify that the set of downloaded files was not damaged in transit or by a third party, and which does not involve manually creating MD5 hashes and comparing the results with values stored in a text file (which can also be tampered with).

1 answer

NTFS alternate data streams look suitable for storing signatures: they let you attach a signature to any file, so you do not need a separate manifest.

Of course, you still need to develop a signature verification application - there is no way around this.

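The question asks for a signed manifest covering a set of arbitrary files, and the answer notes that whichever storage you choose (a sidecar file or an NTFS alternate data stream) you still have to write the verifier yourself. The following Go program is an added example, not code from the question, the answer or any Microsoft tool: it builds a deterministic manifest of SHA-256 hashes, signs it with a detached Ed25519 signature, and verifies a download set against it. The manifest line format, the function names and the sample file contents are assumptions made for this example; the "files" are constructed byte slices so it runs offline, where a real tool would read them from disk (and on NTFS could store the signature bytes in a stream such as `bundle.iso:sig` instead of a sidecar).

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
)

// BuildManifest returns one line per file, "<sha256 hex>  <name>\n", sorted by
// name so the same file set always yields the same bytes (the format is an
// assumption for this example, not a Windows-defined one).
func BuildManifest(files map[string][]byte) []byte {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var b bytes.Buffer
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return b.Bytes()
}

// SignManifest produces a detached Ed25519 signature over the manifest bytes.
// Only the manifest is signed; the files are bound to it through their hashes.
func SignManifest(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, manifest)
}

// VerifyBundle checks the manifest signature first (so a rewritten manifest is
// rejected before any hash is trusted), then every listed file's hash, and
// finally that no file outside the manifest was slipped into the set.
func VerifyBundle(pub ed25519.PublicKey, manifest, sig []byte, files map[string][]byte) error {
	if !ed25519.Verify(pub, manifest, sig) {
		return errors.New("manifest signature invalid: manifest or signature was altered")
	}
	listed := map[string]bool{}
	sc := bufio.NewScanner(bytes.NewReader(manifest))
	for sc.Scan() {
		line := sc.Text()
		// 64 hex chars, two spaces, at least one character of name.
		if len(line) < 67 || line[64:66] != "  " {
			return fmt.Errorf("malformed manifest line: %q", line)
		}
		want, name := line[:64], line[66:]
		data, ok := files[name]
		if !ok {
			return fmt.Errorf("file %q listed in manifest is missing", name)
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("file %q does not match its manifest hash", name)
		}
		listed[name] = true
	}
	for n := range files {
		if !listed[n] {
			return fmt.Errorf("file %q is not covered by the manifest", n)
		}
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample download set; a real tool would read these from disk.
	files := map[string][]byte{
		"setup.iso":  []byte("iso image bytes"),
		"README.txt": []byte("read me"),
	}
	manifest := BuildManifest(files)
	sig := SignManifest(priv, manifest)
	fmt.Println("clean bundle:", VerifyBundle(pub, manifest, sig, files))

	// A modified file fails the hash check.
	tampered := map[string][]byte{
		"setup.iso":  []byte("iso image bytes plus implant"),
		"README.txt": files["README.txt"],
	}
	fmt.Println("tampered file:", VerifyBundle(pub, manifest, sig, tampered))

	// Rewriting the manifest to match the tampered file fails the signature check,
	// which is what a bare MD5 text file cannot give you.
	fmt.Println("rewritten manifest:", VerifyBundle(pub, BuildManifest(tampered), sig, tampered))
}
```

The public key has to reach the user by a path the attacker does not control (pinned in the verifier binary, or a certificate chained to a CA they already trust); if it ships next to the manifest it can be swapped along with the signature. Treating an unlisted extra file as an error is a deliberate choice here, since an added executable in an otherwise valid bundle is exactly the case a hash list in a text file misses.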

Source: https://habr.com/ru/post/1765589/

