1

I have a cab file provided by a company and in order to secure my environment (terminal) I need to sign the cab as well as all the files inside (DLLs and EXEs) I want to avoid uncabing and recabing to do it. Is there any tool? I've seen signtool from Microsoft I can only sign the cab, not the files inside.

Artjom B.
  • 61,146
  • 24
  • 125
  • 222
Anas EL HAJJAJI
  • 1,048
  • 2
  • 10
  • 22

1 Answers1

1

You can sign the files BUT ONLY if it's your code on the device which will unpack them, unwrap the signed data into original files and then install them.

Explanation:

  1. there must be something that will validate the signatures. You can sign the CAB, but if the system doesn't care about the signature (say allows the user to install the unsigned or badly-signed CABs), then your signature makes little sense unless it's your own code that performs CAB installation
  2. You can sign any file, but then again, there must be something (your code?) that will validate the signatures. For PKCS#7 (certificate-based) signing you can use wrapping signatures which make the file original data part of the signed file, or detached signatures, which are kept separately in the different place (eg. other file). In case of wrapping signature your code needs to unwrap the files after extracting them from the CAB.
Eugene Mayevski 'Callback
  • 45,135
  • 8
  • 71
  • 121
  • Thank you for your answer. But maybe I didn't make my self clear ... I have already all the security configured in my environnment but I have some cabs comming from other companies which are not signed. So with my certificate and using some tools can I in command line: 1- Extract the CAB into files + inf file. 2- Sign the files. 3- Re create the cab file and eventually sign the cab. – Anas EL HAJJAJI Dec 01 '10 at 09:42
  • @Anaseh Yes, there exist tools that let you work with CAB file like a regular archive. However, the question is how your environment will handle signed files inside the CAB, i.e. what format you need to use in order to sign the files in the CAB. Once you figure this out, you would be able to look for the tool. CAB files are signed using MS Authenticode technology, but it can't be used for signing generic file. – Eugene Mayevski 'Callback Dec 01 '10 at 10:55