On Sunday 21 September 2014 21:13:50, Richard van den Berg wrote:
> Package formats like apk and jar avoid this chicken and egg problem
> by hashing the files inside a package, and storing those hashes in
> a manifest file. Signatures only sign the manifest file. The
> manifest itself and the signature files are not part of the
> manifest, but are part of the package. So a package including its
> signature(s) is still a single file.
This is bad design and will inevitably lead to security issues (as has
been demonstrated by Android and apk). One must check the signature
first, and only if the signature matches, start parsing complex file
formats. And yes, zip is complex enough to be a problem.
Reproducible-builds mailing list
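
The ordering difference discussed in this exchange, as an added example that is not part of the original messages: the in-package manifest scheme has to run the zip parser on unauthenticated bytes to find the manifest, while a detached signature over the raw file is checked before any parsing. Assumptions: HMAC-SHA256 stands in for a real public-key signature, and the entry names `MANIFEST` and `MANIFEST.SIG`, the key and all function names are hypothetical.

```python
import hashlib, hmac, io, zipfile

KEY = b"constructed-demo-key"   # assumption: HMAC stands in for a real signature
parsed_unverified = []          # records every parse of unauthenticated bytes

def mac(data, key=KEY):
    return hmac.new(key, data, hashlib.sha256).digest()

def parse(blob, verified):
    """The complex step: run the zip parser over the package bytes."""
    if not verified:
        parsed_unverified.append(len(blob))
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}

def build(files):
    """Constructed sample package carrying its own manifest and signature."""
    manifest = "".join(f"{hashlib.sha256(d).hexdigest()}  {n}\n"
                       for n, d in sorted(files.items())).encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, d in files.items():
            zf.writestr(n, d)
        zf.writestr("MANIFEST", manifest)
        zf.writestr("MANIFEST.SIG", mac(manifest))
    return buf.getvalue()

def open_manifest_style(blob):
    """Manifest scheme: the parser must run before anything is authenticated."""
    entries = parse(blob, verified=False)
    manifest = entries.pop("MANIFEST")
    if not hmac.compare_digest(mac(manifest), entries.pop("MANIFEST.SIG")):
        raise ValueError("manifest signature mismatch")
    want = {n: h for h, n in (l.split("  ") for l in manifest.decode().splitlines())}
    if {n: hashlib.sha256(d).hexdigest() for n, d in entries.items()} != want:
        raise ValueError("file set or hash differs from manifest")
    return entries

def open_detached(blob, sig):
    """Signature-first: authenticate the opaque bytes, then parse."""
    if not hmac.compare_digest(mac(blob), sig):
        raise ValueError("detached signature mismatch; parser never ran")
    return parse(blob, verified=True)
```

After any call to `open_manifest_style`, `parsed_unverified` is non-empty even for a package that is later rejected; `open_detached` never adds to it.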