There isn't really a way to sign a directory entry without making up a transform. If you did that, then you'd have to specify the transform in the standard. I can think of several ways to make a transform, but it would be a nuisance to implement and express in normative language.
IMHO, that's really overkill. I think we want to drop back to "What You See Is What You Sign." If an empty directory has no effect on either the content or appearance of the document, and I cannot imagine a scenario in which it would, then we should ignore it for the purpose of signatures. If a file turned up later in that directory, then the presence of a new file would then violate the requirement that all of the files be signed, and you're dealing with either an invalid or partial signature, depending on how an implementer wanted to treat that particular error.
In OOXML signatures, there are provisions for certain parts of the archive not being signed, so there's some tolerance for metadata to get updated without invalidating the signature. This is part of why I wrote the proposal to say that "all files must be signed in order for the signature to be a full document signature" - I wanted to provide for the possibility in the future of signing something less.
Given the time constraints, I'd propose doing the following:
1) Ignore empty directories.
2) Do not make a transform that captures the directory structure of the archive, because it does not affect the appearance or content of the document.
3) In vNext, we should work on defining what must be signed in a more refined manner, paying attention to what affects content and/or appearance and what does not.
Original Message-----
From: Bob Jolliffe [mailto:bobjolliffe@gmail.com]
Sent: Monday, September 27, 2010 3:19 PM
To: dennis.hamilton@acm.org
Cc: Hanssens Bart; Svante Schubert; ODF TC List
Subject: Re: [office] RE: Directories in Zip packages
On 27 September 2010 22:11, Dennis E. Hamilton