My additional analysis follows in a separate note.
Here is what I have:
1. Yes, directories/folders can be represented by file entries. I was
completely off base about that. I have confirmed that in APPNOTE 6.2.0.
But I don't think it happens the way you think in this particular file. I
will check the central directory records I reviewed more closely.
2. There is no reason that ODF 1.2 ever needs such things in a package,
since the manifest is independent of that stuff.
3. It is not possible to sign a directory/folder entry in the Zip because
there is nothing to sign. There is no data in such an entry and there
should be no way to insert data in such an entry without it being a file
instead of a folder. We'll have to see if that is actually a hole in Zip.
(Oddly enough, the 0-length file Configurations2\accelerator\current.xml
*has* data, and it is compressed, but the uncompressed size is 0. Fancy
that.)
- Dennis
Original Message-----
From: Hanssens Bart [mailto:Bart.Hanssens@fedict.be]
Sent: Sunday, September 26, 2010 14:13
To: dennis.hamilton@acm.org; 'David LeBlanc'; office@lists.oasis-open.org
Cc: Cornelis Frank
Subject: [office] RE: Directories in Zip packages - was RE: XAdES support in
ODF
Dennis,
the ZIP appnote (any version, at least since 4.50) says
" external file attributes: (4 bytes)
The mapping of the external attributes is
host-system dependent (see 'version made by'). For
MS-DOS, the low order byte is the MS-DOS directory
attribute byte. If input came from standard input, this
field is set to zero.
...
file name: (Variable)
The name of the file, with optional relative path.
The path stored should not contain a drive or
device letter, or a leading slash. All slashes
should be forward slashes '/' as opposed to
backwards slashes '\' for compatibility with Amiga
and UNIX file systems etc.
..."
(Winzip probably 'translates' this for viewing purposes)
But the real questions are:
a) is adding (empty) directories, for whatever reason, allowed per ODF 1.2
spec
(since it requires a somewhat special attribute)
b) if so, should it be signed (I would say yes)
c) in that case, should the ODF spec text "sign every file" be changed in
"every entry"
(or similar)
Best regards
Bart
________________________________________
From: Dennis E. Hamilton [dennis.hamilton@acm.org]
Sent: Sunday, September 26, 2010 10:48 PM
To: Hanssens Bart; 'David LeBlanc'; office@lists.oasis-open.org
Cc: Cornelis Frank
Subject: Directories in Zip packages - was RE: XAdES support in ODF
For further amusement, the attachment is what PKZip for Windows version
12.50.0013 says about helloworld-signed.odt.
It seems that my (1-4) below have more evidence to deal with.
Re (1), PKWare prefers to show "/" as the segment separator.
Re (2), I have no idea at this point whether this is covered in the APPNOTE
or an extension
Re (3), the observation about no directory entries for Configurations2/,
Thumbnails/, etc., also applies to Configuration2//images as well as
Configurations2/accelerator.
Re (4), the "\" business may be answered. I know where to find a reasonable
hex editor. Back soon.
- Dennis
Original Message-----
From: Dennis E. Hamilton [mailto:dennis.hamilton@acm.org]
Sent: Sunday, September 26, 2010 13:39
To: 'Hanssens Bart'; 'David LeBlanc'; 'office@lists.oasis-open.org'
Cc: 'Cornelis Frank'
Subject: RE: [office] RE: XAdES support in ODF
I knew I had a command-line Zipper somewhere. Here is what 7zip has to say
about that document:
12:57
7-Zip (A) 4.42 Copyright (c) 1999-2006 Igor Pavlov 2006-05-14
12:07:19.34 C:\MyProjects\java\ODMdev> 7za l helloworld-signed.odt
Listing archive: helloworld-signed.odt
Date Time Attr Size Compressed Name
------------------- ----- ------------ ------------ ------------
2010-09-24 16:49:42 ..... 39 39 mimetype
2010-09-24 16:49:42 ..... 3105 813 content.xml
2010-09-24 16:49:42 ..... 532 243 manifest.rdf
2010-09-24 16:49:42 ..... 10864 1993 styles.xml
2010-09-24 16:49:42 ..... 1247 1247 meta.xml
2010-09-24 16:49:42 ..... 1018 434
Thumbnails\thumbnail.png
2010-09-24 16:49:42 ..... 0 2
Configurations2\accelerator\current.xml
2010-09-24 16:49:42 D.... 0 0
Configurations2\progressbar
2010-09-24 16:49:42 D.... 0 0 Configurations2\floater
2010-09-24 16:49:42 D.... 0 0
Configurations2\popupmenu
2010-09-24 16:49:42 D.... 0 0 Configurations2\menubar
2010-09-24 16:49:42 D.... 0 0 Configurations2\toolbar
2010-09-24 16:49:42 D.... 0 0
Configurations2\images\Bitmaps
2010-09-24 16:49:42 D.... 0 0
Configurations2\statusbar
2010-09-24 16:49:42 ..... 8773 1365 settings.xml
2010-09-24 16:49:42 ..... 1989 344 META-INF\manifest.xml
2010-09-24 18:52:26 ..... 30891 13945
META-INF\documentsignatures.xml
------------------- ----- ------------ ------------ ------------
58458 20425 17 files
Hmm, attributes.
So, two things to figure out here.
1. Is it really "\" and I must remember to use that all of the time (which
says something about the resolution of relative IRIs inside the package)?
2. What is this attribute business and whose extension of the APPNOTE is
that or is it really provided in the APPNOTE.
3. Finally, notice that there is *no* such entry for Thumbnails and META-INF
nor for Configurations2 nor Configurations2\accelerator either so one
wonders what the point is that there are Zip entries of any form for those
Configurations2\... goodies (and their having bogus manifest:media-type
values in the manifest.xml markup).
4. Finally still, I have no idea how much of the way these names are
expressed is being done by the utility versus what is in the file (e.g.,
WinZip showed "\" on the ends, 7-zip shows "D" in some sort of attribute
display). I'm still looking for a decent hex editor.
I think, without fear of contradiction, however, that there is no way to
reflect those D-attribute thingies in the DSig, and we should not want there
to be. An external signature on the entire package would include whatever
that is, but we're not going there, it seems to me.
And finally, it seems like OIC Appnote time, aye?
- Dennis