[squeak-dev] securing SAR/MCZ files, certificates, etc

Hans-Martin Mosner hmm at heeg.de
Wed Sep 2 11:54:18 UTC 2015


On 01.09.2015 21:49, tim Rowledge wrote:
> I mentioned working on using SAR files and/or MCZ as a way to
> distribute device driver add-ons for Pi Scratch a while ago. The
> basics are working nicely and it’s time to ask for advice on securing
> the files. I’ve noticed assorted ssl/encryption/certificate checking
> related emails whizz by but never paid a lot of attention in the past.
> 
I'd go with the "industry standard" (read: Java) solution even if it's 
from Mordor.
JAR files are just ZIP files with another extension, just as SAR and MCZ 
files are (correct me if I'm wrong).
So the jarsigner signature mechanisms should be applicable. We have a 
cryptography package which includes most functionality already (X.509 
stuff and various algorithms).
Don't know how much work it would be to implement signing ZIP files and 
checking their signatures, probably an evening or two for someone who's 
sufficiently fluent with crypto stuff.
However, this would imply that the Pi Scratch images would need to have 
(a subset of) the Cryptography classes loaded.

Edgar, I don't know what the #enigma2015: method actually does. Is it an 
encryption algorithm? If yes, a standard one or homebrew? How does it 
relate to digital signatures?
If this weren't a use case with pretty low security requirements, I'd 
put on my hobby cryptographer hat and shout at the top of my lungs
"YOU MUST NEVER USE CRYPTO ALGORITHMS THAT HAVE NOT BEEN DESIGNED AND 
THOROUGHLY ANALYZED BY EXPERTS IN THE FIELD!!!11eleven!!"

Cheers,
Hans-Martin
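The jarsigner-style scheme Hans-Martin sketches above, worked through as an added example in Go (not code from the Squeak Cryptography package, from jarsigner, or from anyone in this thread): a manifest carrying one digest per entry is signed, and the verifier checks that signature before trusting any digest, then refuses unlisted, missing or duplicate entries. The example makes several simplifying assumptions: Ed25519 stands in for jarsigner's RSA/X.509 certificate chain, so trust rests on the verifier already holding the publisher's public key; the tab-separated manifest format and the META-INF/ entry names are made-up stand-ins for the real JAR manifest and signature block; and the Smalltalk payload is a constructed sample.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"io"
	"strings"
)

// Simplified stand-ins for jarsigner's META-INF/MANIFEST.MF and signature block.
const ManifestName, SigName = "META-INF/MANIFEST.MF", "META-INF/MANIFEST.ED25519"

// Manifest lists one "name<TAB>sha256hex" line per payload entry.
func Manifest(payload map[string][]byte) []byte {
	var b strings.Builder
	for name, data := range payload {
		fmt.Fprintf(&b, "%s\t%x\n", name, sha256.Sum256(data))
	}
	return []byte(b.String())
}

// WriteZip packs the entries into an in-memory ZIP archive.
func WriteZip(entries map[string][]byte) ([]byte, error) {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, data := range entries {
		w, err := zw.Create(name)
		if err != nil {
			return nil, err
		}
		if _, err = w.Write(data); err != nil {
			return nil, err
		}
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// SignArchive stores payload, manifest and the Ed25519 signature over the manifest in one archive.
func SignArchive(payload map[string][]byte, priv ed25519.PrivateKey) ([]byte, error) {
	entries := map[string][]byte{ManifestName: Manifest(payload)}
	entries[SigName] = ed25519.Sign(priv, entries[ManifestName])
	for name, data := range payload {
		entries[name] = data
	}
	return WriteZip(entries)
}

// VerifyArchive checks the manifest signature before trusting any digest, then matches every
// entry against the manifest. Unlisted, missing and duplicate entries are all rejected.
func VerifyArchive(archive []byte, pub ed25519.PublicKey) (map[string][]byte, error) {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return nil, err
	}
	files := map[string][]byte{}
	for _, f := range zr.File {
		if _, dup := files[f.Name]; dup {
			return nil, fmt.Errorf("duplicate entry %q", f.Name)
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		files[f.Name], err = io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
	}
	manifest, sig := files[ManifestName], files[SigName]
	if manifest == nil || sig == nil || !ed25519.Verify(pub, manifest, sig) {
		return nil, fmt.Errorf("manifest missing or its signature is invalid")
	}
	expected := map[string]string{} // the manifest is authenticated, so its lines are trusted
	for _, line := range strings.Split(strings.TrimSpace(string(manifest)), "\n") {
		if parts := strings.SplitN(line, "\t", 2); len(parts) == 2 {
			expected[parts[0]] = parts[1]
		}
	}
	delete(files, ManifestName)
	delete(files, SigName)
	for name, data := range files {
		if expected[name] != fmt.Sprintf("%x", sha256.Sum256(data)) {
			return nil, fmt.Errorf("entry %q is unlisted or its digest does not match", name)
		}
	}
	if len(files) != len(expected) {
		return nil, fmt.Errorf("archive lacks entries listed in the manifest")
	}
	return files, nil
}

func main() {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // all-zero seed: demo only
	archive, _ := SignArchive(map[string][]byte{"PiDriver.st": []byte("Object subclass: #PiDriver")}, priv)
	_, err := VerifyArchive(archive, priv.Public().(ed25519.PublicKey))
	fmt.Println("round trip error:", err)
}
```

Two points worth carrying over to a SAR/MCZ loader: the signature is verified before any manifest line is believed, so an attacker cannot feed the verifier digests of their own choosing; and an entry the manifest does not list is an error rather than merely "unsigned", which is stricter than Java's JarFile, where such entries are still readable and the caller has to notice they carry no signers. Reading every entry with io.ReadAll has no size cap, so a real loader should also bound the uncompressed size before decompressing untrusted archives.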

