
Generic approach for signing non-PE files

I know that Windows can intrinsically detect and verify signatures of PEs and some types of text file (.vbs, .ps and .wsf). However I'm curious whether there is a way to somehow attach or associate a signature to a file that doesn't directly support signatures, such as .ISO or .zip files.

Driver packages that contain a mixture of binaries and .inf files use signed .cat files to allow their constituents to be signed indirectly, but you have to use "signtool.exe verify" to validate the file and I am getting mixed results with this approach.

I guess I am looking for some kind of signed manifest file that we can use to allow users to easily verify that the set of files they downloaded haven't been corrupted in transit or by a third party, and which doesn't involve them creating MD5's manually and comparing the results with values stored in a text file (which might also have been diddled with).


NTFS's Alternate Data Streams seem like a good fit for storing the signatures - this would allow you to attach a signature to any kind of file, so you wouldn't need a separate manifest.

You would of course still need to develop an application to verify the signatures - there is no way around that.

0
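The approach from the answer above, written as an added PowerShell example that is not part of the original post: a detached CMS (PKCS #7) signature is stored Base64-encoded in an alternate data stream and later checked against a pinned signer thumbprint. The stream name `signature.p7s`, the function names, the sample file and the throwaway self-signed certificate are assumptions made for the illustration.

```powershell
# Added example: detached CMS signature kept in an NTFS alternate data stream.
# Assumes Windows PowerShell 5.1 and a file on an NTFS volume.
Add-Type -AssemblyName System.Security
$StreamName = 'signature.p7s'   # hypothetical stream name chosen for this example

function Add-StreamSignature {
    param([string]$Path,
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $full    = Convert-Path -LiteralPath $Path
    $content = [System.Security.Cryptography.Pkcs.ContentInfo]::new([IO.File]::ReadAllBytes($full))
    $cms     = [System.Security.Cryptography.Pkcs.SignedCms]::new($content, $true)  # $true = detached
    $signer  = [System.Security.Cryptography.Pkcs.CmsSigner]::new($Certificate)
    $signer.IncludeOption = 'EndCertOnly'   # embed only the signing certificate
    $cms.ComputeSignature($signer)
    # Writing a named stream leaves the file's main data stream unchanged.
    Set-Content -LiteralPath $full -Stream $StreamName -Value ([Convert]::ToBase64String($cms.Encode()))
}

function Test-StreamSignature {
    param([string]$Path, [string]$ExpectedThumbprint)
    try {
        $full    = Convert-Path -LiteralPath $Path
        $b64     = Get-Content -LiteralPath $full -Stream $StreamName -Raw -ErrorAction Stop
        $content = [System.Security.Cryptography.Pkcs.ContentInfo]::new([IO.File]::ReadAllBytes($full))
        $cms     = [System.Security.Cryptography.Pkcs.SignedCms]::new($content, $true)
        $cms.Decode([Convert]::FromBase64String($b64))
        # $true checks the signature only; the signer is pinned by thumbprint below.
        # With a certificate that chains to a trusted root, pass $false to validate the chain too.
        $cms.CheckSignature($true)
    } catch {
        return $false   # missing stream, malformed blob, or content that no longer matches
    }
    return $cms.SignerInfos[0].Certificate.Thumbprint -eq $ExpectedThumbprint
}

# Demo with constructed data and a throwaway self-signed certificate.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=ADS signing demo (constructed)' -CertStoreLocation Cert:\CurrentUser\My
$file = Join-Path $env:TEMP 'ads-demo.iso'
Set-Content -LiteralPath $file -Value 'constructed sample payload'
Add-StreamSignature -Path $file -Certificate $cert
# Verify the untouched file, then verify again after the main stream is modified.
Test-StreamSignature -Path $file -ExpectedThumbprint $cert.Thumbprint
Add-Content -LiteralPath $file -Value 'tampered'
Test-StreamSignature -Path $file -ExpectedThumbprint $cert.Thumbprint
```

Alternate data streams exist only on NTFS, so the signature is dropped when the file is copied to FAT/exFAT media, placed in a zip archive or served over HTTP; in that case the check returns `$false` because the stream is missing.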
