Self Decrypting Archives

David Shaw
Fri Jun 20 00:47:02 2003

On Thu, Jun 19, 2003 at 03:23:53PM -0700, wrote:
> >Message: 11
> >Date: Thu, 19 Jun 2003 16:58:07 -0400
> >From: David Shaw <>
> >To: "''" <>
> >Subject: Re: Self Decrypting Archives
> [...]
> >> If you really wanted to, you could even send your receiver a zip file
> >> containing the "gpg" binary, plus the encrypted file, and a batch file
> >> that contained something like "gpg theencryptedfile.gpg".  Poof:
> >> instant SDA.  Of course, it's still insecure ;)
> >
> >It works, and the end result is a SDA.
> [...]
> just curious,
> other than making a .exe file of what would otherwise be batch files,
> what does the pgp sda do differently?
> it seems as if it would need just a watered-down binary for symmetric
> decryption only


> in your idea, wouldn't it also be possible to make a much smaller binary
> for the same symmetric decryption, and send it as a batch file, with
> the same instructions/caveats as for an sda,


That's why I'm confused that what PGP creates is an "SDA", and a
self-extracting zip file containing gpg, an encrypted file, and an
autorun command to decrypt the file somehow isn't an "SDA".  All "SDA"
is is a "(S)elf (D)ecrypting (A)rchive".  There is no magic there.

> a practical way that sda's are done 'sort-of' securely, for multiple
> large files, is that they are all written as sda's onto a cdrw, sent
> by certified registered mail, and confirmed by phone by the receiver
> calling the sender upon receipt of the packet.

The problem is that there is no way to do it in a portable manner.
Linux executables won't run on Windows, Windows executables won't run
on FreeBSD, etc, etc.  It would be very easy for someone to make their
own SDAs by self-extracting-zipping together the encrypted file, and
the decryption engine, but that's not really the point of GnuPG.
