Signtool should support the generation of detached signatures in for archives that don't have integrated signing support. Under this category are:

• .zip
• tar.gz
• .tgz

There are some key bits to consider when dealing with detached signature signing:

• The signing infrastructure signs files in-place. The original file is replaced with the signed copy. For file types that only support detached signatures, this means that the original file is overwritten with the signature. Therefore, the original file must be preserved, so it can be placed back in the original location (as the "signed" copy) after the signature is generated.
• The newly generated detached signature needs to get an appropriate name (e.g. originalfilename.tar.gz.sig) and be propagated as output. One consideration with these additional generated files is what to do if they are signatures for files that go inside another container. For instance, if a detached signature is generated for a .zip file, and that .zip file is inside a .nupkg, does the nupkg get the signature added to it? The decision here is no. Most likely the container the zip is in will get signed, or it itself would be in another signed container, etc. etc. The detached signature will be generated, but only detached signatures for top level files passed to SignTool will end up alongside the original artifacts.