feat: encrypted archive detection for 7z/RAR + error alert on open

Iakov Senatov · Iakov Senatov · commit 3bf92c55c760 · 2026-03-03T00:35:29.000+01:00
EncryptedArchiveCheck:
- ZIP: 8-byte header read (instant)
- 7z: shell 7z l -slt, detect exit!=0 or Encrypted=+ (cached)
- RAR: shell unrar lt, fallback to 7z (cached)
- All other archive formats: checked via 7z if available
- Results cached via NSCache per file path

AppState.enterArchive:
- Show NSAlert on failure instead of silently swallowing error
- Encrypted archives: specific message about password protection
- Other errors: show error description to user
diff --git a/GUI/Resources/Localizable.xcstrings b/GUI/Resources/Localizable.xcstrings
@@ -598,6 +598,10 @@
     "Copy All Paths" : {
       "comment" : "Copy all paths action"
     },
+    "Copy as Pathname" : {
+      "comment" : "A button that copies the full path of a file as a pathname to the clipboard.",
+      "isCommentAutoGenerated" : true
+    },
     "Copy File?" : {
       "comment" : "Copy confirmation dialog title",
       "localizations" : {
diff --git a/GUI/Sources/Features/Panels/EncryptedArchiveCheck.swift b/GUI/Sources/Features/Panels/EncryptedArchiveCheck.swift
@@ -3,10 +3,11 @@
 //
 // Created by Claude on 03.03.2026.
 // Copyright © 2026 Senatov. All rights reserved.
-// Description: Lightweight encrypted archive detection for icon display.
+// Description: Encrypted archive detection for icon display.
 //   ZIP: reads 8 bytes from Local File Header (bit 0 of General Purpose Flag).
-//   Other formats: not checked (would require ArchiveKit dependency).
-//   Results cached via NSCache — zero repeated I/O cost.
+//   7z:  runs `7z l -slt` — checks exit code and "Encrypted = +" marker.
+//   RAR: runs `unrar lt` — checks for encryption markers, fallback to 7z.
+//   Results cached via NSCache — zero repeated I/O cost after first check.
 
 import FileModelKit
 import Foundation
@@ -16,28 +17,105 @@ enum EncryptedArchiveCheck {
     // MARK: - Cache (NSCache is internally thread-safe)
     nonisolated(unsafe) private static let cache = NSCache<NSString, NSNumber>()
     // MARK: - Public API
-    /// Returns true if archive is encrypted. Currently supports ZIP only.
-    /// Returns false for non-ZIP archives (not nil — safe for icon logic).
+    /// Returns true if archive is encrypted.
+    /// Supports ZIP (instant), 7z, RAR (via shell, cached).
     static func isEncrypted(url: URL) -> Bool {
         let key = url.path as NSString
         if let cached = cache.object(forKey: key) {
             return cached.boolValue
         }
-        let result = checkZip(url: url)
+        let result = detect(url: url)
         cache.setObject(NSNumber(value: result), forKey: key)
         return result
     }
-    // MARK: - ZIP Check
+    /// Invalidate cache for a specific file (e.g. after modification)
+    static func invalidate(url: URL) {
+        cache.removeObject(forKey: url.path as NSString)
+    }
+    // MARK: - Detection Router
+    private static func detect(url: URL) -> Bool {
+        let ext = url.pathExtension.lowercased()
+        switch ext {
+        case "zip":
+            return checkZipHeader(url: url) || checkVia7z(url: url)
+        case "7z":
+            return checkVia7z(url: url)
+        case "rar":
+            return checkViaUnrar(url: url) ?? checkVia7z(url: url)
+        default:
+            // Other archive formats handled by 7z (cab, arj, etc.)
+            if ArchiveExtensions.isArchive(ext) {
+                return checkVia7z(url: url)
+            }
+            return false
+        }
+    }
+    // MARK: - ZIP Header Check
     /// Reads PK signature + General Purpose Bit Flag. Bit 0 = encrypted.
-    private static func checkZip(url: URL) -> Bool {
-        guard url.pathExtension.lowercased() == "zip" else { return false }
+    /// Cost: 8 bytes, instant.
+    private static func checkZipHeader(url: URL) -> Bool {
         guard let handle = try? FileHandle(forReadingFrom: url) else { return false }
         defer { try? handle.close() }
         guard let data = try? handle.read(upToCount: 8), data.count >= 8 else { return false }
-        // Verify PK\x03\x04 signature
         guard data[0] == 0x50, data[1] == 0x4B, data[2] == 0x03, data[3] == 0x04 else { return false }
-        // General Purpose Bit Flag at offset 6 (little-endian)
         let flags = UInt16(data[6]) | (UInt16(data[7]) << 8)
         return (flags & 0x0001) != 0
     }
+    // MARK: - 7z Shell Check
+    /// Runs `7z l -slt <archive>`. Encrypted header → exit != 0.
+    /// Encrypted content → output contains "Encrypted = +".
+    private static func checkVia7z(url: URL) -> Bool {
+        guard let bin = findExecutable("7z") else { return false }
+        let (exit, stdout, stderr) = shell(bin, "l", "-slt", url.path)
+        // Non-zero exit with password/encrypted message → header-encrypted
+        if exit != 0 {
+            let combined = (stdout + stderr).lowercased()
+            if combined.contains("password") || combined.contains("encrypted") || combined.contains("headers error") {
+                return true
+            }
+            return false
+        }
+        // Content-encrypted: individual entries marked
+        return stdout.contains("Encrypted = +")
+    }
+    // MARK: - RAR Shell Check
+    /// Runs `unrar lt <archive>`. Returns nil if unrar not found.
+    private static func checkViaUnrar(url: URL) -> Bool? {
+        guard let bin = findExecutable("unrar") else { return nil }
+        let (exit, stdout, stderr) = shell(bin, "lt", url.path)
+        let combined = (stdout + stderr).lowercased()
+        if exit != 0 && (combined.contains("encrypted") || combined.contains("password")) {
+            return true
+        }
+        if stdout.lowercased().contains("encrypted") {
+            return true
+        }
+        if exit == 0 { return false }
+        return nil // inconclusive, let caller fallback to 7z
+    }
+    // MARK: - Shell Helper
+    private static func shell(_ args: String...) -> (Int32, String, String) {
+        let proc = Process()
+        let outPipe = Pipe()
+        let errPipe = Pipe()
+        proc.executableURL = URL(fileURLWithPath: args[0])
+        proc.arguments = Array(args.dropFirst())
+        proc.standardOutput = outPipe
+        proc.standardError = errPipe
+        proc.environment = ProcessInfo.processInfo.environment
+        do { try proc.run() } catch { return (-1, "", error.localizedDescription) }
+        proc.waitUntilExit()
+        let outData = outPipe.fileHandleForReading.readDataToEndOfFile()
+        let errData = errPipe.fileHandleForReading.readDataToEndOfFile()
+        return (
+            proc.terminationStatus,
+            String(data: outData, encoding: .utf8) ?? "",
+            String(data: errData, encoding: .utf8) ?? ""
+        )
+    }
+    // MARK: - Find Executable
+    private static func findExecutable(_ name: String) -> String? {
+        ["/opt/homebrew/bin/\(name)", "/usr/local/bin/\(name)", "/usr/bin/\(name)"]
+            .first { FileManager.default.isExecutableFile(atPath: $0) }
+    }
 }
diff --git a/GUI/Sources/States/AppState/AppState.swift b/GUI/Sources/States/AppState/AppState.swift
@@ -409,6 +409,7 @@ extension AppState {
             log.info("[AppState] Successfully entered archive: \(archiveURL.lastPathComponent)")
         } catch {
             log.error("[AppState] Failed to enter archive: \(error.localizedDescription)")
+            await showArchiveErrorAlert(archiveName: archiveURL.lastPathComponent, error: error)
         }
     }
 
@@ -456,6 +457,24 @@ extension AppState {
         }
     }
 
+    /// Shows NSAlert when archive open fails (encrypted, corrupted, etc.)
+    @MainActor
+    private func showArchiveErrorAlert(archiveName: String, error: Error) async {
+        let desc = error.localizedDescription
+        let isEncrypted = desc.lowercased().contains("password") || desc.lowercased().contains("encrypted")
+        let alert = NSAlert()
+        alert.alertStyle = .critical
+        if isEncrypted {
+            alert.messageText = "Encrypted Archive"
+            alert.informativeText = "\"\(archiveName)\" is password-protected.\n\nPassword-protected archives cannot be opened yet."
+        } else {
+            alert.messageText = "Cannot Open Archive"
+            alert.informativeText = "\"\(archiveName)\" could not be opened.\n\n\(desc)"
+        }
+        alert.addButton(withTitle: "OK")
+        alert.runModal()
+    }
+
     /// Shows NSAlert asking user whether to repack the modified archive.
     /// Returns true if user chose to repack.
     @MainActor
