We would like to protect our zip files by registering the user into the installer at download time.
Is there any place in a zipped package where a script could add such hidden info?
The note field is not good as most zip software displays it.
A zip archiver will read a zip file from the end and find entries using offsets. If you put bytes at the beginning of the zip file (and make sure the offsets are still correct !), you will get a valid zip file and I doubt archivers will show the additional content. That's how self-extracting zip files work: the file starts with the
unzip exe and ends with the actual zip content.
In your case, you could prepare archives with a fixed-length blob at the beginning and overwrite it when a user download it.
Note that won't "protect" the zip file, just mark the zip file as downloaded by a given user (and the mark can be removed easily).