I came across this forum post, https://portableapps.com/node/18388, about using the digital signature to check if a file has been downloaded correctly.
I will be travelling to a country that is known to seed incorrect files for known encryption products and browsers, i.e. if you try to download EFF's Tor, you will get a fake version of Tor that will install malware instead. This is why there are PGP signatures on the website along with the downloaded files.
I am thinking about manually downloading and checking the MD5 and signatures of the paf.exe files instead of using the PortableApps platform, but this will mean I won't know when to update Google Chrome Portable and may leave myself vulnerable to a Flash exploit.
Essentially, I was wondering whether the automated updates via the PortableApps Platform have any MD5 or digital signature check.
The PA.c Platform checks the MD5 of each app it downloads against the one stored in the app database that it downloads first. The PA.c Installer does the same thing for apps like Google Chrome (the online installer internally has the MD5 it expects compiled in and will fail if the downloaded version of Chrome doesn't match).
Sometimes, the impossible can become possible, if you're awesome!
How is the MD5 database being verified?
Is it protection against manipulation or only against packet loss?
It would be very easy to modify it on the transport, by using a forced proxy and a few lines of PHP...