How to trust your distributed binaries ?

In a word, you can trust portapps binaries over those provided by other systems offering portable applications.
Why ? Because the whole process is open source as well as the build process for the executable wrapper. Let’s take Skype as an example.

The “main” file of each portapps repositories is the build.properties file. It’s a spec file for the building procedure of a portapp using Apache Ant.

In this file you have the original source of the distributed package from the official website. For Skype this file is at the following url : https://endpoint920510.azureedge.net/s4l/s4l/download/win/Skype-8.25.0.5.exe.

If you go on the official website of Skype the link to the artifact is https://go.skype.com/windows.desktop.download, but it redirects to an azure CDN :

> https://go.skype.com/windows.desktop.download
HTTP/1.1 301 Moved Permanently
> https://get.skype.com/go/getskype-skypeforwindows
HTTP/1.1 302 Found
> https://endpoint920510.azureedge.net/s4l/s4l/download/win/Skype-8.25.0.5.exe

How does it work ?

Concerning the building process to make it “portapp”, we are going to take Skype as an example.

Everything is revealed in the logs on Appveyor. Here are the building steps :

  • Install Golang, Java and ANT
  • Load required libraries
    • ant-contrib
    • 7zip
    • dep (dependency manager for golang)
    • rcedit (to add icons to the final executable)
    • innoextract (to extract the original setup)
    • innosetup (to package the final portapp as a portable setup using innosetup)
    • upx (to compress the portapp executable)
  • Download the original setup from the official website
  • Extract this setup
  • Download go dependencies using dep (based on Gopkg.toml)
  • “Go” generate (prepare versioning file for the final executable and rcedit resources)
  • “Go” build (create the portapp executable)
  • Compressing executable with UPX
  • Load asar (tool to extract app.asar ; because Skype is based on Electron)
  • Replace paths in app.asar
  • Repackaging app.asar
  • Create 7z portapp archive
  • Create innosetup portapp setup
  • Send artefacts from Appveyor to Github releases
  • Done tada

This process is quite the same for the current portapps available but can differ following the original setup (can be archive, electron app, innosetup, etc…).

Antivirus complains about the wrapper

Wrapper [appname]-portable.exe of all portapps are scanned by VirusTotal and a link is provided in the description of GitHub releases page.
Checkout brave-portable releases page on GitHub as an example :

Every detections found by VirusTotal scans are generic. Most likely based on a heuristic detection. Heuristics are more prone to false-positive detections :

This happens quite often with programs written in Golang. The best you can do is to report this to your Antivirus software vendor as a false positive :

And this is often quickly solved : portapps/skype-portable#4, portapps/postman-portable#1