How to trust your distributed binaries?
In short, you can trust portapps binaries over those provided by other systems offering portable applications.
Why? Because the whole process is open source, including the build process for the executable wrapper. Let's take Skype as an example.
This file records the original source of the distributed package on the official website. For Skype, this file is at the following URL:
If you go to Skype's official website, the link to the artifact is https://go.skype.com/windows.desktop.download, but it redirects to an Azure CDN:
> https://go.skype.com/windows.desktop.download HTTP/1.1 301 Moved Permanently
> https://get.skype.com/go/getskype-skypeforwindows HTTP/1.1 302 Found
> https://endpoint920510.azureedge.net/s4l/s4l/download/win/Skype-184.108.40.206.exe
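The trust argument above rests on two checks a reader can repeat: that the vendor's download link really ends up on the origin recorded in the project, and that the installer fetched from it has the expected hash. The following Python script is an added example, not portapps code: it parses a redirect chain written in the same `> url HTTP/1.1 status` form as the log above, can re-walk a chain live hop by hop without letting the client auto-follow, accepts the chain only if every hop is HTTPS and the last one lands on an allowed host, and streams a SHA-256 over the downloaded file for a constant-time comparison. `ALLOWED_FINAL_HOSTS`, the function names and the digest passed to `checksum_matches` are assumptions for illustration; `SAMPLE_CHAIN_LOG` is the chain from this page, embedded so the parser part runs offline.

```python
"""Added example (not portapps code): verify where a vendor's download URL
really lands, and that the fetched installer matches a known SHA-256.
The allowed-host set and the expected digest are assumptions for illustration."""
import hashlib
import hmac
import http.client
import re
from urllib.parse import urljoin, urlsplit

# Final origin we are willing to accept for the Skype installer (assumption,
# taken from the redirect chain shown on the page).
ALLOWED_FINAL_HOSTS = {"endpoint920510.azureedge.net"}

# Constructed sample: the redirect chain exactly as it appears on the page.
SAMPLE_CHAIN_LOG = """\
> https://go.skype.com/windows.desktop.download HTTP/1.1 301 Moved Permanently
> https://get.skype.com/go/getskype-skypeforwindows HTTP/1.1 302 Found
> https://endpoint920510.azureedge.net/s4l/s4l/download/win/Skype-184.108.40.206.exe
"""

HOP_RE = re.compile(r"^>\s*(\S+)(?:\s+HTTP/\d\.\d\s+(\d{3}))?")
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def parse_chain_log(text):
    """Parse '> <url> HTTP/1.1 <status> ...' lines into [(url, status)].
    The last hop in the page's log carries no status, so it becomes None."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line.strip())
        if m:
            hops.append((m.group(1), int(m.group(2)) if m.group(2) else None))
    return hops


def follow_redirects(url, max_hops=10):
    """Walk a redirect chain one hop at a time with HEAD requests, never
    auto-following, so every intermediate URL is recorded.  Returns
    [(url, status)]; the last entry carries the non-redirect status."""
    hops = []
    for _ in range(max_hops):
        parts = urlsplit(url)
        conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                    else http.client.HTTPConnection)
        conn = conn_cls(parts.netloc, timeout=15)
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path)
        resp = conn.getresponse()
        location = resp.getheader("Location")
        conn.close()
        hops.append((url, resp.status))
        if resp.status in REDIRECT_STATUSES and location:
            url = urljoin(url, location)  # handles relative Location headers
            continue
        return hops
    raise RuntimeError("too many redirects")


def chain_is_trusted(hops, allowed_final_hosts=ALLOWED_FINAL_HOSTS):
    """True only if every hop is HTTPS (no downgrade in the middle) and the
    final URL is served from an allowed host."""
    if not hops or any(urlsplit(u).scheme != "https" for u, _ in hops):
        return False
    return urlsplit(hops[-1][0]).hostname in allowed_final_hosts


def sha256_hex(chunks):
    """SHA-256 over an iterable of byte chunks, so large installers stream."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def sha256_of_file(path):
    with open(path, "rb") as f:
        return sha256_hex(iter(lambda: f.read(1 << 20), b""))


def checksum_matches(chunks, expected_hex):
    """Constant-time comparison against the digest recorded for the package."""
    return hmac.compare_digest(sha256_hex(chunks), expected_hex.lower())


if __name__ == "__main__":
    # Offline check against the chain recorded on the page.
    hops = parse_chain_log(SAMPLE_CHAIN_LOG)
    print("recorded chain trusted:", chain_is_trusted(hops))
    # Live check (network required): re-walk the chain as it is today.
    # live = follow_redirects("https://go.skype.com/windows.desktop.download")
    # print(live, chain_is_trusted(live))
```

`follow_redirects` uses HEAD so that nothing is downloaded while inspecting the chain; if a CDN refuses HEAD, switch the request method to GET and discard the body. Pinning the final host is what turns "it redirects somewhere" into a check that fails loudly when a redirect hop changes.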
How does it work?
For the build process that turns an application into a "portapp", we again take Skype as an example.
Everything is visible in the build logs on AppVeyor. Here are the build steps:
- Install Golang, Java and ANT
- Load required tools:
  - dep (dependency manager for Go)
  - rcedit (to add icons to the final executable)
  - innoextract (to extract the original setup)
  - innosetup (to package the final portapp as a portable setup using Inno Setup)
  - upx (to compress the portapp executable)
- Download the original setup from the official website
- Extract this setup
- Download Go dependencies using dep (based on Gopkg.toml)
- Run "go generate" (prepare the versioning file for the final executable and the rcedit resources)
- Run "go build" (create the portapp executable)
- Compress the executable with UPX
- Load asar (tool to extract app.asar, since Skype is based on Electron)
- Replace paths in app.asar
- Repackage app.asar
- Create the 7z portapp archive
- Create the Inno Setup portapp setup
- Send artifacts from AppVeyor to GitHub releases
The process is much the same for all currently available portapps, but details differ depending on the form of the original setup (plain archive, Electron app, NSIS installer, Inno Setup installer, multi-arch, etc.).
Antivirus complaints about the wrapper
The [appname]-portable.exe of every portapp is scanned by VirusTotal, and a link to the scan is provided in the description on the GitHub releases page.
Check out the brave-portable releases page on GitHub as an example:
All detections found by the VirusTotal scans are generic, most likely based on heuristic detection. Heuristics are more prone to false positives, which can be reported to the vendors here:
- Adaware: https://www.adaware.com/report-false-positives
- Avast: https://www.avast.com/false-positive-file-form.php
- AVG: https://www.avg.com/en-us/false-positive-file-form
- Bitdefender: https://www.bitdefender.com/submit/
- F-Secure: https://www.f-secure.com/en/web/labs_global/submit-a-sample
- Kaspersky: https://virusdesk.kaspersky.com/
- McAfee: https://kc.mcafee.com/corporate/index?page=content&id=KB85567
- Windows Defender: https://www.microsoft.com/en-us/wdsi/filesubmission
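"All detections are generic" is a claim a reader can check on the linked VirusTotal report rather than take on faith. The Python script below is an added example, not portapps code: it walks the per-engine results of a VirusTotal file report, keeps the engines whose category is malicious or suspicious, and splits them into verdicts that look generic or heuristic versus verdicts that name a specific family, because only the first kind fits the false-positive explanation given above. `SAMPLE_RESULTS` is a constructed sample in the shape of VirusTotal's v3 `last_analysis_results` object with made-up engine names and verdict strings; the token list in `GENERIC_TOKEN_RE` and the function names are my assumptions, and the tokens are themselves a heuristic to tune.

```python
"""Added example (not portapps code): triage a VirusTotal file report so
that generic or heuristic detections on a release wrapper can be told apart
from detections naming a specific malware family.  SAMPLE_RESULTS is a
constructed sample in the shape of VirusTotal's v3 'last_analysis_results'
object; the engine names and verdict strings are made up."""
import re

# Tokens that, in a verdict name, usually mark a generic/heuristic/ML
# classification rather than a specific known family (assumption; tune as needed).
GENERIC_TOKEN_RE = re.compile(
    r"(?:^|[^a-z])(?:gen|generic|heur|heuristic|suspicious|ml|ai|unsafe|malicious|score)(?:[^a-z]|$)"
)

# Engine categories that count as a detection in a v3 report.
FLAG_CATEGORIES = {"malicious", "suspicious"}

# Constructed sample report (not a real scan of any portapps release).
SAMPLE_RESULTS = {
    "EngineA": {"category": "malicious", "result": "Gen:Variant.Example.1"},
    "EngineB": {"category": "suspicious", "result": "Heur.Example.Packed"},
    "EngineC": {"category": "undetected", "result": None},
    "EngineD": {"category": "malicious", "result": "Trojan.ExampleFamily.A"},
    "EngineE": {"category": "type-unsupported", "result": None},
}


def is_generic_verdict(result):
    """Does the verdict string look generic rather than like a named family?"""
    return bool(result) and GENERIC_TOKEN_RE.search(result.lower()) is not None


def triage(results):
    """Summarise a results map: how many engines flagged the file, which of
    those verdicts look generic, and which name a specific family."""
    flagged = {name: (r.get("result") or "") for name, r in results.items()
               if r.get("category") in FLAG_CATEGORIES}
    generic = sorted(n for n, v in flagged.items() if is_generic_verdict(v))
    named = sorted(n for n, v in flagged.items() if not is_generic_verdict(v))
    return {
        "engines": len(results),
        "flagged": len(flagged),
        "generic": generic,
        "named": named,
        # The false-positive explanation only holds when every hit is generic;
        # a named-family hit deserves a closer look before the release ships.
        "all_generic": bool(flagged) and not named,
    }


def triage_report(report):
    """Accept either a full v3 report ({'data': {'attributes': {...}}}) or a
    bare results map, and triage its per-engine results."""
    attrs = report.get("data", {}).get("attributes", {})
    results = attrs.get("last_analysis_results", report)
    return triage(results)


if __name__ == "__main__":
    summary = triage(SAMPLE_RESULTS)
    print(f"{summary['flagged']}/{summary['engines']} engines flagged the file")
    print("generic/heuristic:", summary["generic"])
    print("named family:", summary["named"])
    print("all generic:", summary["all_generic"])
```

Feed `triage_report` the JSON object of a real report (fetched with your own API key, outside this script) and the `named` list tells you at a glance whether the "generic heuristics" explanation actually holds for that release, or whether a specific engine deserves a sample submission and a closer look at the wrapper.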