Hey, I am updating Portfolio Performance every time it tells me too but I am wondering if the upgrade process is secure.
It looks like from the progress messages it is just downloading a few Java files.
Thanks in advance.
Check the URL in the PP preferences.
You should also check to make sure, but PP updates use Equinox p2, which does support cryptographic signatures.
To stop the worries - simply install ubuntu on your windows laptop/pc and run it in this seperate linux system enviroment. Thats what I have done and am using PP without worry. It’s a bit slower but thats no real probelm.
No trojen or virus installed on this linux subsystem will be able to keylogging or run any program on your main windows enviroment!
Search my profile posts for the full details.
(you can still access your data file on yor windows drive via the linux machine and PP remembers it)
Thanks, it does reference https.
That does sound promissing but I do neither have much insight in Java development nor Equinox p2.
That’s why I am asking if one of the developers can state that the downloads get cryptographically verified during an update or not.
I am using Linux already, it is more secure but still can be attacked.
Of course you are talking about separating Portfolio Performance from the rest of the every day used system by kind of a VM which is pretty secure but also quite complicated.
In any way I still would like the update process to be secure because Portfolio Performance consists quite some sensitive data.
I don’t think the update is verifying (every) upgrade cryptographically. Overall, there are too many unsigned artifacts (JAR files). Eclipse asks you to confirm all of them, but what does that mean for a “non-technical user”.
I am code singing the JAR files produce by the project itself. You could check that signature, e.g. ~/plugins/name.abuchen.portfolio_0.70.3.jar with the jarsigner utility.
The macOS DMG is signed.
The download artifacts are GPG signed (check the Github downloads).
I do have a code signing certificate that can in principle sign the windows installer and executable, but I do not (yet) get it to work in my build setup (which must build on Linux or macOS for the cross platform builds).
Maybe your “upgrade” process is a fresh install that checks the GPG signing? It is bigger, but you can check the whole ZIP.