I have a few old software setup files on my hard disk. I am helping someone to set up their new laptop, but unfortunately there is no internet access at his place currently. Technically, how can I be sure that the setup files I have are not tampered with in any way?

Say for example, I have a Windows 10 ISO or an Office ISO. If the UAC pop-up shows the Verified Publisher as "Microsoft", can I be sure that the file is not tampered with in any way? Does the Verified Publisher name show "Unknown" even when a 1 megabyte file is changed in the 6GB set-up file?

InternetUser
  • This is an interesting question. In a situation like the Windows 10 ISO, it's not the ISO that's signed, but the setup.exe file on it, and the question is whether that signing extends to the other files (including the large WIM) that actually contain the installation files. I'd say there are two separate questions here: Can the Verified Publisher be trusted, and can the related-but-not-the-same files be trusted. – music2myear Feb 02 '18 at 19:17
  • Microsoft actually publishes the checksum for their files on their download site, usually right next to the Download link. This would allow you to compare the checksums to confirm the files are identical. This would cover the "was part of this archive modified" question. – music2myear Feb 02 '18 at 19:20
  • If you're not sure about the Windows 10 ISO, just download the latest directly from MS... it will be the latest version. And yes, it is *theoretically* possible to tamper with a signed file so that the checksum still shows it as valid, but likely only a government agency has time and resources to do so. – DrMoishe Pippik Feb 02 '18 at 19:55
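
The checksum comparison mentioned in the comments above, as an added example that is not part of the original thread. It assumes the publisher's SHA-256 values were noted down while online in a `<sha256-hex>  <filename>` list (an assumed format); the file names and contents in `demo()` are constructed stand-ins, not real ISOs.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def sha256_file(path, chunk_size=1024 * 1024):
    """Hash a file in 1 MiB chunks so a multi-gigabyte ISO never sits in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_manifest(manifest_text, base_dir):
    """Check each '<sha256-hex>  <filename>' line; return {filename: status}."""
    results = {}
    for line in manifest_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        expected, name = line.split(None, 1)
        target = Path(base_dir) / name
        if not target.is_file():
            results[name] = "MISSING"
            continue
        # Compare the full digest; a partial match is not a match.
        ok = hmac.compare_digest(sha256_file(target), expected.lower())
        results[name] = "OK" if ok else "MISMATCH"
    return results

def demo():
    """Constructed setup files: one intact, one altered by a single bit, one absent."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "office.iso"      # constructed sample
        bad = Path(tmp) / "windows10.iso"    # constructed sample
        payload = bytes(range(256)) * 8192   # 2 MiB of sample data
        good.write_bytes(payload)
        bad.write_bytes(payload)
        manifest = (f"{sha256_file(good)}  office.iso\n"
                    f"{sha256_file(bad)}  windows10.iso\n"
                    f"{'0' * 64}  missing.iso\n")
        tampered = bytearray(payload)
        tampered[1_000_000] ^= 0x01          # flip one bit after the hash was recorded
        bad.write_bytes(tampered)
        return verify_manifest(manifest, tmp)

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

A single flipped bit anywhere in the file is enough to produce `MISMATCH`, so the check covers every file inside the archive, not only the signed executable.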

1 Answer

Technically, how can I be sure that the setup files I have are not tampered with in any way?

Only use installation files that have been digitally signed by somebody you trust.

Say for example, I have a Windows 10 ISO or an Office ISO. If the UAC pop-up shows the Verified Publisher as "Microsoft", can I be sure that the file is not tampered with in any way?

The publisher cannot be changed without making the digital signature invalid. If the signed file indicates it was published by Microsoft, then the signature is valid; otherwise, Microsoft wouldn't be the publisher.

Does the Verified Publisher name show "Unknown" even when a 1 megabyte file is changed in the 6GB set-up file?

The installer itself is signed, which means the contents of that archive are also signed. The contents cannot be modified; if they are modified, then the signature of the archive wouldn't be valid.

Ramhound
  • I am not going to explain the entire process of how Windows handles digitally signed files in my answer. That process is well documented, I would just be quoting that documentation, but that research should have been performed before asking this question. – Ramhound Feb 02 '18 at 19:19
  • My answer is complete and currently answers all questions that you have asked. – Ramhound Feb 02 '18 at 21:01