Author Topic: Are program updates digitally signed?  (Read 4825 times)


Chankama

  • Guest
Are program updates digitally signed?
« on: November 21, 2005, 09:30:10 PM »
Hey guys. These days I am getting a message from Avast! saying that a program update is available. My question is, are the "Program updates" digitally signed?

I asked a similar question regarding the "Virus definitions" a few weeks ago before downloading Avast!, and I was told that the virus definition updates ARE digitally signed.

However, I think the program update is even more critical. We don't want any "malicious" program updates taking place. Thanks.

-Chankama

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: Are program updates digitally signed?
« Reply #1 on: November 22, 2005, 01:29:14 AM »
This topic has been recently covered so a forum search should be able to track it down.

I can't remember the official position as to whether they are explicitly signed but there are checks in force to ensure they are what they appear to be.

This is the thread that you started on the same topic on October 11 - http://forum.avast.com/index.php?topic=16868.0 So I guess that program updates fall into the same category.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Are program updates digitally signed?
« Reply #2 on: November 22, 2005, 01:33:21 AM »
> Are the "Program updates" digitally signed?

Yes, they are, the same as the virus databases.
The best things in life are free.

Chankama

  • Guest
Re: Are program updates digitally signed?
« Reply #3 on: November 22, 2005, 02:08:45 AM »
Thx Tech. Any further info on the type of signature that is performed? I am presuming it uses the same public key as for the virus def. updates.

> This topic has been recently covered so a forum search should be able to track it down.
>
> I can't remember the official position as to whether they are explicitly signed but there are checks in force to ensure they are what they appear to be.
>
> This is the thread that you started on the same topic on October 11 - http://forum.avast.com/index.php?topic=16868.0 So I guess that program updates fall into the same category.

Hey David. Actually they do "not" fall into the same category. Having malicious definitions, in the worst case, will corrupt your detection database and prevent things from being detected or detect/remove things that shouldn't be removed. Whereas malicious program updates can do much more damage IMO.

The update procedure in avast! seems to be different for the def. updates and the program updates as you can actually specify whether they should be done automatically or not. So, the update logic for the 2 types of updates diverge at least in some areas. I wanted to make sure whether they diverge in the digital signatures as well.

A [forum search] about "digitally signed" only brings up my old query about virus definition signatures as well as this thread:
http://forum.avast.com/index.php?topic=12275.msg103940#msg103940

This thread doesn't answer my question explicitly.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Are program updates digitally signed?
« Reply #4 on: November 22, 2005, 02:16:46 AM »
> Tech. Any further info on the type of signature that is performed?

I've asked for superior help... the programmers should say something more upon my guesses  ;D 8)

kubecj

  • Guest
Re: Are program updates digitally signed?
« Reply #5 on: November 22, 2005, 02:25:47 AM »
Every file coming from the update servers is digitally signed with 1024 bit key. In fact, the difference between program and database update is minimal from the updater's point of view.
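
An added illustration of the check described in the reply above; it is not part of the original thread and not Avast's code. It shows an updater that verifies an RSA PKCS#1 v1.5 / SHA-256 signature against a pinned public key and treats program and database files identically. The key, file names and contents are constructed for the demo.

```python
import hashlib

# Constructed toy key for the demo only: the modulus is the product of two
# well-known Mersenne primes, so it is NOT secure. A real vendor key is random.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public half, pinned inside the updater
D = pow(E, -1, (P - 1) * (Q - 1))        # private half, held by the vendor only
K = (N.bit_length() + 7) // 8            # modulus length in bytes

# ASN.1 DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def _encode(data: bytes) -> int:
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo || SHA-256(data)."""
    t = SHA256_PREFIX + hashlib.sha256(data).digest()
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")

def sign(data: bytes) -> int:
    """Vendor side: performed once per file before it is published."""
    return pow(_encode(data), D, N)

def verify(data: bytes, signature: int) -> bool:
    """Client side: rebuild the expected encoding and compare it whole,
    rather than parsing the padding out of the decrypted signature."""
    return 0 <= signature < N and pow(signature, E, N) == _encode(data)

def apply_updates(files: dict) -> dict:
    """files maps name -> (content, signature); every file type gets the same check."""
    return {name: "installed" if verify(content, sig) else "rejected"
            for name, (content, sig) in files.items()}

def demo() -> dict:
    program = b"constructed program update"
    vps = b"constructed virus database"
    return apply_updates({
        "setup.bin": (program, sign(program)),             # hypothetical names
        "defs.vps": (vps, sign(vps)),
        "tampered.bin": (program + b"\x90", sign(program)),  # content altered in transit
        "swapped.vps": (vps, sign(program)),                 # valid signature, wrong file
    })

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The verification step is the same at any key size; 1024-bit RSA keys, common in 2005, are below the 2048-bit minimum in current NIST guidance.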

Chankama

  • Guest
Re: Are program updates digitally signed?
« Reply #6 on: November 22, 2005, 05:48:08 AM »
Thx kubecj and Tech. Appreciate your quick response. 1024-bit? So I guess it's an RSA signature. I was worried about updating the program, but now I guess I shouldn't worry. :)

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Are program updates digitally signed?
« Reply #7 on: November 22, 2005, 09:59:29 AM »
I also think it would be a little hard for a 3rd party to modify signatures/program updates without seriously breaking avast!'s operations and the way it works.
You'd have to completely reverse engineer it and that probably isn't exactly an easy task...
Visit my webpage Angry Sheep Blog

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: Are program updates digitally signed?
« Reply #8 on: November 22, 2005, 04:39:13 PM »
> Thx Tech. Any further info on the type of signature that is performed? I am presuming it uses the same public key as for the virus def. updates.
>
> > This topic has been recently covered so a forum search should be able to track it down.
> >
> > I can't remember the official position as to whether they are explicitly signed but there are checks in force to ensure they are what they appear to be.
> >
> > This is the thread that you started on the same topic on October 11 - http://forum.avast.com/index.php?topic=16868.0 So I guess that program updates fall into the same category.
>
> Hey David. Actually they do "not" fall into the same category. Having malicious definitions, in the worst case, will corrupt your detection database and prevent things from being detected or detect/remove things that shouldn't be removed. Whereas malicious program updates can do much more damage IMO.

By falling into the same category, I meant that if VPS updates are digitally signed it would follow that Program updates would be digitally signed, as it has now been confirmed.