How to authenticate downloaded game patches?

[Nat]

Short version: I have AI War: Fleet Command v7.061 (prerelease) plus expansions installed.  I want to update manually to patch 8.024 (official).  I found and read thread "How to manually update the game?" <https://forums.arcengames.com/ai-war-classic-technical-support/how-to-manually-update-the-game/>, as well as a similar thread on the GOG forums.  I downloaded the zip files by hand without issue, and I am comfortable installing them by hand.  However, a hand install will bypass whatever authentication checks would normally be done by the Arcen auto-updater.  Since the patch contains new executable content, I am leery of dropping in new DLLs downloaded cleartext over the Internet without completing that authentication check to confirm that what I downloaded is what Arcen intended to upload.  I have not found any information on how the Arcen auto-updater authenticates the download (Authenticode signature embedded in the binaries (none found), Authenticode wrapping the container (only supported on CAB, as far as I know), or detached signature (no sign of one on download server <http://aiwar.s3.amazonaws.com/newupdates/>)).

Questions:
(1) How does the Arcen auto-updater authenticate the download?
(2) What would be the best way for me to perform an equivalent authentication?  I can verify Authenticode signatures or OpenPGP signatures.  I can compute the digest of the files and cross-check that against a trusted digest, if someone from Arcen can confirm the expected digests of the files (preferably from the copy that was used to seed Amazon, not just by redownloading the patch from Amazon .

---
$ sha1sum AIWar*
2e2cb5f9c0da1998719ce4d2f034e9ebd8832899  AIWar7061.zip
c50bb24d3f9be526e7dad5256f4240c48611040e  AIWar8001.zip
e459bb51c7d3f19302e8ad3d59ce2d81bffdd262  AIWar8014.zip
bbc31232fa90c602577a18bb7acb41254efe022d  AIWar8024.zip
$ sha256sum AIWar*
5e25ce21e7521fcf31afcaeb2e2c7fe63424df378b46a8623016150a6597e48d  AIWar7061.zip
20032d709922a4ea2cd3c324024d452e23dbcb55ab9b3827a3d678be631990e5  AIWar8001.zip
d11163eec5e43e350f5d74fd0372a50bf7c522ac702af660b6b29fed2b818a4c  AIWar8014.zip
5ee84093518e0641f4300b82cb0b3a63ded4f9e5664f58b1b76d3cc0fd962542  AIWar8024.zip
---

Long version (no new questions beyond here, just background):
I bought AI War: Fleet Command from GOG.com (formerly Good Old Games).  I was unaware at the time that their idea of "current" is prerelease 7.061 (August 2014), rather than the actual current official 8.024 (October 2016).  They do not indicate that anywhere before or after the purchase.  Your first indication will be when you start the installed game and see its version number.  In my case, I hit a couple of crashes while playing, which prompted me to look for updates.  That was when I discovered how outdated the GOG offering was.  After it was too late for the discovery to matter, I found posts in the GOG forum for AI War discussing this.  One user posted in mid-June warning people to buy direct from Arcen, not from GOG, as a result of this.  (That thread also contained instructions on how to manually apply the update, if you trust some random Internet user to tell you the expected hashes of the downloaded files.)  It also links to an August 2014 post from a GOG employee where he indicates that GOG elected not to issue patches because Arcen was updating more often than GOG could handle, so they stopped updating to avoid shipping an outdated patch.  (Yes, they settled on an outdated prerelease patch because otherwise "we'd always run the risk of having a patch go out of date on our site very quickly" -Judas.)

Rant (against GOG, not Arcen): Arcen's most recent patch was about 9 months ago, but GOG still has not caught up (users have been complaining about it to GOG for a while, to no effect).  Apparently, often is a relative concept.  It's probably fair to assume GOG will keep shipping 7.061 as "current" for as long as they are able to sell AI War at all.  I can understand them not tracking daily patches (though I like getting frequent minor patches instead of once a year rollups like so many studios do), but being almost three years out of date, shipping a prerelease with reported bugs that are fixed in a later version, and not warning users that use of the auto-updater is required for a current version is rather unpleasant.  If Arcen could lean on GOG to catch up, it might avoid more users unintentionally running outdated code.

[x4000]

Cheers, thanks for posting.  As far as GOG goes, I thought that they already had newer versions of this installed.  For the complete pack, in particular, I thought they did.  We just had been going back and forth with them getting all that updated pretty recently.  What package did you buy?  Complete pack, DLC pack, or base game?  It may be that one of them didn't get updated, or it's entirely possible my memory is faulty, too.  We had some recent updates for TLF with them, too.

As for authenticating files, our updater doesn't do that any more than downloading and unzipping the files does.  It would have to be a pretty specific man in the middle attack to redirect urls for someone who has the game to something that actually unpacks and then functions.  The DLLs in question are .net (mono) based ones, not unmanaged code.

Best,
Chris

[Nat]

I bought "AI War Collection", which is their SKU that provides both the base game and the six expansions in a single purchase.  When I view the GOG listing of purchased games, I get a single entry labeled "AI War: Fleet Command" that offers me both an installer for the base game and a separate installer that provides all the DLCs.  I don't see any indication of a patch installer (they do that for some games, and not others), and the base game installer they offer is still the same version I downloaded when I first bought the game.  It's possible that you did negotiate an update with them and they just haven't pushed it to the store download page.  As far as I know, they usually don't announce upcoming patches prior to the new installer appearing, so I won't know it's coming until it appears.  Do you recall approximately when you were dealing with them (a few days, few weeks, couple of months, etc.)?

The post on their forum by advowson (<https://www.gog.com/forum/ai_war_fleet_command/warning_gog_version_severely_outdated_currently_7061>) pretty well matches my experience (and is how I discovered the bit from Judas quoted above).  I get the same base game installer that he/she describes.  He/she did not describe the version of the DLC installer, so I can't check that, but I assume that would not be the delivery mechanism for a patch to the base engine.

As for the DLLs, I still remember the days of viruses that would piggyback on an existing executable/DLL, which made it pretty easy for the infected component to fulfill the expected purpose as well as the malicious one.  I agree that a MITM is a bit unlikely, but it's really not that hard to intercept and mangle a cleartext HTTP stream, particularly if one endpoint is on a shared wireless network.  If you have the original zips around from when you did the upload and could confirm that the digests I posted above (which agree with advowson's on the GOG forum) are correct, it would put me at ease about installing the update.