I do not see any problem… you can just initialize a WebClient (in C# or something similar in other languages) with a direct HTTP link to the file.
I made something like that in the past; it was a custom launcher for our small WoW server.
In my solution, I also perform a version check and a size check, which are actually coded. I have that stored in another external file or in a database.
In short, my launcher works like this:
- check for connection stuff // irrelevant in this case
- check for the external file, in which a list of files, including their version and size, that should be downloaded is coded = you can't know the name or the data before you download them and dehash. The server-side coding is done manually: I need to create the “hash” and save it to the specified file, where my launcher will look for the data
- decode strings
- check local version, sizes and stuff of all files
- do the decision mechanics: which files will be deleted, redownloaded or not touched (there is a more complicated crosscheck in my solution, though: I need to check the integrity of all local files, check their version and whether they were modified by the user without permission; in your solution, a simple check of the package version against the installed version will be enough, but of course with an external size check of the downloaded package)
- Download/delete/update/whatever files based on decisions
- check the downloaded file again. This time, compare not the external file with the external data check, but the downloaded file with the external data check
- install/launch
Actually, it is not, I have used my own coding, but for the external check you can use some hashing: MD5 (weak but usable and quite quick) or some version of SHA. But I hit a problem trying this, when the file had a different checksum after the download even though the files were the same (maybe some attributes like date created/modified do that? I don’t know).
The good thing is that this method is good for basic security…
you do not know, what file will be downloaded
if the download is performed via https, you (and I hope I am not lying at this point, I have not really tested it) cannot see what file is being downloaded (and the client will not tell ya). Ofc, the file/process gets started, and there you can get the name … so add one more layer - do some magic trick, like “hash” and integrity-check even the name of the file, so yep, you have found file 46werf6sfb498r219sfb49sfb198sfb4. CG, but you do not know what that stands for. Decoding of the NAME will do the trick and will launch it (and e.g. if the string does not match some wanted string like “today_is_a_great_day_for_play.exe”, it will not be accepted for launch). Of course you can rename it to a.exe and launch it, but in this case, if you want to fake it, you need to send it, you cannot fake it - and that you can do with a regular download too.
Also, I combine multiple data, like the name and size into one hashed string, which is then decoded and processed, so in one moment, you will have to fake the name, the size and for example more, like some inner attribute that can be checked …
Again, it might seem complicated, but it is not …
Gather some data from the file, hash it. Provide it to the client, where the downloaded file will be dehashed and checked.
What's more, again, I am talking as a C# programmer: when you call a WebClient method, it will call the regular component of the OS, like it is called by any browser. If the correct link is provided, the game will act as if you had downloaded the file (which is technically safer, because of situations like "Where can I get it? -Here, my friend evil laugh"). In this case, the game does it automatically.
Of course, we can talk about a fake proxy or fake DNS, but in that case even a regular download would get you the fake file.
Also, the updater/installer in this case will open in the same way as if you had downloaded the file manually, as you call Process.Start(file), the same as when you click it. So the UAC will show up and then you can see the digital signature.
I am not 100% sure if I want to give my coding method away, but in case you are interested in this, maybe I can help my favourite game and provide the code for inspiration, in case it will not be shared and will be used only on this project.
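
An added example, not the poster's launcher code: a minimal Python version of the manifest check described in this post (compare each local file's size and SHA-256 against a manifest, then decide keep/download/delete), which also shows that changing a file's timestamps leaves its content hash unchanged. The manifest layout, file names and file contents are constructed for illustration, and the manifest is assumed to be fetched over HTTPS from the publisher's server.

```python
import hashlib, hmac, os, tempfile

def sha256_file(path, chunk=1 << 16):
    """Hash the file's bytes only; timestamps and attributes are not part of the digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(path, entry):
    """True only if the file exists and both its size and SHA-256 match the manifest entry."""
    if not os.path.isfile(path) or os.path.getsize(path) != entry["size"]:
        return False
    return hmac.compare_digest(sha256_file(path), entry["sha256"])

def plan(manifest, install_dir):
    """Per file: keep (verified), download (missing or mismatched), delete (not in manifest)."""
    actions = {}
    for name, entry in manifest["files"].items():
        # Reject manifest names that could point outside the install directory.
        if os.path.basename(name) != name or name in ("", ".", ".."):
            raise ValueError(f"unsafe file name in manifest: {name!r}")
        ok = verify(os.path.join(install_dir, name), entry)
        actions[name] = "keep" if ok else "download"
    for name in os.listdir(install_dir):
        if name not in manifest["files"]:
            actions[name] = "delete"
    return actions

def demo():
    """Constructed install directory and manifest; returns (actions, hash_unchanged_by_utime)."""
    good, stale = b"patch-1.2 contents", b"patch-1.1 contents"
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("data.pak", good), ("game.exe", stale), ("old.tmp", b"x")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        manifest = {"version": "1.2", "files": {
            "data.pak": {"size": 18, "sha256": hashlib.sha256(good).hexdigest()},
            # Same size as the stale local file, so only the hash catches the difference.
            "game.exe": {"size": 18, "sha256": hashlib.sha256(b"patch-1.2 game exe").hexdigest()},
            "maps.pak": {"size": 4, "sha256": hashlib.sha256(b"maps").hexdigest()},
        }}
        target = os.path.join(d, "data.pak")
        before = sha256_file(target)
        os.utime(target, (1_000_000_000, 1_000_000_000))  # change timestamps only
        return plan(manifest, d), before == sha256_file(target)

if __name__ == "__main__":
    print(demo())
```

After a download, the same `verify` call is run on the downloaded file before it is installed or launched.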