Thanks Mitchell! These are the steps that I did to test the theory -
1. I changed the digest values in the manifest file
2. Cleared the appdata of the previous runs of the same package
3. Ran the same package
Result - package ran without a problem
Reason why I'm asking is that info security team has questioned the whether it is possible to manipulate the package at the users end. I was wondering it was the manifest file that kept the integrity of the package in-tact.
I do understand that manifest file helps in getting the latest version of the package. Apart from that does in help the package in any other ways? Is there anything else in the package that helps maintain the integrity of the package?
Did you check to see if the files were downloaded when you did this? My understanding is that the local manifest is checked against the server manifest and if they are different the package is downloaded from the server.
It is possible to sign a package if the location you are deploying to (server for instance) is not secure. This is normally a secure location.
Yes, I did confirm that the files were not downloaded. Also the security team was worried about the users copying over the package to a different local folder or to a different machine, manipulating the package and running it locally without connecting to the robot manager. So the question, in a way, is that how can we make sure that package can safeguard its integrity and will fail to run if someone tampers with it after it is deployed to a user's machine?