-
Notifications
You must be signed in to change notification settings - Fork 902
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Checksum requirement and enhancements #112
Comments
Is the feature |
Note that checksums are now required.
Provide insight that checksums are now required and how a maintainer can go about gathering that information. Also suggest urls use https instead of just http.
If downloaded from https location, relax checksum missing failure until 0.10.1.
* stable: (23 commits) (GH-897) Fix DISM /all for newer Windows versions (maint) bring back in nuspec into solution folders (GH-598) Add output directory for choco pack (version) bump to 0.10.0 (doc) update CHANGELOG/nuspec (GH-840) Do not set User Environment for SYSTEM (GH-840) Set TMP to cacheLocation as well (GH-830) Ensure process PSModulePath items (GH-112) Relax HTTPS checksum failure (maint) move noop run (GH-833) Don't set profile under certain conditions (doc) update generated docs (GH-112) update options for new version (GH-112) Checksums / Install Template (GH-112) Update parameter documentation (GH-112) Require checksums (GH-112) Allow Empty Checksums (GH-112) Checksum remote files unless checksum (GH-112) Allow user passed checksums (GH-112) rename checksum files for proper casing ...
Secure locations, such as HTTPS, have quite a bit of protection surrounding them. By default allow missing/empty checksums when the locations are secure. Allow the feature to be shut off either by turning off the feature `allowEmptyChecksumsSecure` or using the switch `--require-checksums`.
Ensure there is no outside influence for environment variables that are set by choco.
When debugging parameters are passed, ensure that originalUrl is also passed for debugging purposes.
* stable: (GH-112) update tab expansion (doc) update generated docs (GH-112) Get-ChecksumValid - update debug params (GH-833) Don't set tab completion if profile null (doc) update CHANGELOG/nuspec (GH-866) Fix - packages.config fails on licensed config (GH-112) clear existing environment vars (doc) add checksum verification notes (GH-112) Empty Checksums for Secure Locations (maint) remove magic strings for environment vars (maint) move environment vars to env section
For "option 2" above, I suggest the briefest of explanations of how to do that with a link to the appropriate documentation. Presumably it is:
|
Also, I'm using Install-ChocolateyZipPackage to install a local zip file that is embed in the pkg. Are local files exempt from the upcoming checksum requirement or will I need to use Get-ChocolateyUnzip (apparently I didn't see that or it wasn't there when we created lessmsi's package)? ...or should I just supply a checksum to Install-ChocolateyZipPackage? |
@activescott local files won't need it. Get-ChocolateyUnzip has always been used by Install-ChocolateyZipPackage so you just likely missed it. Plus the documentation surrounding functions has recently had a huge makeover, so it's much better now, especially in discovery of other methods. |
@ferventcoder Awesome post. Especially appreciate the boxstarter note. Thanks! |
Avoid issues with newer chocolaty versions chocolatey/choco#112 (comment)
Give the user more options when dealing with downloads
--ignore-checksums
(done with Checksumming can not be turned off by the feature flag #33)allowEmptyChecksums
set to false by default.--allow-empty-checksums
,--require-checksums
at runtime to override default behavior.allowEmptyChecksumsSecure
set to true by default (for HTTPS).Choco v1 will not allow package installs without checksums by default. For folks to be insecure, they will need to explicitly ignore checksumming or be more secure by providing their own.This has been moved up to 0.10.0.Bumping up the priority on this after a recent incident - see https://twitter.com/ferventcoder/status/760892254542102528 and http://us8.campaign-archive1.com/?u=86a6d80146a0da7f2223712e4&id=f2fe8dbe6b for details.
NOTE: We decided to relax the checksum missing failure to only HTTP for now, but will require it for HTTPS as well when #895 releases.
Running into this issue?
Option 1 - Pass the checksums through
You can pass the checksums through to the install / upgrade:
NOTE: For best security, you may wish to manually download the installer and check it with VirusTotal first, then using the checksum that VT shows on its page to pass with the choco install command. Nothing will be saved in time here, but hopefully the time savings occurs in reporting and future upgrades of the package. Reasoning: The checksum could change if the link to download resources is non-specific (not tied to a specific version). But if it is a version specific download, one should really be asking themselves why this occurred rather than simply ignoring a built-in security mechanism. It could be because the software vendor doesn't adhere to the idea of not changing a released version once offered, but it could be due to the distribution site getting hacked and offering a bad version just waiting for unsuspecting folks to download the hacked software. Without using some other method of verification when checksums fail, you are hoping that your anti-virus software would protect you in a hacked situation.
See https://chocolatey.org/docs/commands-install / https://chocolatey.org/docs/commands-upgrade:
Option 2 - Fix the package to download over HTTPS if possible, and use checksums
Update the package accordingly so it complies with the new security enhancements.
Option 3 - If the package is internal, embed the resources in the package (or put on an internal share)
Many organizations using Chocolatey internally will create packages that use internal or embedded resources. They also go through a process called recompiling to download an existing package and recompile it to use internal resources - https://chocolatey.org/docs/how-to-recompile-packages
Option 4 - Accept the risk
Now we are into the non-recommended options. So if you want to use this package and you are fine with the risks over a package downloading over HTTP without verifying the integrity of the binaries then you can use the following:
If you are using a tool that is using an older version of Chocolatey, like Boxstarter or ChocolateyGUI, but you've upgraded your local Chocolatey to v0.10.0, you may want to use:
See https://chocolatey.org/docs/commands-install / https://chocolatey.org/docs/commands-upgrade:
Option 5 - Accept the risk for everything
You can turn off the behavior by running an exec that will turn on the feature
allowEmptyChecksums
. This is a nuclear option and subverts the protections brought in by this feature. You can also turn off the featurechecksumFiles
to turn off checksumming entirely.Option 6 - Downgrade Chocolatey
Downgrading to an older version doesn't remove the risk that is there in downloading resources from the internet. 0.10.0 is more upfront about those issues so you can make an informed, aware decision on what you are installing.
The text was updated successfully, but these errors were encountered: