Do not treat unknown checksum types as MD5

[jberezanski]

Currently, when a package passes a checksum type unknown to Chocolatey, Chocolatey treats it as MD5. This is suboptimal, as it leads to misleading error messages about checksum verification failures, such as here.

Upon encountering an unknown checksum type, Chocolatey should stop the installation with a clear error: "Checksum type '$checksumType' is unsupported. Please upgrade your Chocolatey client."

sha256/sha512 were added in 0.9.9.9 - #113

[ferventcoder]

And how do you propose we fix that older version?

[ferventcoder]

More information - We can fix this going forward, but the message is already there in the older versions, where we would want the to be. But we can't put it in the older versions so they would need to upgrade to take advantage of that. A slight chicken and egg problem if you get where I'm going with this.

[ferventcoder]

In retrospect, it was likely a bad idea not to bubble that up as a warning. And possibly to do that at all.

[ferventcoder]

I guess it used to be worse -

choco/src/chocolatey.resources/helpers/functions/Get-CheckSumValid.ps1

Line 27 in 2639afd

if ($checksumType -ne 'sha1') { $checksumType = 'md5'}

This is representative of what those older clients are doing, not even a warning or a debug message.

[ferventcoder]

In all fairness, at least the error message mentions the wrong type -

choco/src/chocolatey.resources/helpers/functions/Get-CheckSumValid.ps1

Line 51 in 2639afd

throw "Checksum for `'$file'` did not meet `'$checksum`' for checksum type `'$checksumType`'."

[ferventcoder]

It's still wrong though, and we should handle it. As a workaround, I think we'll suggest folks take a dependency on at least the version of Chocolatey that is necessary to support the package. Although that may not fix the current install chain (until choco reloads during the current install chain when it is brought in as a dependency).

[jberezanski]

Yes, there is nothing we can do about the older versions, we can only prevent this from occurring in the future (in case a new hash algorithm gains popularity).

I like the dependency on a minimum Chocolatey version. Perhaps it could be made an official moderation requirement and a check for it could even be implemented in the validator?

The issue of choco upgrade not affecting the current install brings back memories: chocolatey-archive/chocolatey#460
I'm not sure how the autoupgrade process of Chocolatey works currently (which files are replaced when). However, checksum support is implemented in Get-CheckSumValid.ps1 and checksum.exe, so reloading of choco.exe should not be required for the new algorithms to light up - assuming (1) the helpers and tools are upgraded in place and (2) choco.exe resets its PowerShell host state between packages.

[ferventcoder]

@jberezanski with upgrade, all module files are reimported, but the rest of Chocolatey (exe parts) still runs under the old process during upgrade.

This can lead to an undesired situation. For instance - if I called an install for something that needed 0.10.0, which has the new checksum requirement and it brought the module files along with it, the install will fail for something that takes a dependency but doesn't have checksums in it. Plus you can't pass --allow-empty-checksums to the older version. Even if you could, choco.exe 0.9.10.3 wouldn't be able to pass the proper arguments/environment variables through to the new module code.

The above situation is about impossible to expect it to ever pass, but I can imagine there may be a situation where one thing is required to be passed from the exe to the PowerShell modules that could fail spectacularly.

[jberezanski]

Agreed.
I've created a new issue so that we do not wander off-topic here too much ;-)