Join GitHub today
GitHub is home to over 31 million developers working together to host and review code, manage projects, and build software together.Sign up
Vcpkg 2018.11.23-nohash #2733
As part of installing packages, vcpkg downloads several external executables such as
To protect users from malicious executables, the vcpkg system has hashes checked in for every file that is externally downloaded. Unfortunately, NuGet.org has just modified all existing packages to include signature files inside the zip, which changes the hash.
We have fixed this issue in Vcpkg master, however since appveyor uses an older copy it will not have these fixes until the next image update.
These are the possible mitigation strategies I see:
A longer-term mitigation against issues like this in the future would be to recommend in the appveyor docs on vcpkg that users explicitly pull new versions before running their build.
added a commit
Nov 8, 2018
referenced this issue
Nov 8, 2018
@ras0219-msft will add this to next image update, Unfortunately we started distribution of new image yesterday and it is already late to get into this train. Next one should not take too long. As you see I am updating documentation, and you are welcome to contribute too :)