Merge branch 'stable'
* stable:
  (GH-112) update tab expansion
  (doc) update generated docs
  (GH-112) Get-ChecksumValid - update debug params
  (GH-833) Don't set tab completion if profile null
  (doc) update CHANGELOG/nuspec
  (GH-866) Fix - packages.config fails on licensed config
  (GH-112) clear existing environment vars
  (doc) add checksum verification notes
  (GH-112) Empty Checksums for Secure Locations
  (maint) remove magic strings for environment vars
  (maint) move environment vars to env section
ferventcoder committed Aug 11, 2016
2 parents edc338e + cbf1180 commit d5e1850
Showing 20 changed files with 241 additions and 70 deletions.
18 changes: 15 additions & 3 deletions CHANGELOG.md
@@ -1,4 +1,4 @@
## [0.10.0](https://github.com/chocolatey/choco/issues?q=milestone%3A0.10.0+is%3Aclosed) (unreleased)
## [0.10.0](https://github.com/chocolatey/choco/issues?q=milestone%3A0.10.0+is%3Aclosed) (August 11, 2016)
What was planned for 0.9.10.4 is now 0.10.0. This is due partly to a breaking change we are making for security purposes and a move to provide better a better versioning scheme for the remainder of the sub-v1 versions of Chocolatey. Instead of 0.y.z.0 being considered where major verions occur in the sub 1 series, 0.y.0 will now be considered where those major versions occur. We also are moving right along towards v1 (and hope to be there in 2017).

0.10.0 carries the fixes for 0.9.10.4 and includes a major security enhancement (checksum requirement).
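Review bot: the date stamp "(August 11, 2016)" matches the commit date shown above, so the heading change is fine; while this paragraph is being touched, the unchanged context line that follows reads "provide better a better versioning scheme" and "major verions", which should be "provide a better versioning scheme" and "major versions".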
Expand All @@ -9,7 +9,7 @@ What was planned for 0.9.10.4 is now 0.10.0. This is due partly to a breaking ch

Checksums in package scripts are meant as a measure to validate the originally intended downloaded resources used in the creation of a package are the same files that are received at a future date. This also ensures that the same files that are checked by all parts of moderation (if applicable) are the same files that are received by users for a package. This is seen mostly on the community repository because it is public and packages are subject to copyright laws (distribution rights), which typically requires the package scripts to download software from the official distribution locations. The Chocolatey framework has had the ability to use checksums in package scripts since [July 2014](https://chocolatey.org/packages/chocolatey/0.9.8.24#releasenotes).

**What is the requirement?** choco will now fail if a package download resources from HTTP/FTP and does not use checksums to verify those downloaded resources. The requirement for HTTP/FTP is [#112](https://github.com/chocolatey/choco/issues/112). Soon we'll also require it for [HTTPS (#895)](https://github.com/chocolatey/choco/issues/895) as well.
**What is the requirement?** choco will now fail if a package download resources from HTTP/FTP and does not use checksums to verify those downloaded resources. The requirement for HTTP/FTP is [#112](https://github.com/chocolatey/choco/issues/112). We are considering also requiring it for [HTTPS (#895)](https://github.com/chocolatey/choco/issues/895) as well. You can optionally set a feature (`allowEmptyChecksumsSecure`) to ensure packages using HTTPS also use checksums.

**How does this protect the community anymore than before?** During moderation review, there is a check of these downloaded binaries against VirusTotal (which verifies these binaries against 50-60+ different virus scanners). The binaries are also verified for installation purposes against a test computer. With an independent 3rd party checksum in the package itself, it guarantees that the files received by a user from those remote sources are the exact same files that were used in the verification process.

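Review bot: the added sentence "You can optionally set a feature (`allowEmptyChecksumsSecure`) to ensure packages using HTTPS also use checksums" has the polarity wrong, or at best ambiguous: the CommandsInstall.md help text in this same commit shows the feature defaults to 'True' and, when on, allows empty checksums, so HTTPS enforcement comes from disabling it (the next hunk says this correctly: "disable the feature `allowEmptyChecksumsSecure`"). Suggest "You can optionally disable the feature `allowEmptyChecksumsSecure` to also require checksums for HTTPS downloads." On the same line, "if a package download resources" should read "downloads resources".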
Expand All @@ -20,7 +20,9 @@ You can shut off the checksum requirement by enabling the feature `allowEmptyChe

You can shut it off or turn it per package install/upgrade with `--allow-empty-checksums` and `--require-checksums`, respectively. See https://chocolatey.org/docs/commands-install / https://chocolatey.org/docs/commands-upgrade.

**Other things I should know?** Users also now have the ability to pass their own checksums and checksumtypes into the install. See https://chocolatey.org/docs/commands-install / https://chocolatey.org/docs/commands-upgrade.
You can also disable the feature `allowEmptyChecksumsSecure` to enforce checksums for packages that download from secure locations (HTTPS).

**Other things I should know?** Users also now have the ability to pass their own checksums and checksumtypes into the install. See https://chocolatey.org/docs/commands-install / https://chocolatey.org/docs/commands-upgrade. You can also disable `allowEmptyChecksumsSecure` to ensure HTTPS checksums are also .

### KNOWN ISSUES

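Review bot: the added line ending "to ensure HTTPS checksums are also ." is cut off (a word such as "required" is missing before the period), and it restates the sentence added two lines earlier ("You can also disable the feature `allowEmptyChecksumsSecure` to enforce checksums for packages that download from secure locations (HTTPS)."). Keep one of the two and finish the sentence.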
Expand Down Expand Up @@ -50,13 +52,16 @@ You can shut it off or turn it per package install/upgrade with `--allow-empty-c
* Fix - When Choco fails to get a package from NuGet Core, fail the package with exit code 1 - see [#867](https://github.com/chocolatey/choco/issues/867)
* Fix - Illegal characters in path - see [#857](https://github.com/chocolatey/choco/issues/857)
* Fix - Get-OSArchitectureWidth doesn't do what it says it does - see [#828](https://github.com/chocolatey/choco/issues/828)
* Fix - Pro/Business - Choco install config file fails on licensed assembly - see [#866](https://github.com/chocolatey/choco/issues/866)
* Fix - DISM /all doesn't run anywhere but Windows 6.2 -- no dependencies get installed - see [#897](https://github.com/chocolatey/choco/issues/897)

### IMPROVEMENTS

* Do not install tab completion (edit of profile) under certain conditions - see [#833](https://github.com/chocolatey/choco/issues/833)
* Choco install with packages.config should print out the packages to install - see [#878](https://github.com/chocolatey/choco/issues/878)
* Larger default log file size and retention - see [#852](https://github.com/chocolatey/choco/issues/852)
* Allow getting installer type to be overridden - see [#885](https://github.com/chocolatey/choco/issues/885)
* Pack - Add optional output folder option - see [#598](https://github.com/chocolatey/choco/issues/598)
* Little command name correction on init.ps1 - see [#595](https://github.com/chocolatey/choco/issues/595)
* Tab completion - don't query if there is a file in the folder that meets completion - see [#847](https://github.com/chocolatey/choco/issues/847)

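Review bot: the new #833 entry "under certain conditions" is vaguer than the commit it summarizes ("Don't set tab completion if profile null"); state the condition, e.g. "Do not install tab completion (edit of profile) when the PowerShell profile is not set". The #866 entry "Choco install config file fails on licensed assembly" would be clearer as "Choco install with packages.config fails on licensed assembly", matching both the commit title ("packages.config fails on licensed config") and the wording of the #878 entry below.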
Expand All @@ -77,6 +82,7 @@ You can shut it off or turn it per package install/upgrade with `--allow-empty-c
* Hold pending check for 10 seconds / provide means of explicitly overriding the transactional install cleanup - see [#822](https://github.com/chocolatey/choco/issues/822)
* Pro/Business - Add runtime skip option to allow skipping the virus scanner - see [#786](https://github.com/chocolatey/choco/issues/786)


## [0.9.10.2](https://github.com/chocolatey/choco/issues?q=milestone%3A0.9.10.2+is%3Aclosed) (June 19, 2016)

### BUG FIXES
Expand Down Expand Up @@ -309,18 +315,21 @@ This further restricts the default installation location by removing all permiss
* API - Choco search should sort by version - see [#668](https://github.com/chocolatey/choco/issues/668)
* API - Switch dll to .NET Client Profile - see [#680](https://github.com/chocolatey/choco/issues/680)


## [0.9.9.12](https://github.com/chocolatey/choco/issues?q=milestone%3A0.9.9.12+is%3Aclosed) (March 18, 2016)

### BUG FIXES

* Fix - PowerShell "Collection is read-only" - see [#659](https://github.com/chocolatey/choco/issues/659)


## [0.9.9.11](https://github.com/chocolatey/choco/issues?q=milestone%3A0.9.9.11+is%3Aclosed) (October 6, 2015)

### BUG FIXES

* Fix - Pin list is broken - see [#452](https://github.com/chocolatey/choco/issues/452)


## [0.9.9.10](https://github.com/chocolatey/choco/issues?q=milestone%3A0.9.9.10+is%3Aclosed) (October 3, 2015)

Not to be confused with 0.9.10 (this is not that version). This fixes a small but extremely significant issue with relation to configuration managers and other tools that use choco.
Expand All @@ -330,6 +339,7 @@ Not to be confused with 0.9.10 (this is not that version). This fixes a small bu
* Fix - List output for other tools messed up in 0.9.9.9 (pipe separator missing) - see [#450](https://github.com/chocolatey/choco/issues/450)
* Fix - accidentally escaped characters in "new" -help - see [#447](https://github.com/chocolatey/choco/issues/447)


## [0.9.9.9](https://github.com/chocolatey/choco/issues?q=milestone%3A0.9.9.9+is%3Aclosed) (October 2, 2015)

With this release you can completely configure choco from the command line (including the priority of sources). Choco now allows you to create [custom package templates](https://github.com/chocolatey/choco/issues/76). Choco has [proper proxy support](https://github.com/chocolatey/choco/issues/243) now. We also squashed up some bugs, like the infinite download loop that happens if the connection is lost. We've also improved the installation experience of Chocolatey itself, [unpacking all of the required setup files in the chocolatey package](https://github.com/chocolatey/choco/issues/347) and improving the messaging output during the bootstrapping process. Chocolatey also [doesn't try to write config updates every command](https://github.com/chocolatey/choco/issues/364), unless something actually changes in the config file. And last but not least for mentions, the issue of [choco not recognizing itself as needing upgraded after being installed by the bootstrapper](https://github.com/chocolatey/choco/issues/414) is now fixed.
Expand Down Expand Up @@ -374,6 +384,7 @@ With this release you can completely configure choco from the command line (incl
* Set environment variables once configuration is complete - see [#420](https://github.com/chocolatey/choco/issues/420)
* Enhance Package Template for 0.9.9.9 - see [#366](https://github.com/chocolatey/choco/issues/366)


## [0.9.9.8](https://github.com/chocolatey/choco/issues?q=milestone%3A0.9.9.8+is%3Aclosed) (June 26, 2015)

### BUG FIXES
Expand All @@ -385,6 +396,7 @@ With this release you can completely configure choco from the command line (incl

* Download Progress Bar is Missing - see [#56](https://github.com/chocolatey/choco/issues/56)


## [0.9.9.7](https://github.com/chocolatey/choco/issues?q=milestone%3A0.9.9.7+is%3Aclosed) (June 20, 2015)

"Fix Everything. Fix All The Things" - There have been some things bugging us for a long time related to limitations with NuGet, so we decided to fix that. Like [nuspec enhancements](https://github.com/chocolatey/choco/issues/205), that crazy [content folder restriction](https://github.com/chocolatey/choco/issues/290) has been removed (I know, right?!), and we're working around [badly](https://github.com/chocolatey/choco/issues/316) [behaved](https://github.com/chocolatey/choco/issues/326) packages quite a bit more to bring you more feature parity.
6 changes: 3 additions & 3 deletions docs/generated/CommandsDownload.md
Expand Up @@ -114,9 +114,9 @@ Includes [[default options/switches|CommandsReference#default-options-and-switch
Recompile - Download all external resources and recompile the package to
use the local resources instead.
--embed
Embed - When recompiling packages, embed the downloaded resources into
the package.
--resources-location=VALUE
Resources Location - When recompiling, use this location for resources
instead of embedding the downloaded resources into the package.
--outputdirectory=VALUE
OutputDirectory - Specifies the directory for the downloaded Chocolatey
21 changes: 15 additions & 6 deletions docs/generated/CommandsInstall.md
Expand Up @@ -275,14 +275,23 @@ Includes [[default options/switches|CommandsReference#default-options-and-switch
the default feature 'checksumFiles' set to 'True'. Available in 0.9.9.9+.
--allowemptychecksum, --allowemptychecksums, --allow-empty-checksums
Allow Empty Checksums - Allow packages to have empty checksums.
Overrides the default feature 'allowEmptyChecksums' set to 'False'.
Available in 0.10.0+.
Allow Empty Checksums - Allow packages to have empty/missing checksums
for downloaded resources from non-secure locations (HTTP, FTP). Use this
switch is not recommended if using sources that download resources from
the internet. Overrides the default feature 'allowEmptyChecksums' set to
'False'. Available in 0.10.0+.
--allowemptychecksumsecure, --allowemptychecksumssecure, --allow-empty-checksums-secure
Allow Empty Checksums Secure - Allow packages to have empty checksums
for downloaded resources from secure locations (HTTPS). Overrides the
default feature 'allowEmptyChecksumsSecure' set to 'True'. Available in
0.10.0+.
--requirechecksum, --requirechecksums, --require-checksums
Require Checksums - Requires packages to have checksums. Overrides the
default feature 'allowEmptyChecksums' set to 'False'. Available in 0.1-
0.0+.
Require Checksums - Requires packages to have checksums for downloaded
resources (both non-secure and secure). Overrides the default feature
'allowEmptyChecksums' set to 'False' and 'allowEmptyChecksumsSecure' set
to 'True'. Available in 0.10.0+.
--checksum, --downloadchecksum, --download-checksum=VALUE
Download Checksum - a user provided checksum for downloaded resources
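Review bot: "Use this switch is not recommended if using sources that download resources from the internet" is ungrammatical; it should read "Using this switch is not recommended ...". Since this file lives under docs/generated, the fix belongs in the option's help string in the source, which will also correct the identical text in CommandsUpgrade.md on regeneration. The rewritten --require-checksums text does resolve the earlier line-wrapped version string ("0.1-" / "0.0+"), which is good.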
5 changes: 5 additions & 0 deletions docs/generated/CommandsPack.md
Expand Up @@ -22,6 +22,7 @@ Chocolatey will attempt to package a nuspec into a compiled nupkg. Some
choco pack
choco pack --version 1.2.3
choco pack path/to/nuspec
choco pack --outputdirectory build


## Options and Switches
Expand Down Expand Up @@ -89,6 +90,10 @@ Includes [[default options/switches|CommandsReference#default-options-and-switch
--version=VALUE
Version - The version you would like to insert into the package.
--outputdirectory=VALUE
OutputDirectory - Specifies the directory for the created Chocolatey
package file. If not specified, uses the current directory.
~~~

[[Command Reference|CommandsReference]]
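Review bot: the new --outputdirectory entry lacks the "Available in 0.10.0+." marker that the other switches introduced in this commit carry (see the checksum switches in CommandsInstall.md), and the CHANGELOG lists this as a 0.10.0 improvement (#598); add it so users on older versions know the switch is absent. It would also help to say whether a directory that does not exist is created or must already exist.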
2 changes: 1 addition & 1 deletion docs/generated/CommandsReference.md
Expand Up @@ -15,8 +15,8 @@ This is a listing of all of the different things you can pass to choco.
* [[pack|Commandspack]] - packages up a nuspec to a compiled nupkg
* [[push|Commandspush]] - pushes a compiled nupkg
* [[new|Commandsnew]] - generates files necessary for a chocolatey package from a template
* [[sources|Commandssources]] - view and configure default sources (alias for source)
* [[source|Commandssource]] - view and configure default sources
* [[sources|Commandssources]] - view and configure default sources (alias for source)
* [[config|Commandsconfig]] - Retrieve and configure config file settings
* [[feature|Commandsfeature]] - view and configure choco features
* [[features|Commandsfeatures]] - view and configure choco features (alias for feature)
21 changes: 15 additions & 6 deletions docs/generated/CommandsUpgrade.md
Expand Up @@ -177,14 +177,23 @@ Includes [[default options/switches|CommandsReference#default-options-and-switch
the default feature 'checksumFiles' set to 'True'. Available in 0.9.9.9+.
--allowemptychecksum, --allowemptychecksums, --allow-empty-checksums
Allow Empty Checksums - Allow packages to have empty checksums.
Overrides the default feature 'allowEmptyChecksums' set to 'False'.
Available in 0.10.0+.
Allow Empty Checksums - Allow packages to have empty/missing checksums
for downloaded resources from non-secure locations (HTTP, FTP). Use this
switch is not recommended if using sources that download resources from
the internet. Overrides the default feature 'allowEmptyChecksums' set to
'False'. Available in 0.10.0+.
--allowemptychecksumsecure, --allowemptychecksumssecure, --allow-empty-checksums-secure
Allow Empty Checksums Secure - Allow packages to have empty checksums
for downloaded resources from secure locations (HTTPS). Overrides the
default feature 'allowEmptyChecksumsSecure' set to 'True'. Available in
0.10.0+.
--requirechecksum, --requirechecksums, --require-checksums
Require Checksums - Requires packages to have checksums. Overrides the
default feature 'allowEmptyChecksums' set to 'False'. Available in 0.1-
0.0+.
Require Checksums - Requires packages to have checksums for downloaded
resources (both non-secure and secure). Overrides the default feature
'allowEmptyChecksums' set to 'False' and 'allowEmptyChecksumsSecure' set
to 'True'. Available in 0.10.0+.
--checksum, --downloadchecksum, --download-checksum=VALUE
Download Checksum - a user provided checksum for downloaded resources
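Review bot: same grammar problem as in CommandsInstall.md: "Use this switch is not recommended" should be "Using this switch is not recommended". Both generated files come from the same option help string, so correct it there once and regenerate rather than editing either file by hand.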
53 changes: 48 additions & 5 deletions docs/generated/HelpersGetChecksumValid.md
Expand Up @@ -9,21 +9,55 @@ Get-ChecksumValid `
-File <String> `
[-Checksum <String>] `
[-ChecksumType <String>] `
[-OriginalUrl <String>] `
[-IgnoredArguments <Object[]>] [<CommonParameters>]
~~~

## Description

Makes a determination if a file meets an expected checksum. This
function is usually used when comparing a file that is downloaded from
an official distribution point. If the checksum fails to
match, this function throws an error.
Makes a determination if a file meets an expected checksum signature.
This function is usually used when comparing a file that is downloaded
from an official distribution point. If the checksum fails to match the
expected output, this function throws an error.

Checksums have been used for years as a means of verification. A
checksum hash is a unique value or signature that corresponds to the
contents of a file. File names and extensions can be altered without
changing the checksum signature. However if you changed the contents of
the file, even one character, the checksum will be different.

Checksums are used to provide as a means of cryptographically ensuring
the contents of a file have not been changed. While some cryptographic
algorithms, including MD5 and SHA1, are no longer considered secure
against attack, the goal of a checksum algorithm is to make it
extremely difficult (near impossible with better algorithms) to alter
the contents of a file (whether by accident or for malicious reasons)
and still result in the same checksum signature.

When verifying a checksum using a secure algorithm, if the checksum
matches the expected signature, the contents of the file are identical
to what is expected.

## Notes

This uses the checksum.exe tool available separately at
https://chocolatey.org/packages/checksum.

Options that affect checksum verification:

* `--ignore-checksums` - skips checksumming
* `--allow-empty-checksums` - skips checksumming when the package is missing a checksum
* `--allow-empty-checksums-secure` - skips checksumming when the package is missing a checksum for secure (HTTPS) locations
* `--require-checksums` - requires checksums for both non-secure and secure locations
* `--download-checksum`, `--download-checksum-type` - allows user to pass their own checksums
* `--download-checksum-x64`, `--download-checksum-type-x64` - allows user to pass their own checksums

Features that affect checksum verification:

* `checksumFiles` - when turned off, skips checksumming
* `allowEmptyChecksums` - when turned on, skips checksumming when the package is missing a checksum
* `allowEmptyChecksumsSecure` - when turned on, skips checksumming when the package is missing a checksum for secure (HTTPS) locations

## Aliases

None
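Review bot: the expanded description repeatedly calls the checksum a "signature" ("expected checksum signature", "unique value or signature", "same checksum signature", "matches the expected signature"); a checksum is a hash, not a signature, and it proves only that the file matches the expected value, not who produced it, so use "checksum" or "hash" throughout. The closing paragraph "if the checksum matches the expected signature, the contents of the file are identical to what is expected" needs qualifying: the paragraph just above it says MD5 and SHA1 are no longer secure against attack, and the parameter table further down still shows the -ChecksumType default as md5, so this is the place to recommend sha256. Minor: "Checksums are used to provide as a means of" should drop "to provide", and the `--download-checksum-x64` bullet repeats the previous bullet's text verbatim instead of saying it applies to the 64-bit resource.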
Expand All @@ -33,7 +67,7 @@ None
**EXAMPLE 1**

~~~powershell
Get-CheckSumValid -File $fileFullPath -CheckSum $checksum -ChecksumType $checksumType
Get-ChecksumValid -File $fileFullPath -CheckSum $checksum -ChecksumType $checksumType
~~~

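Review bot: the example's cmdlet name is corrected to Get-ChecksumValid, but the parameter is still written -CheckSum while the syntax block above spells it -Checksum; PowerShell binds parameter names case-insensitively, so this is a documentation consistency point only, but the doc should use one spelling.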
Expand Down Expand Up @@ -105,6 +139,15 @@ Position? | 3
Default Value | md5
Accept Pipeline Input? | false

### -OriginalUrl [&lt;String&gt;]
Property | Value
---------------------- | -----
Aliases |
Required? | false
Position? | 4
Default Value |
Accept Pipeline Input? | false

### -IgnoredArguments [&lt;Object[]&gt;]
Allows splatting with arguments that do not apply. Do not use directly.

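Review bot: the new -OriginalUrl parameter table has no description line, unlike -IgnoredArguments directly below it; state what the function does with the URL. The commit list mentions "Empty Checksums for Secure Locations", which suggests the URL is used to tell HTTPS from HTTP/FTP downloads when deciding whether an empty checksum is allowed, but the doc should say so rather than leave readers to infer it.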