What You Are Seeing?
In the current version of choco (0.10.3) the Install-ChocolateyPackage command has two parameters: checksum and checksumType.
While it is possible to provide the checksumType, this version of chocolatey determines the type based on the length of the string.
What is Expected?
The checksum should always be checked in the provided checksumType. Or the checksumType parameter should be removed and the type discovered based on the length of the string.
In any case the Verifier for community packages should always check for the checksumType to avoid broken packages for customers with older versions of Chocolatey.
How Did You Get This To Happen? (Steps to Reproduce)
Create a package with checksumType = sha256, but with a checksum of type md5
This package can be uploaded to the community feed without any validation or verification error
While it works for newer Chocolatey versions (0.10.3) it fails for older ones.
When the checksum type is wrong, it should still be used when
validating signatures. Even if the checksum is a correct checksum for
another type. This provides the most deterministic behavior.
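As an added example (not Chocolatey's own code), the PowerShell below contrasts the length-based inference the report describes with honouring the declared checksumType, as the commit message requires. It uses a constructed sample file; the length-to-type table and the function names are assumptions made for the illustration.

```powershell
# Added example, not Chocolatey's code: why a mislabelled checksum slips past
# length-based type inference but is rejected when the declared type is used.
function Get-FileChecksum {
    param(
        [Parameter(Mandatory)][string] $Path,
        [Parameter(Mandatory)][ValidateSet('md5','sha1','sha256','sha512')][string] $Algorithm
    )
    (Get-FileHash -Path $Path -Algorithm $Algorithm).Hash.ToLowerInvariant()
}

# Assumed reconstruction of "determine the type from the string length".
function Get-ChecksumTypeFromLength {
    param([string] $Checksum)
    switch ($Checksum.Length) {
        32      { 'md5' }
        40      { 'sha1' }
        64      { 'sha256' }
        128     { 'sha512' }
        default { throw "Cannot infer checksum type from length $($Checksum.Length)" }
    }
}

function Test-FileChecksum {
    param(
        [Parameter(Mandatory)][string] $Path,
        [Parameter(Mandatory)][string] $Checksum,
        [Parameter(Mandatory)][string] $ChecksumType,
        [switch] $InferTypeFromLength
    )
    $algorithm = if ($InferTypeFromLength) { Get-ChecksumTypeFromLength $Checksum } else { $ChecksumType }
    $actual = Get-FileChecksum -Path $Path -Algorithm $algorithm
    return ($actual -eq $Checksum.ToLowerInvariant())
}

# Constructed sample file, and an md5 of it declared as sha256 (the mismatch from the report).
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'checksum-sample.bin'
[System.IO.File]::WriteAllBytes($sample, [byte[]](0..255))
$md5 = Get-FileChecksum -Path $sample -Algorithm md5

# Inference ignores the declared sha256 and re-derives md5, so the package passes.
Test-FileChecksum -Path $sample -Checksum $md5 -ChecksumType sha256 -InferTypeFromLength
# Honouring the declared type computes sha256, which cannot match a 32-char md5, so it fails.
Test-FileChecksum -Path $sample -Checksum $md5 -ChecksumType sha256
```

The second call is the behaviour a community-package verifier needs so that a package validated on 0.10.3 does not break on versions that only honour the declared type.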
* stable:
(GH-1106) Do not display ApiKey in output
(GH-1018) Always refer to provided checksum type
(GH-942) Override local version
(GH-942) update NuGet.Core
(GH-1205) List - Do not show pkg sync prog/features
(GH-1181) Document self-service source requirement
(maint) formatting
(specs) set baselines
Output Log
This happened with https://chocolatey.org/packages/git-lfs.install. See https://gist.github.com/choco-bot/d26bee1c74948cbbc0af2e18cfc767c7 for testing output