Improve handling for checksum type #1018

Closed
pascalberger opened this issue Oct 15, 2016 · 3 comments

@pascalberger
Contributor

What You Are Seeing?

In the current version of choco (0.10.3) the Install-ChocolateyPackage command has two parameters: checksum and checksumType.
While it is possible to provide the checksumType, this version of Chocolatey determines the type based on the length of the string.

What is Expected?

The checksum should always be checked in the provided checksumType. Or checksumType parameter should be removed and the type discovered based on the length of the string.
In any way the Verifier for community packages should always check for the checksumType to avoid broken packages for customers with older versions of Chocolatey.

How Did You Get This To Happen? (Steps to Reproduce)

  • Create a package with checksumType = sha256, but with a checksum of type md5
  • This package can be uploaded to the community feed without any validation or verification error
  • While it works for newer Chocolatey versions (0.10.3) it fails for older ones.

Output Log

This happened with https://chocolatey.org/packages/git-lfs.install. See https://gist.github.com/choco-bot/d26bee1c74948cbbc0af2e18cfc767c7 for testing output

@ferventcoder
Member

Reference to chocolatey/checksum#3

@ferventcoder
Member

This is a slight reversal of #922, which was introduced in v0.10.1.

@ferventcoder
Member

Completed for 0.10.4

ferventcoder added a commit that referenced this issue Mar 22, 2017
When the checksum type is wrong, it should still be used when
validating signatures. Even if the checksum is a correct checksum for
another type. This provides the most deterministic behavior.
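
The check this issue asks for, as an added example that is not Chocolatey's or the package verifier's own code: reject a checksum whose length cannot belong to the declared checksumType, then always hash with the declared type instead of guessing from the string length. `Test-DeclaredChecksum`, the `$HexLength` table and the sample file are assumptions made for illustration.

```powershell
# Added example; Test-DeclaredChecksum is a hypothetical helper, not a Chocolatey function.
# Hex digest length for each checksum type handled in this sketch.
$HexLength = @{ md5 = 32; sha1 = 40; sha256 = 64; sha512 = 128 }

function Test-DeclaredChecksum {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Checksum,
        [Parameter(Mandatory)][string]$ChecksumType
    )
    $type = $ChecksumType.ToLowerInvariant()
    if (-not $HexLength.ContainsKey($type)) {
        throw "Unsupported checksum type '$ChecksumType'."
    }
    $value = $Checksum.Trim()
    if ($value -notmatch '^[0-9a-fA-F]+$') {
        throw "Checksum is not a hex string."
    }
    # Verifier-style check: the value must have the digest length of the declared type.
    if ($value.Length -ne $HexLength[$type]) {
        $looksLike = @($HexLength.Keys | Where-Object { $HexLength[$_] -eq $value.Length }) -join ','
        throw "Declared '$type' needs $($HexLength[$type]) hex characters, got $($value.Length) (length matches: '$looksLike')."
    }
    # Always hash with the declared type; never infer the algorithm from the string length.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm $type).Hash
    return [string]::Equals($actual, $value, [System.StringComparison]::OrdinalIgnoreCase)
}

# Constructed sample input: a temp file standing in for a downloaded installer.
$file = New-TemporaryFile
Set-Content -LiteralPath $file.FullName -Value 'constructed sample payload'
$md5    = (Get-FileHash -LiteralPath $file.FullName -Algorithm MD5).Hash
$sha256 = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash

# Declared type and value agree.
Test-DeclaredChecksum -Path $file.FullName -Checksum $sha256 -ChecksumType sha256

# The case from this issue: checksumType = sha256 with an md5 value.
try {
    Test-DeclaredChecksum -Path $file.FullName -Checksum $md5 -ChecksumType sha256
} catch {
    Write-Warning $_.Exception.Message
}
Remove-Item -LiteralPath $file.FullName
```

Run at package-validation time, the length check surfaces the mismatch before publication, so the package does not behave differently across client versions.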
ferventcoder added a commit that referenced this issue Mar 22, 2017
* stable:
  (GH-1106) Do not display ApiKey in output
  (GH-1018) Always refer to provided checksum type
  (GH-942) Override local version
  (GH-942) update NuGet.Core
  (GH-1205) List - Do not show pkg sync prog/features
  (GH-1181) Document self-service source requirement
  (maint) formatting
  (specs) set baselines