
Checksum requirement and enhancements #112

Closed
7 tasks done
ferventcoder opened this issue Feb 22, 2015 · 6 comments

Comments

ferventcoder (Member) commented Feb 22, 2015

Give the user more options when dealing with downloads

  • Allow user to pass their own checksum (and checksum type)
  • --ignore-checksums (done with #33, "Checksumming can not be turned off by the feature flag")
  • Provide pending requirement for checksums for packages missing them (allows community to let maintainers know they need to update their packages).
  • Do not allow installs from downloaded binaries that are not checksummed from the package by default.
  • Create feature allowEmptyChecksums set to false by default.
  • Allow passing switch --allow-empty-checksums, --require-checksums at runtime to override default behavior.
  • Create feature allowEmptyChecksumsSecure set to true by default (for HTTPS).

Choco v1 will not allow package installs without checksums by default. For folks to be insecure, they will need to explicitly ignore checksumming or be more secure by providing their own. This has been moved up to 0.10.0.

Bumping up the priority on this after a recent incident - see https://twitter.com/ferventcoder/status/760892254542102528 and http://us8.campaign-archive1.com/?u=86a6d80146a0da7f2223712e4&id=f2fe8dbe6b for details.

NOTE: We decided to relax the checksum missing failure to only HTTP for now, but will require it for HTTPS as well when #895 releases.

Running into this issue?

Option 1 - Pass the checksums through

You can pass the checksums through to the install / upgrade:

choco install somepackage --download-checksum checksumvalue --download-checksum-type checksumtypehere

NOTE: For best security, you may wish to manually download the installer and check it with VirusTotal first, then use the checksum that VT shows on its page with the choco install command. Nothing will be saved in time here, but hopefully the time savings occur in reporting and future upgrades of the package. Reasoning: The checksum could change if the link to download resources is non-specific (not tied to a specific version). But if it is a version-specific download, one should really be asking oneself why this occurred rather than simply ignoring a built-in security mechanism. It could be because the software vendor doesn't adhere to the idea of not changing a released version once offered, but it could be due to the distribution site getting hacked and offering a bad version just waiting for unsuspecting folks to download the hacked software. Without using some other method of verification when checksums fail, you are hoping that your anti-virus software would protect you in a hacked situation.

See https://chocolatey.org/docs/commands-install / https://chocolatey.org/docs/commands-upgrade:

    --checksum, --downloadchecksum, --download-checksum=VALUE
     Download Checksum - a user provided checksum for downloaded resources 
       for the package. Overrides the package checksum (if it has one).  
       Defaults to empty. Available in 0.10.0+.

     --checksum64, --checksumx64, --downloadchecksumx64, --download-checksum-x64=VALUE
     Download Checksum 64bit - a user provided checksum for 64bit downloaded 
       resources for the package. Overrides the package 64-bit checksum (if it 
       has one). Defaults to same as Download Checksum. Available in 0.10.0+.

     --checksumtype, --checksum-type, --downloadchecksumtype, --download-checksum-type=VALUE
     Download Checksum Type - a user provided checksum type. Overrides the 
       package checksum type (if it has one). Used in conjunction with Download 
       Checksum. Available values are 'md5', 'sha1', 'sha256' or 'sha512'. 
       Defaults to 'md5'. Available in 0.10.0+.

     --checksumtype64, --checksumtypex64, --checksum-type-x64, --downloadchecksumtypex64, --download-checksum-type-x64=VALUE
     Download Checksum Type 64bit - a user provided checksum for 64bit 
       downloaded resources for the package. Overrides the package 64-bit 
       checksum (if it has one). Used in conjunction with Download Checksum 
       64bit. Available values are 'md5', 'sha1', 'sha256' or 'sha512'. 
       Defaults to same as Download Checksum Type. Available in 0.10.0+.

Option 2 - Fix the package to download over HTTPS if possible, and use checksums

Update the package accordingly so it complies with the new security enhancements.

Option 3 - If the package is internal, embed the resources in the package (or put on an internal share)

Many organizations using Chocolatey internally will create packages that use internal or embedded resources. They also go through a process called recompiling: downloading an existing package and recompiling it to use internal resources - https://chocolatey.org/docs/how-to-recompile-packages

Option 4 - Accept the risk

Now we are into the non-recommended options. So if you want to use this package and you are fine with the risks of a package downloading over HTTP without verifying the integrity of the binaries, then you can use the following:

choco install somepackage --allow-empty-checksums

If you are using a tool that is using an older version of Chocolatey, like Boxstarter or ChocolateyGUI, but you've upgraded your local Chocolatey to v0.10.0, you may want to use:

choco install somepackage --ignore-checksums

See https://chocolatey.org/docs/commands-install / https://chocolatey.org/docs/commands-upgrade:

     --ignorechecksum, --ignore-checksum, --ignorechecksums, --ignore-checksums
     IgnoreChecksums - Ignore checksums provided by the package. Overrides 
       the default feature 'checksumFiles' set to 'True'. Available in 0.9.9.9+.

     --allowemptychecksum, --allowemptychecksums, --allow-empty-checksums
     Allow Empty Checksums - Allow packages to have empty/missing checksums 
       for downloaded resources from non-secure locations (HTTP, FTP). Using 
       this switch is not recommended if using sources that download resources 
       from the internet. Overrides the default feature 'allowEmptyChecksums' 
       set to 'False'. Available in 0.10.0+.

     --allowemptychecksumsecure, --allowemptychecksumssecure, --allow-empty-checksums-secure
     Allow Empty Checksums Secure - Allow packages to have empty checksums 
       for downloaded resources from secure locations (HTTPS). Overrides the 
       default feature 'allowEmptyChecksumsSecure' set to 'True'. Available in 
       0.10.0+.

     --requirechecksum, --requirechecksums, --require-checksums
     Require Checksums - Requires packages to have checksums for downloaded 
       resources (both non-secure and secure). Overrides the default feature 
       'allowEmptyChecksums' set to 'False' and 'allowEmptyChecksumsSecure' set 
       to 'True'. Available in 0.10.0+.

Option 5 - Accept the risk for everything

You can turn off the behavior by running an exec that will turn on the feature allowEmptyChecksums. This is a nuclear option and subverts the protections brought in by this feature. You can also turn off the feature checksumFiles to turn off checksumming entirely.

Option 6 - Downgrade Chocolatey

Downgrading to an older version doesn't remove the risk that is there in downloading resources from the internet. 0.10.0 is more upfront about those issues so you can make an informed, aware decision on what you are installing.
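The workflow that Option 1 describes (download the installer yourself, verify it out of band, then hand the verified checksum to choco), as an added example in PowerShell. It is not code from the issue or from Chocolatey; the package id, URL and expected hash are placeholders you replace with the real values from the vendor's release page or VirusTotal.

```powershell
# Added example (not from the issue or from Chocolatey itself): download the
# installer a package would fetch, hash it locally, compare against a hash you
# obtained out of band (vendor release page, VirusTotal), and only then hand
# that hash to choco. Package id, URL and expected hash are placeholders.

$packageName  = 'somepackage'                                          # assumed id
$url          = 'https://example.invalid/somepackage-1.2.3-setup.exe'  # assumed URL
$expectedHash = 'REPLACE_WITH_HEX_HASH_FROM_VENDOR_OR_VIRUSTOTAL'      # assumed value
$checksumType = 'sha256'   # choco accepts md5, sha1, sha256, sha512; prefer sha256 or sha512

$file = Join-Path $env:TEMP (Split-Path -Path $url -Leaf)

# -UseBasicParsing avoids the Internet Explorer dependency on Windows PowerShell.
Invoke-WebRequest -Uri $url -OutFile $file -UseBasicParsing

# Get-FileHash ships with PowerShell 4.0+ and supports the same four algorithms
# choco accepts, so the type string can be passed straight through.
$actualHash = (Get-FileHash -Path $file -Algorithm $checksumType).Hash

# PowerShell's -ne is case-insensitive, so hex case differences between tools
# (Get-FileHash prints uppercase, VirusTotal lowercase) do not cause false alarms.
if ($actualHash -ne $expectedHash) {
    Remove-Item -Path $file -Force
    throw ("Checksum mismatch for {0}`n expected: {1}`n actual:   {2}" -f $url, $expectedHash, $actualHash)
}

Write-Host "Verified $file ($checksumType $actualHash)"

# choco downloads the resource itself and re-verifies the bytes against this
# value, so a mirror serving different bytes than the ones you checked still fails.
& choco install $packageName --download-checksum $actualHash --download-checksum-type $checksumType -y
```

If the package declares a separate 64-bit URL, pass the 64-bit file's hash with --download-checksum-x64 and --download-checksum-type-x64 the same way. A mismatch at the comparison step is exactly the situation the note above warns about: the answer is to find out why the bytes changed, not to fall back to --ignore-checksums. `choco feature list` shows the current state of checksumFiles, allowEmptyChecksums and allowEmptyChecksumsSecure if you need to confirm nothing has been relaxed on the machine.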

dtgm (Contributor) commented Feb 22, 2015

Is the feature `choco feature disable -n=checksumFiles` intended to be the equivalent of always passing `--ignore-checksum`?

ferventcoder (Member, Author) commented

@dtgm yes and that is #33 - note that right now that feature is ignored. It was only left in configuration because previous choco had it.

ferventcoder added a commit that referenced this issue Aug 10, 2016
Note that checksums are now required.
ferventcoder added a commit that referenced this issue Aug 10, 2016
Provide insight that checksums are now required and how a maintainer
can go about gathering that information. Also suggest urls use https
instead of just http.
ferventcoder added a commit that referenced this issue Aug 10, 2016
ferventcoder added a commit that referenced this issue Aug 10, 2016
If downloaded from https location, relax checksum missing failure
until 0.10.1.
ferventcoder added a commit that referenced this issue Aug 10, 2016
* stable: (23 commits)
  (GH-897) Fix DISM /all for newer Windows versions
  (maint) bring back in nuspec into solution folders
  (GH-598) Add output directory for choco pack
  (version) bump to 0.10.0
  (doc) update CHANGELOG/nuspec
  (GH-840) Do not set User Environment for SYSTEM
  (GH-840) Set TMP to cacheLocation as well
  (GH-830) Ensure process PSModulePath items
  (GH-112) Relax HTTPS checksum failure
  (maint) move noop run
  (GH-833) Don't set profile under certain conditions
  (doc) update generated docs
  (GH-112) update options for new version
  (GH-112) Checksums / Install Template
  (GH-112) Update parameter documentation
  (GH-112) Require checksums
  (GH-112) Allow Empty Checksums
  (GH-112) Checksum remote files unless checksum
  (GH-112) Allow user passed checksums
  (GH-112) rename checksum files for proper casing
  ...
ferventcoder added a commit that referenced this issue Aug 11, 2016
Secure locations, such as HTTPS, have quite a bit of protection
surrounding them. By default allow missing/empty checksums when
the locations are secure. Allow the feature to be shut off either by
turning off the feature `allowEmptyChecksumsSecure` or using the switch
`--require-checksums`.
ferventcoder added a commit that referenced this issue Aug 11, 2016
Ensure there is no outside influence for environment variables that are
set by choco.
ferventcoder added a commit that referenced this issue Aug 11, 2016
When debugging parameters are passed, ensure that originalUrl is also
passed for debugging purposes.
ferventcoder added a commit that referenced this issue Aug 11, 2016
ferventcoder added a commit that referenced this issue Aug 11, 2016
* stable:
  (GH-112) update tab expansion
  (doc) update generated docs
  (GH-112) Get-ChecksumValid - update debug params
  (GH-833) Don't set tab completion if profile null
  (doc) update CHANGELOG/nuspec
  (GH-866) Fix - packages.config fails on licensed config
  (GH-112) clear existing environment vars
  (doc) add checksum verification notes
  (GH-112) Empty Checksums for Secure Locations
  (maint) remove magic strings for environment vars
  (maint) move environment vars to env section
activescott commented

For "option 2" above, I suggest the briefest of explanations of how to do that with a link to the appropriate documentation. Presumably it is:

Supply a checksum value to the checksum and/or checksum64 parameters of the HelpersInstallChocolateyZipPackage.

activescott commented

Also, I'm using Install-ChocolateyZipPackage to install a local zip file that is embedded in the pkg. Are local files exempt from the upcoming checksum requirement or will I need to use Get-ChocolateyUnzip (apparently I didn't see that or it wasn't there when we created lessmsi's package)?

...or should I just supply a checksum to Install-ChocolateyZipPackage?

ferventcoder (Member, Author) commented

@activescott local files won't need it. Get-ChocolateyUnzip has always been used by Install-ChocolateyZipPackage so you just likely missed it. Plus the documentation surrounding functions has recently had a huge makeover, so it's much better now, especially in discovery of other methods.
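For Option 2 in the issue body, and for the question above about which parameters to supply, an added example of a chocolateyInstall.ps1 that satisfies the 0.10.0 requirement. It is not lessmsi's script or any real package's script, and it is not code from the issue; the package id, URLs, hashes and silent arguments are placeholders.

```powershell
# Added example of a chocolateyInstall.ps1 that meets the 0.10.0 requirement:
# HTTPS, version-pinned URLs plus a checksum for each architecture. This is not
# any real package's script; the id, URLs, hashes and silent args are placeholders.
$ErrorActionPreference = 'Stop'

$packageArgs = @{
  packageName    = 'somepackage'                                                 # assumed id
  fileType       = 'exe'
  url            = 'https://example.invalid/downloads/somepackage-1.2.3-x86.exe' # assumed URL
  url64bit       = 'https://example.invalid/downloads/somepackage-1.2.3-x64.exe' # assumed URL
  # Hashes copied from the vendor's release notes, or computed with
  # (Get-FileHash <file> -Algorithm SHA256).Hash after verifying the file out of band.
  checksum       = '0000000000000000000000000000000000000000000000000000000000000000' # placeholder
  checksumType   = 'sha256'
  checksum64     = '1111111111111111111111111111111111111111111111111111111111111111' # placeholder
  checksumType64 = 'sha256'
  silentArgs     = '/S'                                                          # assumed
  validExitCodes = @(0)
}

# The helper downloads the file to the choco cache and verifies it against the
# declared checksum before running the installer; a mismatch fails the install.
Install-ChocolateyPackage @packageArgs
```

Install-ChocolateyZipPackage takes the same checksum, checksumType, checksum64 and checksumType64 parameters for a zip fetched from a URL. For a zip that ships inside the package, call Get-ChocolateyUnzip -FileFullPath "$toolsDir\somepackage.zip" -Destination $toolsDir instead; as the reply above says, a local file needs no checksum because nothing is downloaded.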

aaronk1 commented Sep 15, 2016

@ferventcoder Awesome post. Especially appreciate the boxstarter note. Thanks!

6 participants
@ferventcoder @activescott @gep13 @dtgm @aaronk1 and others