Secure Sources Not Working

[The1nternet]

We have a private feed hosted on MyGet, and it no longer works after updating to Chocolatey 9.9.4. Our feed requires a username and password. I am setting up the feed like this:

choco source add -n mysource -s https://www.myget.org/F/myfeed/api/v2 -u UserName -p password

After setting up this feed, if I then do a search for any packages in this feed, it returns 0 results (i've tried it with and without quotes around the source url). I have tried installing packages by name, and I get an error that the package wasn't found on my feed. Here is the search command I run that returns "0 packages found":

choco search -s mysource

Before the new update, the way I setup this source before the chocolatey update was like this:

.\NuGet.exe sources add -name "mysource" -source "https://www.myget.org/F/myfeed/"
.\NuGet.exe sources update -Name "mysource" -UserName "MyUserName" -Password "mypassword"

this way worked perfectly with no issues. This is a very serious issue as we depend on chocolatey for the distribution of our software to our clients, and we have to have the secure feed from myget, and now all of our packages are unreachable.

*note: I am able to see the packages on my feed if I make the feed public, then pass the full URL of the feed as the "-s" parameter for "choco install". Also, i'm able to see the packages if I keep the feed private, then pass the full pre-authenticated URL as the "-s" parameter of "choco install". Neither of these options are acceptable however, as they both require using the full url instead of the short source name, the first requires making my feed public, and the second requires passing around my pre-authenticated api-key to everyone who needs to install our software.

URGENT!

[The1nternet]

This is the only output in the log for this issue:

2015-04-10 15:32:18,004 [INFO ] - =====================================================
2015-04-10 15:32:18,035 [INFO ] - Chocolatey v0.9.9.4
2015-04-10 15:32:18,113 [INFO ] - Added mysource - https://www.myget.org/F/myfeed/
2015-04-10 23:28:21,499 [INFO ] - =====================================================
2015-04-10 23:31:06,917 [INFO ] - =====================================================
2015-04-10 23:31:06,950 [INFO ] - Chocolatey v0.9.9.4
2015-04-10 23:31:07,020 [INFO ] - Installing the following packages:
2015-04-10 23:31:07,026 [INFO ] - mypackage
2015-04-10 23:31:07,030 [INFO ] - By installing you accept licenses for the packages.
2015-04-10 23:31:07,166 [ERROR] - mypackage not installed. The package was not found with the source(s) listed.
If you specified a particular version and are receiving this message, it is possible that the package name exists but the version does not.
Version: ""
Source(s): "mysource"
2015-04-10 23:31:07,177 [WARN ] -
Chocolatey installed 0/1 package(s). 1 package(s) failed.
See the log for details.
2015-04-10 23:31:07,181 [ERROR] - Failures:
2015-04-10 23:31:07,187 [ERROR] - - mypackage
2015-04-10 23:42:18,407 [INFO ] - =====================================================
2015-04-10 23:42:18,438 [INFO ] - Chocolatey v0.9.9.4
2015-04-10 23:42:18,641 [WARN ] - 0 packages found.
2015-04-11 00:13:58,900 [INFO ] - =====================================================
2015-04-11 00:13:58,931 [INFO ] - Chocolatey v0.9.9.4
2015-04-11 00:13:58,944 [DEBUG] - Chocolatey is running on Windows v 6.3.9600.0
2015-04-11 00:13:58,953 [DEBUG] - Attempting to delete file "C:/ProgramData/chocolatey/choco.exe.old".
2015-04-11 00:13:58,957 [DEBUG] - Attempting to delete file "C:\ProgramData\chocolatey\choco.exe.old".
2015-04-11 00:13:58,970 [DEBUG] - Command line: "C:\ProgramData\chocolatey\choco.exe" list winzip -v -d -y -f --execution-timeout=5000
2015-04-11 00:13:58,975 [DEBUG] - Received arguments: list winzip -v -d -y -f --execution-timeout=5000
2015-04-11 00:13:59,012 [DEBUG] -
NOTE: Hiding sensitive configuration data! Please double and triple
check to be sure no sensitive data is shown, especially if copying
output to a gist for review.
2015-04-11 00:13:59,031 [DEBUG] - Configuration: CommandName='list'|
CacheLocation='C:\Users\YOU\AppData\Local\Temp'|
ContainsLegacyPackageInstalls='True'|
CommandExecutionTimeoutSeconds='5000'|
Sources='https://chocolatey.org/api/v2/;https://www.myget.org/F/myfeed'|

Debug='True'|Verbose='True'|Force='True'|Noop='False'|
HelpRequested='False'|RegularOutput='True'|
PromptForConfirmation='False'|AcceptLicense='True'|
AllowUnofficialBuild='False'|Input='winzip'|AllVersions='False'|
SkipPackageInstallProvider='False'|Prerelease='False'|ForceX86='False'|
OverrideArguments='False'|NotSilent='False'|IgnoreDependencies='False'|
AllowMultipleVersions='False'|ForceDependencies='False'|
Information.PlatformType='Windows'|
Information.PlatformVersion='6.3.9600.0'|
Information.PlatformName='Windows 8.1'|
Information.ChocolateyVersion='0.9.9.4'|
Information.ChocolateyProductVersion='0.9.9.4'|
Information.FullName='choco, Version=0.9.9.4, Culture=neutral, PublicKeyToken=79d02ea9cad655eb'|

Information.Is64Bit='True'|Information.IsInteractive='True'|
Information.IsUserAdministrator='True'|
Information.IsProcessElevated='True'|Features.AutoUninstaller='False'|
Features.CheckSumFiles='True'|ListCommand.LocalOnly='False'|
ListCommand.IncludeRegistryPrograms='False'|
UpgradeCommand.FailOnUnfound='False'|
NewCommand.AutomaticPackage='False'|SourceCommand.Command='unknown'|
FeatureCommand.Command='unknown'|PushCommand.TimeoutInSeconds='0'|
PinCommand.Command='unknown'|
2015-04-11 00:13:59,060 [DEBUG] - _ Chocolatey:ChocolateyListCommand - Normal Run Mode _
2015-04-11 00:13:59,066 [DEBUG] - Searching for package information
2015-04-11 00:14:02,448 [WARN ] - Could not connect to the feed specified at 'https://www.myget.org/F/myfeed'. Please verify that the package source (located in the Package Manager Settings) is valid and ensure your network connectivity.

[ferventcoder]

I think this is also a known issue - duplicate of #201

[ferventcoder]

Actually, let's call this the issue filed for #201.

[ferventcoder]

This is a very serious issue as we depend on chocolatey for the distribution of our software to our clients, and we have to have the secure feed from myget, and now all of our packages are unreachable.

Apologies here, it does seem like you guys may need to take advantage of a support contract so that urgent issues like this will be met with urgent priority. Would you say that is a correct assumption?

[The1nternet]

I was a kickstarter backer at the $35 level which got me: "1 annual pro license at the same time as the general population". Does that have any influence on bug priority?

[The1nternet]

The Read-Host issue is more urgent for me than this one, though, since this one has an insecure work-around.

[ferventcoder]

I was a kickstarter backer at the $35 level which got me: "1 annual pro license at the same time as the general population". Does that have any influence on bug priority?

Definitely helps! This is something we want to address in the next version - 0.9.9.5 which should be out as soon as we get a few more fixes in.

[ferventcoder]

The Read-Host issue is more urgent for me than this one, though, since this one has an insecure work-around.

Agreed. Read-Host seems pretty high priority.

[da9l]

Just some extra info on the case here.
We've got the same issue with chocolatey + myget (enterprise subscription). Since myget allows usage of the API key instead of UID+pwd credentials we tested that alternative as well and we get the same result. 0 packages found.

[ferventcoder]

The issue here is that the source never passes the sources with the security information. I am working on this now.

[mboudreau]

When can we expect a new release of chocolatey with these fixes?

[ferventcoder]

In the next few hours. Hopefully sooner.

[mboudreau]

Awesome :D

On Tue, Apr 21, 2015 at 9:18 AM Rob Reynolds notifications@github.com
wrote:

In the next few hours. Hopefully sooner.

—
Reply to this email directly or view it on GitHub
#240 (comment).

[The1nternet]

a moment ago, I install 0.9.9.8 to see if this issue was now fixed, but I still get "0 packages found".

[ferventcoder]

@The1nternet What arguments did you pass?

[The1nternet]

choco list -s=mysourcename

[ferventcoder]

So my first question - have you added the source to your default sources with the correct credentials?

Second if not - you should pass username and password to the prior arg.

[The1nternet]

at the top of this issue, i detailed all the arguments I passed when setting up the source. That's still how I am setting it up. i.e.

choco source add -n mysource -s https://www.myget.org/F/myfeed/api/v2 -u UserName -p password

[ferventcoder]

And you are querying that source exactly with trailing slashes?

[ferventcoder]

You cannot use the source name. Sorry just noticed that

[ferventcoder]

Sourceurl is all that works currently

[ferventcoder]

Because we don't yet resolve sources by name

[eschu21]

Hi, I am still seeing a similar issue when trying to poll my Artifactory nuget repo. I currently have it mirroring the public Chocolatey feed. Artifactory requires username/password for auth.

If I run choco search googlechrome I get a return.

If I run choco install googlechrome I get the following:

[NuGet] Exception has been thrown by the target of an invocation.
googlechrome not installed. The package was not found with the source(s) listed.
If you specified a particular version and are receiving this message, it is possible that the package name exists but
he version does not.
Version: ""
Source(s): "https://myrepo/artifactory/api/nuget/myrepo"

Chocolatey installed 0/1 packages. 1 packages failed.
See the log for details (C:\ProgramData\chocolatey\logs\chocolatey.log).

Failures

• googlechrome - googlechrome not installed. The package was not found with the source(s) listed.
  If you specified a particular version and are receiving this message, it is possible that the package name exists but
  he version does not.
  Version: ""
  Source(s): "https://myrepo.com/artifactory/api/nuget/myrepo"

[eschu21]

Additionally, if I do not specify -u username -p password when adding the source, I can successfully install packages. The problem is that I then get prompted for username/pass every time.

[ferventcoder]

@eschu21 howdy. If choco search works, but install does not, I don't think it is a problem with hitting the secure source. To really understand what may be going on, the chocolatey.log is going to have very detailed information. Ensure you are on the latest version of Chocolatey (v0.10.7), and run those commands with -dv and submit the output (redact anything sensitive, but do not omit any section of the log, especially configuration output).

[ferventcoder]

Also, make sure you are not on an older version that is subject to #1248

[eschu21]

See the gist here: https://gist.github.com/eschu21/3f192578f1bf7aa57da51cbc29ee9ea6

Attempt to install lines 0-112. The rest is a search that works.

I am running latest version (v0.10.7).

Another quirk, I was able to pull packages earlier today when prompted for creds, but now it is failing both with prompt and with supplying them when adding the source. The search still works.

Thanks much in advance!

[ferventcoder]

Looks like it is something in NuGet.Core throwing an exception - https://gist.github.com/eschu21/3f192578f1bf7aa57da51cbc29ee9ea6#file-output-log-L93.

@eschu21 can you file a new issue with this information? Thanks!

[eschu21]

Interesting. I will file an issue, but I want to note that if I use nuget.exe I am able to pull the package down. Would this indicate an issue specific to chocolatey?

[ferventcoder]

@eschu21 Chocolatey uses NuGet.Core v2.11 modified. There could have been a fix or incompatibility introduced in Artifactory that prevents choco from working in some way or there is something where the credentials are having issues. There could also be other things preventing this from working properly. I will say there are many folks successfully doing exactly what you are doing, so it's likely something in configuration or environment.

[eschu21]

@ferventcoder I think I just found my issue. I am pointing to a virtual repo that contains a reference to our public chocolatey repo cache. This is when it fails. If I point directly to the cache repo, I get challenged for credentials and the package pulls.

I will see what I can dig up on how to manage this setup.

Thanks for taking the time to take a look with me!