Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Require checksums for HTTPS resources #895

Open
ferventcoder opened this issue Aug 7, 2016 · 11 comments
Open

Require checksums for HTTPS resources #895

ferventcoder opened this issue Aug 7, 2016 · 11 comments
Labels
0 - Backlog Improvement Priority_HIGH Requires Upstream Change Security
Milestone
2.x

Comments

@ferventcoder
Copy link
Member

ferventcoder commented Aug 7, 2016
edited

With #112, we started requiring checksums for HTTP/FTP and provided an enabled feature to require checksums for HTTPS as well. If a checksum is missing in these scenarios, it would fail the package.

This switches the feature allowEmptyChecksumsSecure to disabled.
@ferventcoder ferventcoder added this to the 0.10.1 milestone Aug 7, 2016
@ferventcoder ferventcoder mentioned this issue Aug 8, 2016
Closed
7 tasks
@ferventcoder
Copy link
Member Author

Considering making this one an opt in feature

@spraints spraints mentioned this issue Aug 10, 2016
Open
@ferventcoder ferventcoder changed the title Require checksum for HTTPS as well Ability to require checksum for HTTPS Aug 11, 2016
@ferventcoder ferventcoder changed the title Ability to require checksum for HTTPS Require checksums for HTTPS resources Aug 11, 2016
@ferventcoder
Copy link
Member Author

This is up for discussion, please feel free to weigh in here.

@TheFynx
Copy link

TheFynx commented Aug 15, 2016

👍
A checksum provides positive factors outside of ensuring the source. Just because a connection is secure doesn't mean the source file is the right one. With Let's Encrypt (which I love) means just about anyone can have HTTPS these days (which is a good thing).

  • Ensures corruption didn't happen during download
  • This also helps detect changes in sources that don't provide any kind of versioning in the package name (e.g.; amazon) and keep the same download path (e.g.; slack).

Just my two cents.

@ferventcoder
Copy link
Member Author

@TheFynx thanks. One thing to consider is that you can turn it on now in 0.10.0 already. The feature is set to allow empty checksums for secure connections by default.

@ferventcoder ferventcoder mentioned this issue Aug 16, 2016
Closed
@ferventcoder ferventcoder modified the milestones: 0.10.2, 0.10.1 Sep 1, 2016
@ferventcoder
Copy link
Member Author

Going to hold on this one for a little while - I think the plan is to turn this on, but provide a little more time for folks to get their packages in order.

nathancorvussolis added a commit to nathancorvussolis/chocolatey-package that referenced this issue Sep 5, 2016
@nathancorvussolis
Add checksum option
0acda39 
chocolatey/choco#895
@ferventcoder ferventcoder modified the milestones: 0.10.2, 0.10.3 Sep 20, 2016
@ferventcoder ferventcoder modified the milestones: 0.10.3, 0.10.4 Oct 3, 2016
@ferventcoder ferventcoder modified the milestones: 0.10.5, 0.10.4 Nov 15, 2016
@ferventcoder ferventcoder modified the milestones: 0.10.5, 0.10.6 Mar 30, 2017
@ferventcoder ferventcoder modified the milestones: 0.10.9, 0.10.10 Aug 27, 2017
@ferventcoder ferventcoder modified the milestones: 0.10.10, 0.10.12 Mar 27, 2018
@ferventcoder ferventcoder modified the milestones: 0.10.12, 0.10.13 May 3, 2018
@vertigo220
Copy link

I'm in agreement with @TheFynx on this one. This is one of the things I came here to mention, because I definitely think this should not be enabled by default. That is, it should not allow empty checksums just because the source is HTTPS by default. Just because a file is downloaded from an HTTPS site doesn't mean it couldn't be corrupted (either on the site or during the download) or replaced with a malicious version (if the site were compromised). HTTPS isn't a guarantee of a file's integrity; all it "guarantees" is that your connection to the file is secure.

@gep13
Copy link
Member

gep13 commented May 10, 2018

@vertigo220 we don't disagree with you here, and this is something that will get turned on by default.

@vertigo220
Copy link

I'm confused, because you say it will get turned on by default, but I read that as the option to allow empty checksums for HTTPS will be enabled by default, which is the opposite of what I'm saying. Do you mean the need for checksums will be turned on by default?

@ferventcoder
Copy link
Member Author

@vertigo220 apologies for the confusion - what was meant is that allowEmptyChecksumsSecure will be disabled by default at some point. https://github.com/chocolatey/choco/wiki/ChocolateyConfiguration#security

@ferventcoder
Copy link
Member Author

@vertigo220 for features choco has the ability for us to switch a default for a newer edition and if a user has not explicitly set the value, it will adjust automatically when the default changes.

@ferventcoder ferventcoder modified the milestones: 0.10.13, 0.10.14, 0.10.15 Mar 9, 2019
@ferventcoder ferventcoder modified the milestones: 0.10.15, 0.10.16 Apr 1, 2019
@gep13 gep13 modified the milestones: 0.10.16, 0.10.17 May 31, 2019
@ferventcoder ferventcoder modified the milestones: 0.10.17, 0.10.18 Jan 14, 2020
@ferventcoder ferventcoder modified the milestones: 0.10.18, 0.10.x Apr 14, 2021
@gep13 gep13 modified the milestones: 0.11.x, 2.x Jan 17, 2022
@gep13
Copy link
Member

gep13 commented Jan 17, 2022

This will need a change to package-validator, to enforce this rule for all new package submissions as well:

https://gitlab.com/chocolatey/community-infrastructure/package-validator/-/issues/143

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
0 - Backlog Improvement Priority_HIGH Requires Upstream Change Security
Projects
None yet
Milestone
2.x
Development

No branches or pull requests
4 participants
@ferventcoder @gep13 @TheFynx @vertigo220