
fleetd-base.msi can't be updated because the sha256 checksum is hardcoded in Fleet #19176

Closed
roperzh opened this issue May 21, 2024 · 7 comments
Assignees
Labels
bug Something isn't working as documented #g-mdm MDM product group :incoming New issue in triage process. :release Ready to write code. Scheduled in a release. See "Making changes" in handbook. ~released bug This bug was found in a stable release.
Milestone

Comments

@roperzh
Member

roperzh commented May 21, 2024

Fleet version: 4.49.4


💥  Actual behavior

With #18194 we are able to ship updated fleetd-base.msi installers with each fleetd release; however, we had to roll back the changes because the sha256 checksum of the file is hardcoded in Fleet.

🧑‍💻  Steps to reproduce

See #19105

🕯️ More info (optional)

The checksum is hardcoded here:

```xml
<Validation>
<FileHash>9F89C57D1B34800480B38BD96186106EB6418A82B137A0D56694BF6FFA4DDF1A</FileHash>
</Validation>
<Enforcement>
```

Documentation about the CSP is here: https://learn.microsoft.com/en-us/windows/client-management/mdm/enterprisedesktopappmanagement-csp

The fix will need to be backward compatible so that older versions of Fleet don't break.

@roperzh roperzh added bug Something isn't working as documented :release Ready to write code. Scheduled in a release. See "Making changes" in handbook. ~released bug This bug was found in a stable release. #g-mdm MDM product group #g-endpoint-ops Endpoint ops product group :incoming New issue in triage process. labels May 21, 2024
@getvictor
Member

@getvictor:
We also have a race condition. The base-fleetd file may be updated after the SHA was sent/downloaded to the device. We need a solution. Maybe MDM can check if install happened. If not, resend the command?

@roperzh
Good catch. The challenge there is that the MDM protocol always returns an "OK" for software installs, and then tries to actually install the software asynchronously afterwards.

Without osquery on the host, getting the installed software is a bit challenging (we currently don't have any way to "ingest" data using the MDM protocol, IF we can even get that data).

Maybe some heuristic, like "if you're not osquery enrolled after 15 minutes we retry".
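The two problems raised above (a hash baked into the server, and the MSI changing between the command being sent and the host downloading it) can both be shown in a few lines. The following is an added example, not Fleet's code: it computes the `<FileHash>` from the exact bytes that will be served, renders the install command, and checks a served payload against the hash that was sent. Only `<Validation>`, `<FileHash>` and `<Enforcement>` appear in the issue; the other `MsiInstallJob` element names are taken from the CSP documentation linked above and are an assumption here, as are the product code, version, URL and the sample MSI bytes, which are constructed stand-ins rather than real installers.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
	"strings"
)

// hardcodedHash is the value quoted in the issue. Baking it into the server
// is what breaks as soon as fleetd-base.msi is rebuilt.
const hardcodedHash = "9F89C57D1B34800480B38BD96186106EB6418A82B137A0D56694BF6FFA4DDF1A"

// FileHash returns the SHA-256 of an MSI in the uppercase hex form used by
// the <FileHash> element shown in the issue.
func FileHash(msi []byte) string {
	sum := sha256.Sum256(msi)
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// MsiInstallJob mirrors the CSP payload. Element names outside Validation,
// FileHash and Enforcement follow the linked CSP documentation (assumption).
type MsiInstallJob struct {
	XMLName xml.Name `xml:"MsiInstallJob"`
	ID      string   `xml:"id,attr"`
	Product Product  `xml:"Product"`
}

type Product struct {
	Version     string      `xml:"Version,attr"`
	Download    Download    `xml:"Download"`
	Validation  Validation  `xml:"Validation"`
	Enforcement Enforcement `xml:"Enforcement"`
}

type Download struct {
	ContentURLList []string `xml:"ContentURLList>ContentURL"`
}

type Validation struct {
	FileHash string `xml:"FileHash"`
}

type Enforcement struct {
	CommandLine   string `xml:"CommandLine"`
	TimeOut       int    `xml:"TimeOut"`
	RetryCount    int    `xml:"RetryCount"`
	RetryInterval int    `xml:"RetryInterval"`
}

// BuildInstallJob renders the install command for exactly the MSI bytes that
// will be served, computing the hash at request time instead of hardcoding it.
func BuildInstallJob(productCode, version, url string, msi []byte) (string, error) {
	job := MsiInstallJob{ID: productCode}
	job.Product.Version = version
	job.Product.Download.ContentURLList = []string{url}
	job.Product.Validation.FileHash = FileHash(msi)
	job.Product.Enforcement = Enforcement{CommandLine: "/quiet", TimeOut: 5, RetryCount: 3, RetryInterval: 5}
	out, err := xml.MarshalIndent(job, "", "  ")
	if err != nil {
		return "", err
	}
	return string(out), nil
}

// ErrHashMismatch signals the race described in the thread: the MSI was
// replaced after the command (and its hash) was sent but before the host
// downloaded the file, so the MDM client will reject the install.
var ErrHashMismatch = errors.New("served MSI does not match hash in install command")

// CheckServed compares the hash the host was told to expect with the payload
// actually being served. On mismatch the server should re-issue the command
// with the new hash rather than wait for an install that will never happen.
func CheckServed(sentHash string, served []byte) error {
	got := FileHash(served)
	if !strings.EqualFold(sentHash, got) {
		return fmt.Errorf("%w: sent %s, serving %s", ErrHashMismatch, sentHash, got)
	}
	return nil
}

func main() {
	// Constructed stand-ins for two builds of fleetd-base.msi (not real installers).
	v1 := []byte("fleetd-base.msi build 1 (constructed sample)")
	v2 := []byte("fleetd-base.msi build 2 (constructed sample)")

	// Constructed product code and URL; neither is Fleet's.
	cmd, err := BuildInstallJob("{00000000-0000-0000-0000-000000000001}", "1.24.0",
		"https://example.invalid/fleetd-base.msi", v1)
	if err != nil {
		panic(err)
	}
	fmt.Println(cmd)
	fmt.Println("same build:", CheckServed(FileHash(v1), v1))
	fmt.Println("rebuilt MSI:", CheckServed(FileHash(v1), v2))
	fmt.Println("hardcoded hash:", CheckServed(hardcodedHash, v1))
}
```

The hash is derived from the bytes at the moment the command is built, so a new fleetd release changes the command automatically; `CheckServed` is the server-side check to run when the download request arrives, which is where the race becomes visible.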

@roperzh roperzh removed the #g-endpoint-ops Endpoint ops product group label May 21, 2024
@lukeheath
Member

@roperzh As part of this effort, would you please include contributor docs explaining the manifest usage? Thanks!

@lukeheath lukeheath added this to the 4.51.0-tentative milestone May 22, 2024
@georgekarrv georgekarrv removed their assignment May 28, 2024
@roperzh roperzh self-assigned this Jun 5, 2024
@roperzh
Member Author

roperzh commented Jun 6, 2024

This is currently blocked by #19182, I left #19182 (comment) outlining what we need.

@roperzh
Member Author

roperzh commented Jun 12, 2024

Un-assigning myself from this as it can't currently be worked on.

roperzh added a commit that referenced this issue Jun 28, 2024
for #19176

# Checklist for submitter

If some of the following don't apply, delete the relevant line.


- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
@roperzh
Member Author

roperzh commented Jul 5, 2024

This is not blocked anymore, and it's ready to test. No special setup needed.

@PezHub
Contributor

PezHub commented Jul 7, 2024

Checked the logs after turning on MDM for macOS and Windows hosts and verified the versions of orbit and osquery are the latest.
[Screenshot attached: 2024-07-07 at 2:22:49 PM]

*I'll need to test this for Azure enrolled hosts once it makes it over to Dogfood.

@fleet-release
Contributor

Updating fleet's core,
Checksum adapts like leaves,
Old versions endure.
