Ignore Checksum for Signature Validated Files #1007

Closed

Conversation

@emtuls (Member) commented Apr 23, 2024

This attempts to fix #1004

Issue and explanation copied here:
For some reason, it seems that when we don't pass in a checksum for certain choco functions, chocolatey automatically attempts to validate the checksum of the newly downloaded file against the checksum of the previous package stored in the cache in our sources.
[screenshot]

Because we don't want to force all packages to ignore checksums, we can add `$env:ChocolateyIgnoreChecksums = $true` to the top of the code (inside the try-catch) and this will act as if we set `--ignore-checksums` for this specific package, allowing it to install correctly.

EDIT: This seems to not get pushed through unless we remove the current choco package in our myget cache.
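As an added illustration of the approach this comment describes (the PR's own diff is not shown on the page, so this is not its code), here is a sketch of a `chocolateyinstall.ps1` that sets the variable inside the try-catch and, because the checksum is no longer enforced, verifies the download's Authenticode signature instead so the file is still pinned to a known publisher. The tool name, URL, install directory and expected signer subject are placeholders, not values from the PR; `Get-ChocolateyWebFile` and `Get-AuthenticodeSignature` are the real Chocolatey helper and PowerShell cmdlet.

```powershell
$ErrorActionPreference = 'Stop'

# Placeholder package values (assumptions, not taken from the PR or VM-Packages).
$toolName       = 'ExampleTool'
$url            = 'https://example.invalid/ExampleTool.exe'        # placeholder download URL
$expectedSigner = 'CN=Example Publisher, O=Example Publisher, C=US' # placeholder certificate subject
$toolDir        = Join-Path ${Env:ProgramData} "placeholder\$toolName"

try {
    # Scoped to this package's install: equivalent to passing --ignore-checksums
    # for this package only, as the PR description explains.
    $env:ChocolateyIgnoreChecksums = $true

    New-Item -ItemType Directory -Force -Path $toolDir | Out-Null
    $exePath = Join-Path $toolDir "$toolName.exe"
    Get-ChocolateyWebFile -PackageName $toolName -FileFullPath $exePath -Url $url

    # No checksum is pinned, so the Authenticode signature must stand in for it:
    # the chain must validate AND the signer must be the publisher we expect.
    $sig = Get-AuthenticodeSignature -FilePath $exePath
    if ($sig.Status -ne 'Valid') {
        throw "$toolName signature status is '$($sig.Status)'; refusing to install"
    }
    if ($sig.SignerCertificate.Subject -ne $expectedSigner) {
        throw "Unexpected signer '$($sig.SignerCertificate.Subject)' for $toolName"
    }
    Write-Host "Verified $toolName is signed by $($sig.SignerCertificate.Subject)"

    Install-BinFile -Name $toolName -Path $exePath
} catch {
    # Surface the failure to Chocolatey so the package install is reported as failed.
    throw
}
```

Comparing the subject string is the minimum check; pinning the signer certificate's thumbprint (`$sig.SignerCertificate.Thumbprint`) is stricter, at the cost of having to update the package whenever the publisher rotates its certificate.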

@emtuls emtuls self-assigned this Apr 23, 2024
@emtuls emtuls requested a review from Ana06 April 23, 2024 16:07
@emtuls emtuls added 🐛 bug Something isn't working ❔ discussion Further discussion is needed 🌀 FLARE-VM A package or feature to be used by FLARE-VM labels Apr 23, 2024
@emtuls (Member, Author) commented Apr 23, 2024

Hmmm. It seems that our test_upload uses the test_install.ps1 script which only does a forced upgrade rather than a forced install, which leads to the package not actually attempting to install the updated package?

This first screenshot is the old package installing with failure locally:
[screenshot]

Then here is the attempt with the update, using the test_install.ps1 script, which still fails:
[screenshot]

But, if I pack it manually and force an install with `choco install "regcool.vm" --source="C:\Users\Emtuls\FlareVM\VM-Packages\packages\regcool.vm" -y --force`, then it works just fine:
[screenshot]

@Ana06 (Member) commented May 22, 2024

@emtuls

> For some reason, it seems that when we don't pass in a checksum for certain choco functions, chocolatey automatically attempts to validate the checksum of the newly downloaded file against the checksum of the previous package stored in the cache in our sources.

I have checked the Chocolatey code and this is not the case. As explained in #1004 (comment), the problem with regcool.vm is that we decreased the package version without deleting the older versions from MyGet. The issue is fixed now.

But I do like some of the ideas in this PR, like checking or at least rendering who is signing the package. I think we should discuss what part of this implementation we want to keep and adapt the other packages using signature validated files as well.

@Ana06 (Member) commented Nov 6, 2024

#1157 improves how we verify the tools using signatures. So we can close this PR.

@Ana06 Ana06 closed this Nov 6, 2024
Linked issue that merging this pull request may close: regcool uses URL without the version