chocolatey / choco

Chocolatey - the package manager for Windows
https://chocolatey.org

Packages created with choco v2.2.2 are incompatible with choco v1.4.0 if the included data contains special characters #3458

Open Schroedingers-Cat opened 1 month ago

Schroedingers-Cat commented 1 month ago

What You Are Seeing?

Packages created with the current chocolatey version 2.2.2 are incompatible with chocolatey 1.4.0 if the included data contains a special character like { or }. Packages affected by this won't install because "The package was not found with the source(s) listed."

What is Expected?

I'd expect packages created with chocolatey v2.2.2 to also work with chocolatey v1.4.0 if the dependencies are met.

How Did You Get This To Happen?

  1. Build this package with v2.2.2: choco-140-incompat-source.zip
  2. Then install it with chocolatey v1.4.0 (for instance from a docker image) with a file based source (-s "." for the current directory). Choco won't find the package.
  3. Rebuild the package with choco v1.4.0
  4. Installing with choco v1.4.0 and v2.2.2 works fine

For reference, here are the packages built with the respective choco versions: choco-140-incompat-created-with-140.zip, choco-140-incompat-created-with-222.zip

Installed Packages

Doesn't matter for this issue

Output Log

choco install choco-140-incompat -s "'.'" -yd
Chocolatey v1.4.0
Chocolatey is running on Windows v 10.0.17763.0
Command line: "C:\ProgramData\chocolatey\choco.exe" install choco-140-incompat -s '.' -yd
Received arguments: install choco-140-incompat -s '.' -yd
Performing validation checks.
Global Configuration Validation Checks:
 - Package Exit Code / Exit On Reboot = Checked
System State Validation Checks:
 Reboot Requirement Checks:
 - Pending Computer Rename = Checked
 - Pending Component Based Servicing = Checked
 - Pending Windows Auto Update = Checked
 - Pending File Rename Operations = Checked
 - Pending Windows Package Installer = Checked
 - Pending Windows Package Installer SysWow64 = Checked
The source '.' evaluated to a 'normal' source type

NOTE: Hiding sensitive configuration data! Please double and triple
 check to be sure no sensitive data is shown, especially if copying
 output to a gist for review.
Configuration: CommandName='install'|
CacheLocation='C:\Users\ContainerAdministrator\AppData\Local\Temp\chocolatey'|

ContainsLegacyPackageInstalls='True'|
CommandExecutionTimeoutSeconds='2700'|WebRequestTimeoutSeconds='30'|
Sources='.'|SourceType='normal'|Debug='True'|Verbose='False'|
Trace='False'|Force='False'|Noop='False'|HelpRequested='False'|
UnsuccessfulParsing='False'|RegularOutput='True'|QuietOutput='False'|
PromptForConfirmation='False'|DisableCompatibilityChecks='False'|
AcceptLicense='True'|AllowUnofficialBuild='False'|
Input='choco-140-incompat'|AllVersions='False'|
SkipPackageInstallProvider='False'|SkipHookScripts='False'|
PackageNames='choco-140-incompat'|Prerelease='False'|ForceX86='False'|
OverrideArguments='False'|NotSilent='False'|
ApplyPackageParametersToDependencies='False'|
ApplyInstallArgumentsToDependencies='False'|IgnoreDependencies='False'|
AllowMultipleVersions='False'|AllowDowngrade='False'|
ForceDependencies='False'|PinPackage='False'|
Information.PlatformType='Windows'|
Information.PlatformVersion='10.0.17763.0'|
Information.PlatformName='Windows Server 2016'|
Information.ChocolateyVersion='1.4.0.0'|
Information.ChocolateyProductVersion='1.4.0'|
Information.FullName='choco, Version=1.4.0.0, Culture=neutral, PublicKeyToken=79d02ea9cad655eb'|

Information.Is64BitOperatingSystem='True'|
Information.Is64BitProcess='True'|Information.IsInteractive='False'|
Information.UserName='ContainerAdministrator'|
Information.UserDomainName='User Manager'|
Information.IsUserAdministrator='True'|
Information.IsUserSystemAccount='False'|
Information.IsUserRemoteDesktop='False'|
Information.IsUserRemote='True'|
Information.IsProcessElevated='True'|
Information.IsLicensedVersion='False'|Information.LicenseType='Foss'|
Information.CurrentDirectory='C:\mnt\choco-plugins\choco-140-incompat'|

Features.AutoUninstaller='True'|Features.ChecksumFiles='True'|
Features.AllowEmptyChecksums='False'|
Features.AllowEmptyChecksumsSecure='True'|
Features.FailOnAutoUninstaller='False'|
Features.FailOnStandardError='False'|Features.UsePowerShellHost='True'|
Features.LogEnvironmentValues='False'|Features.LogWithoutColor='False'|
Features.VirusCheck='False'|
Features.FailOnInvalidOrMissingLicense='False'|
Features.IgnoreInvalidOptionsSwitches='True'|
Features.UsePackageExitCodes='True'|
Features.UseEnhancedExitCodes='False'|
Features.UseFipsCompliantChecksums='False'|
Features.ShowNonElevatedWarnings='True'|
Features.ShowDownloadProgress='True'|
Features.StopOnFirstPackageFailure='False'|
Features.UseRememberedArgumentsForUpgrades='False'|
Features.IgnoreUnfoundPackagesOnUpgradeOutdated='False'|
Features.SkipPackageUpgradesWhenNotInstalled='False'|
Features.RemovePackageInformationOnUninstall='False'|
Features.ExitOnRebootDetected='False'|
Features.LogValidationResultsOnWarnings='True'|
Features.UsePackageRepositoryOptimizations='True'|
ListCommand.LocalOnly='False'|ListCommand.IdOnly='False'|
ListCommand.IncludeRegistryPrograms='False'|ListCommand.PageSize='25'|
ListCommand.Exact='False'|ListCommand.ByIdOnly='False'|
ListCommand.ByTagOnly='False'|ListCommand.IdStartsWith='False'|
ListCommand.OrderByPopularity='False'|ListCommand.ApprovedOnly='False'|
ListCommand.DownloadCacheAvailable='False'|
ListCommand.NotBroken='False'|
ListCommand.IncludeVersionOverrides='False'|
UpgradeCommand.FailOnUnfound='False'|
UpgradeCommand.FailOnNotInstalled='False'|
UpgradeCommand.NotifyOnlyAvailableUpgrades='False'|
UpgradeCommand.ExcludePrerelease='False'|
NewCommand.AutomaticPackage='False'|
NewCommand.UseOriginalTemplate='False'|SourceCommand.Command='unknown'|
SourceCommand.Priority='0'|SourceCommand.BypassProxy='False'|
SourceCommand.AllowSelfService='False'|
SourceCommand.VisibleToAdminsOnly='False'|
FeatureCommand.Command='unknown'|ConfigCommand.Command='unknown'|
ApiKeyCommand.Remove='False'|PinCommand.Command='unknown'|
OutdatedCommand.IgnorePinned='False'|
ExportCommand.IncludeVersionNumbers='False'|Proxy.BypassOnLocal='True'|
TemplateCommand.Command='unknown'|
_ Chocolatey:ChocolateyInstallCommand - Normal Run Mode _
Installing the following packages:
choco-140-incompat
By installing, you accept licenses for the packages.
Using '.'.
- Supports prereleases? 'True'.
- Is ServiceBased? 'False'.
choco-140-incompat not installed. The package was not found with the source(s) listed.
 Source(s): '.'
 NOTE: When you specify explicit sources, it overrides default sources.
If the package version is a prerelease and you didn't specify `--pre`,
 the package may not be found.
Please see https://docs.chocolatey.org/en-us/troubleshooting for more
 assistance.

Chocolatey installed 0/1 packages. 1 packages failed.
 See the log for details (C:\ProgramData\chocolatey\logs\chocolatey.log).

Failures
 - choco-140-incompat - choco-140-incompat not installed. The package was not found with the source(s) listed.
 Source(s): '.'
 NOTE: When you specify explicit sources, it overrides default sources.
If the package version is a prerelease and you didn't specify `--pre`,
 the package may not be found.
Please see https://docs.chocolatey.org/en-us/troubleshooting for more
 assistance.

Enjoy using Chocolatey? Explore more amazing features to take your
experience to the next level at
 https://chocolatey.org/compare
Exiting with 1

Additional Context

Rebuilding packages affected by this with chocolatey v1.4.0 fixes the problem.

Also, replacing the special characters in [Content_Types].xml fixes the issue. For instance, from this:

<!-- this only works with chocolatey v2.2.2 -->
  <Override PartName="/bin/data/{111A11A1-1111-1111-A111-AA111111A111}" ContentType="application/octet" />

to this:

<!-- this works with both chocolatey v2.2.2 and v1.4.0 -->
  <Override PartName="/bin/data/%7B111A11A1-1111-1111-A111-AA111111A111%7D" ContentType="application/octet" />

TheCakeIsNaOH commented 1 month ago

To my understanding, this issue may lie in the System.IO.Packaging code that parses the .nupkg, where it cannot parse the special characters. Assuming that is the case, it may not be possible to easily fix on the v1 side. It may require escaping the text before the .nupkg is parsed by the packaging code, likely in the nuget-chocolatey assembly.

It should be possible to easily fix on v2 package creation side. I think all it would require is a call to html escape the filename for the override element in the package builder. This is because the newer NuGet assemblies are now more directly creating and parsing the packages instead of relying on System.IO.Packaging.

https://github.com/chocolatey/NuGet.Client/blob/fd581a266557b3891e16faf4652f28a37ba29685/src/NuGet.Core/NuGet.Packaging/PackageCreation/Authoring/PackageBuilder.cs#L1359-L1364
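
The [Content_Types].xml workaround from the report, applied to a built .nupkg before it is published to a source that v1.4.0 clients read. This is an added example, not code from Chocolatey, NuGet or anyone in this thread; the function names, the sample XML wrapper and the choice to leave RFC 3986 path-segment characters unescaped are assumptions.

```python
import io
import re
import zipfile
from urllib.parse import quote, unquote

CONTENT_TYPES = "[Content_Types].xml"
# RFC 3986 path-segment characters kept as-is (quote() already keeps A-Z a-z 0-9 - . _ ~).
SEGMENT_SAFE = "!$&'()*+,;=:@"
PART_NAME = re.compile(r'(<Override\b[^>]*?\bPartName=")([^"]*)"')

# Constructed sample built around the Override line quoted in the issue.
SAMPLE = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          '<Default Extension="nuspec" ContentType="application/octet" />'
          '<Override PartName="/bin/data/{111A11A1-1111-1111-A111-AA111111A111}" '
          'ContentType="application/octet" /></Types>')


def encode_part_name(name):
    """Percent-encode each path segment; existing escapes are decoded first, so none is doubled."""
    return "/".join(quote(unquote(s), safe=SEGMENT_SAFE) for s in name.split("/"))


def fix_content_types(xml_text):
    """Return (xml, changed); changed lists the PartName values that were rewritten."""
    changed = []

    def repl(match):
        fixed = encode_part_name(match.group(2))
        if fixed != match.group(2):
            changed.append(match.group(2))
        return match.group(1) + fixed + '"'

    return PART_NAME.sub(repl, xml_text), changed


def repack(nupkg_bytes):
    """Copy a .nupkg (zip archive) in memory, rewriting only [Content_Types].xml."""
    out, changed = io.BytesIO(), []
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = src.read(info)
            if info.filename == CONTENT_TYPES:
                text, changed = fix_content_types(data.decode("utf-8-sig"))
                data = text.encode("utf-8")
            dst.writestr(info, data)
    return out.getvalue(), changed


if __name__ == "__main__":
    print(fix_content_types(SAMPLE)[0])
```
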

pauby commented 4 weeks ago

Thanks for raising this issue.

We only support the latest version of Chocolatey CLI for community users, which is currently 2.2.2. Version 1.x is only supported for customers.

Customers are likely to be using only one major version of Chocolatey CLI and not mixing them.

To encounter this, a customer would need to have a package with a filename containing special characters and be packing for Chocolatey CLI 1.x using Chocolatey CLI 2.x. This is a very niche issue.

The workaround (mentioned on Discord?) could be to zip up the files with the special characters and extract them from the package.

If a customer does encounter this, please reach out to the Chocolatey Support Team by running choco support to find your options.