chocolatey / chocolatey-ansible

The Chocolatey module collection for Ansible
GNU General Public License v3.0

win_chocolatey - add options for specifying checksums #114

Closed Harliff closed 1 year ago

Harliff commented 1 year ago

Is Your Feature Request Related To A Problem? Please describe.

Sometimes we all need to install a chocolatey package for which the original installer package has been updated but the maintainer has not yet updated the checksum in the chocolatey script. Currently, the only way to install such a Chocolatey package is to completely ignore the checksum (by setting "ignore_checksums = yes"), but this is not a very secure way. Ignoring the checksum can be dangerous: it makes users vulnerable to attacks such as MITM and "watering hole".

Can we mitigate it? Yes, we can!

Describe The Solution. Why is it needed?

The solution is to allow the user of the win_chocolatey module to provide the checksum themselves.

Implementing the use of the provided checksum to check the integrity of the downloaded installer does not seem like a difficult task, because Chocolatey itself has an option to use a custom checksum.

Additional Context

Related documentation:

Related Issues

No response

Harliff commented 1 year ago

The implementation can be quite simple (using only one checksum and fail if it's wrong) and advanced (using the provided checksum as a fallback if the checksum provided by the package maintainer differs from the actual checksum of the downloaded installer). Using the checksum as a fallback can be useful because a playbook/role will continue to work even when the installer publisher releases a new version and the Chocolatey package maintainer updates the checksum in the Chocolatey script.
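An added example (not from this issue thread or the chocolatey-ansible collection) of what the request amounts to today: the "advanced" fallback mode written as a re-attempt at playbook level, where the first try relies on the checksum embedded in the package and the rescue path passes an operator-supplied checksum to Chocolatey's own --download-checksum / --download-checksum-type options through win_command, since the module has no parameter for it. The package name and SHA-256 value are constructed placeholders.

```yaml
# Added example, not from the issue thread or the chocolatey-ansible collection.
# The package name and SHA-256 value are constructed placeholders.
- name: Install a package whose embedded checksum has gone stale
  hosts: windows
  vars:
    pkg_name: example.pkg
    pkg_version: "1.2.3"
    # Take this from the publisher's release page over HTTPS (or a signed
    # release note), never from the same mirror the installer is fetched from.
    pkg_sha256: "0000000000000000000000000000000000000000000000000000000000000000"
  tasks:
    # The workaround the issue describes is `ignore_checksums: yes` on
    # win_chocolatey, which switches verification off entirely. This playbook
    # keeps verification on in both branches below.
    - name: Install with the package maintainer's checksum, fall back to ours
      block:
        - name: Normal install (checksum embedded in the package must match)
          chocolatey.chocolatey.win_chocolatey:
            name: "{{ pkg_name }}"
            version: "{{ pkg_version }}"
            state: present
      rescue:
        # win_chocolatey has no parameter for a user-supplied checksum, so call
        # choco directly. --download-checksum / --download-checksum-type override
        # the checksum and type declared in the package script; a mismatch still
        # makes choco refuse the installer, so this is not a bypass.
        - name: Retry with the operator-supplied SHA-256
          ansible.windows.win_command: >-
            choco install {{ pkg_name }}
            --version={{ pkg_version }} --yes
            --download-checksum={{ pkg_sha256 }}
            --download-checksum-type=sha256
          register: choco_retry
          # Assumption: choco reports an existing install with the words
          # "already installed" on stdout; adjust if your choco version differs.
          changed_when: "'already installed' not in choco_retry.stdout"
```

Note that `rescue` runs on any failure of the first task (network errors included), not only a checksum mismatch; the retry is safe only because it performs its own checksum verification rather than disabling it.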

matglas commented 1 year ago

This feature should be really helpful. I have not been able to use any option for arguments to add the checksum, and having this as input Ansible properties would be really helpful.

vexx32 commented 1 year ago

Yeah, this sounds like a great idea 🙂

The implementation can be quite simple (using only one checksum and fail if it's wrong) and advanced (using the provided checksum as a fallback if the checksum provided by the package maintainer differs from the actual checksum of the downloaded installer).

@Harliff I think that your suggestion for the "advanced" case would be... difficult to do in any kind of reasonable way short of just re-attempting the install, as it's not a thing Chocolatey supports natively (as far as I recall). I'm not sure that's an especially great way for it to work UX-wise.

Rather, I would encourage you to make that feature request into https://github.com/chocolatey/choco itself, and the collection can then use that functionality by proxy.