chtof / chocolatey-packages

Apache License 2.0

updating package to get checksum dynamically #72

Closed aboutte closed 5 months ago

aboutte commented 2 years ago

The currently hardcoded value for checksum is outdated (correct value as of today is 24f8bef55aeea8d6f778381989dcfa4c7bc3b26a4a82afeeefe62cb5d1da10ff) which causes package install to fail. I have updated the logic to get the current checksum from this SHA256SUMS file hosted by Perforce.

chtof commented 1 year ago

You can't generate the checksum on the fly during the installation. The checksum is to ensure the binary scanned by the antivirus during the Chocolatey review is the same as the one installed.

aboutte commented 1 year ago

I got this idea from another project. Is generating the checksum on the fly something that will fail in this review process you mention or is it more of "this isn't best practice"?

chtof commented 5 months ago

Ok, this project checks the checksum from the publisher website, so it ensures the software is really the one provided on the website. But it makes no sense to check the checksum on the fly in the Chocolatey script: calculating the checksum on the fly will always work, even if the downloaded software is not the same, for various reasons.

From: https://docs.chocolatey.org/en-us/create/functions/get-checksumvalid

"Checksums are used to provide as a means of cryptographically ensuring the contents of a file have not been changed. While some cryptographic algorithms, including MD5 and SHA1, are no longer considered secure against attack, the goal of a checksum algorithm is to make it extremely difficult (near impossible with better algorithms) to alter the contents of a file (whether by accident or for malicious reasons) and still result in the same checksum signature."
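The two approaches the thread contrasts, side by side in a chocolateyinstall.ps1 shape, as an added example that is neither the project's code nor the PR's diff. The package name, download URLs and file name are placeholders; the checksum is the value quoted in the PR description.

```powershell
# Added illustration (not code from chtof/chocolatey-packages or from PR #72).
# Placeholder URLs and file name; the pinned hash is the value the reporter quoted.
$ErrorActionPreference = 'Stop'
$toolsDir = Split-Path -Parent $MyInvocation.MyCommand.Definition
$url      = 'https://example.invalid/downloads/tool.exe'     # placeholder
$sumsUrl  = 'https://example.invalid/downloads/SHA256SUMS'   # placeholder
$fileName = 'tool.exe'                                       # placeholder

# --- What the PR proposed (weak): derive the "expected" hash at install time from
# the publisher's SHA256SUMS. Whatever the server serves today becomes the expected
# value, so the comparison passes for any file the server hands out, including one
# that differs from the binary scanned during Chocolatey moderation. The hash then
# no longer ties the install to the reviewed artifact.
function Get-DynamicChecksum {
    $sums = (New-Object System.Net.WebClient).DownloadString($sumsUrl)
    $line = $sums -split "`n" | Where-Object { $_ -match [regex]::Escape($fileName) }
    if (-not $line) { throw "No entry for $fileName in SHA256SUMS" }
    return ($line -split '\s+')[0]   # first token of "<hash>  <file>"
}
# $checksum = Get-DynamicChecksum   # <- rejected by the maintainer, see above

# --- What the maintainer requires: pin the hash in the script. It is a constant
# reviewed together with the package. When the publisher ships a new binary the
# install fails (the outdated-hash failure the reporter hit), and a new package
# version carrying the new hash has to go through review again.
$checksum     = '24f8bef55aeea8d6f778381989dcfa4c7bc3b26a4a82afeeefe62cb5d1da10ff'
$checksumType = 'sha256'

$packageArgs = @{
    PackageName  = $env:ChocolateyPackageName
    FileFullPath = Join-Path $toolsDir $fileName
    Url          = $url
    Checksum     = $checksum
    ChecksumType = $checksumType
}
# Get-ChocolateyWebFile downloads the file and aborts the install when its SHA-256
# differs from the pinned value.
Get-ChocolateyWebFile @packageArgs
```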