fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

fleetd-base.msi can't be updated because the sha256 checksum is hardcoded in Fleet #19176

Closed roperzh closed 2 months ago

roperzh commented 4 months ago

Fleet version: 4.49.4


💥  Actual behavior

With #18194 we are able to ship updated fleetd-base.msi installers with each fleetd release, however we had to rollback the changes because the sha256 checksum of the file is hardcoded in Fleet.

🧑‍💻  Steps to reproduce

See https://github.com/fleetdm/fleet/issues/19105

🕯️ More info (optional)

The checksum is hardcoded here:

https://github.com/fleetdm/fleet/blob/ae24e6e698a27bf39a7cc27a174e9a5cd92709a4/server/service/microsoft_mdm.go#L1352-L1355

Documentation about the CSP is here: https://learn.microsoft.com/en-us/windows/client-management/mdm/enterprisedesktopappmanagement-csp

The fix will need to be backward compatible so that older versions of Fleet don't break.

getvictor commented 4 months ago

@getvictor: We also have a race condition. The base-fleetd file may be updated after the SHA was sent/downloaded to the device. We need a solution. Maybe MDM can check if install happened. If not, resend the command?

@roperzh good catch, the challenge there is that the MDM protocol always returns an "OK" for software installs, and then tries to actually install the software asynchronously afterwards.

Without osquery on the host, getting the installed software is a bit challenging (we currently don't have any way to "ingest" data using the MDM protocol, IF we can even get that data).

Maybe some heuristic, like "if you're not osquery enrolled after 15 minutes we retry".
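The two problems raised so far, a checksum literal that has to be edited for every fleetd release and a file that can change after the hash has already been sent to the device, are both checksum-handling logic, so here is an added Go example (not Fleet's code, and not the fix that eventually shipped) showing one shape a backward-compatible fix can take: read the digest from a per-release manifest when one is available, fall back to the pinned literal when it is not, and verify the downloaded bytes against the digest that was actually sent so the race surfaces as an error instead of a silent failed install. The manifest field names, the placeholder fallback value, and the lowercase-hex comparison are assumptions for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// installerManifest is a hypothetical manifest published alongside each
// fleetd release. The field names are an assumption for this example, not
// Fleet's actual manifest format.
type installerManifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"`
}

// legacyFleetdBaseSHA256 stands in for the checksum literal the issue
// describes as hardcoded in server/service/microsoft_mdm.go. The value is a
// constructed placeholder, not the real checksum.
const legacyFleetdBaseSHA256 = "0000000000000000000000000000000000000000000000000000000000000000"

// sha256Hex returns the lowercase hex SHA-256 digest of data.
func sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// isSHA256Hex reports whether s is a well-formed 64-character hex digest.
func isSHA256Hex(s string) bool {
	if len(s) != 64 {
		return false
	}
	_, err := hex.DecodeString(s)
	return err == nil
}

// resolveChecksum picks the digest to embed in the MSI install command.
// A manifest, when present, wins; no manifest at all falls back to the
// legacy literal so that older deployments keep working. A manifest that is
// present but malformed is an error rather than a silent fallback: serving
// junk must not be enough to push the server back onto a stale digest.
func resolveChecksum(manifestJSON []byte) (string, error) {
	if len(manifestJSON) == 0 {
		return legacyFleetdBaseSHA256, nil
	}
	var m installerManifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return "", fmt.Errorf("parse installer manifest: %w", err)
	}
	sum := strings.ToLower(strings.TrimSpace(m.SHA256))
	if !isSHA256Hex(sum) {
		return "", fmt.Errorf("installer manifest: sha256 %q is not a 64-char hex digest", m.SHA256)
	}
	return sum, nil
}

// verifyInstaller compares the bytes actually downloaded against the digest
// that went out in the MDM command. A mismatch is the race described above:
// the published file was replaced after the hash was sent.
func verifyInstaller(data []byte, sentSHA256 string) error {
	got := sha256Hex(data)
	if !strings.EqualFold(got, sentSHA256) {
		return fmt.Errorf("fleetd-base.msi checksum mismatch: command carried %s, download hashes to %s (installer updated after the command was issued?)", sentSHA256, got)
	}
	return nil
}

func main() {
	// Constructed sample installer bytes and manifest; not a real MSI.
	installer := []byte("constructed fleetd-base.msi contents v1.25.0")
	manifest := []byte(fmt.Sprintf(`{"version":"1.25.0","url":"https://example.invalid/fleetd-base.msi","sha256":%q}`, sha256Hex(installer)))

	sum, err := resolveChecksum(manifest)
	if err != nil {
		panic(err)
	}
	fmt.Println("digest to send in the install command:", sum)
	fmt.Println("fresh download verifies:", verifyInstaller(installer, sum))

	// Simulate the race: a new release replaces the file after the hash was sent.
	updated := []byte("constructed fleetd-base.msi contents v1.26.0")
	fmt.Println("download after a new release:", verifyInstaller(updated, sum))

	// No manifest reachable: behave like an older Fleet.
	sum, _ = resolveChecksum(nil)
	fmt.Println("fallback without manifest:", sum)
}
```

The verify step is where the race becomes observable on the server side: if Fleet (or a later osquery-based check) can compare what the host ended up with against what the command carried, "re-send the command" becomes a decision driven by a concrete mismatch rather than only by a timer heuristic.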

lukeheath commented 4 months ago

@roperzh As part of this effort, would you please include contributor docs explaining the manifest usage? Thanks!

roperzh commented 4 months ago

This is currently blocked by https://github.com/fleetdm/fleet/issues/19182, I left https://github.com/fleetdm/fleet/issues/19182#issuecomment-2153077228 outlining what we need.

roperzh commented 3 months ago

Un-assigning myself from this as it can't be currently worked on.

roperzh commented 3 months ago

This is not blocked anymore, and it's ready to test. No special setup needed.

PezHub commented 3 months ago

Checked the logs after turning on MDM for macOS and Windows hosts and verified the versions of orbit and osquery are the latest.

*I'll need to test this for Azure enrolled hosts once it makes it over to Dogfood.

fleet-release commented 2 months ago

Updating fleet's core, Checksum adapts like leaves, Old versions endure.