git-tfs / git-tfs

A Git/TFS bridge, similar to git-svn
http://git-tfs.com/
Apache License 2.0

Add checksum to chocolatey package #984

Open spraints opened 8 years ago

spraints commented 8 years ago

Excerpts from the most recent newsletter:

Checksums Required For All Future Package Approvals

tl;dr - Moving forward packages will not be approved without checksums if they download remote resources (exact date to be determined). This includes trusted packages.

How can I calculate checksums?

  1. Install checksum - choco install checksum
  2. Download the binaries you want to use with the package.
  3. Call checksum -t sha256 -f path\to\file. Add that to your function arguments. See PowerShell Function Reference to learn how to pass those to the function you are using (another method is to use choco new pkgname from newest version of choco and using output to update your package). NOTE: Checksums should be calculated during package build time where the result of the checksum is added to the package, not calculated at runtime. Calculating at runtime defeats the purpose of checksumming as a measure of protection.

How do I calculate checksums with automatic packaging?

That's a great question. One of our community maintainers and moderators maintains over 900 packages using automatic packaging and does exactly this. He has provided examples and the code for hooking into the auto updating is at @dtgm's Chocolatey Packages - Ketarin Checksum Settings.

Another tool up and coming for automatic packaging is AU, https://github.com/majkinetor/au. AU uses a PowerShell module to run and doesn't require any templating. When used with packaging, it uses an Update.ps1 file to determine what to replace in the package files. Miodrag, the author of AU, just added automatic checksumming to AU this week so it will pull down x86/x64 urls and provide sha256 checksums automatically to be used for replacement in packages.

We will be adding better instructions on how to do this in the Automatic Packaging documentation.

Actions Moving Forward

  • Choco tools default to safety - the next version of Chocolatey due out early next week won't allow empty checksums by default. They will have switches and a feature to adjust this behavior. See chocolatey/choco#112 and chocolatey/choco#895.
  • Choco tools will include a consumer override for checksums (consumer provides checksum instead of using package checksum).
  • The validator will require checksums when downloading from the internet. choco pack will include validation (subset of the package validator used on the community repository).
  • VirusTotal checks will become part of automated moderation and findings will flag a package for human review.
  • Some validator findings may flag a package for human review. This will hold a trusted package for some additional safety checks.
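The build-time step the excerpt describes, as an added example (this is not code from git-tfs, from Chocolatey or from the newsletter): a PowerShell build script downloads the release artifact once on the packaging machine, hashes it with Get-FileHash (the PowerShell 4+ equivalent of `checksum -t sha256 -f path\to\file`), and writes the resulting hash as a literal into tools\chocolateyInstall.ps1. The install script never computes a hash itself; it only hands the pinned value to Install-ChocolateyZipPackage, whose `-Checksum` and `-ChecksumType` parameters are the standard Chocolatey helper parameters. The release URL and the package id `gittfs` are placeholders.

```powershell
# Added example, not git-tfs's own packaging code.
# Assumptions: $ReleaseUrl is a placeholder; Get-FileHash needs PowerShell 4+;
# the package id 'gittfs' is illustrative.
param(
    [string]$ReleaseUrl = 'https://example.invalid/GitTfs-PLACEHOLDER.zip',
    [string]$ToolsDir   = (Join-Path (Get-Location) 'tools')
)

$ErrorActionPreference = 'Stop'

# 1. Download the artifact once, here, on the build machine.
$artifact = Join-Path ([IO.Path]::GetTempPath()) 'package-artifact.zip'
Invoke-WebRequest -Uri $ReleaseUrl -OutFile $artifact

# 2. Hash it at build time. This is the value that gets pinned in the package;
#    the consumer's machine later compares its own download against it.
$sha256 = (Get-FileHash -Path $artifact -Algorithm SHA256).Hash.ToLower()

# 3. Template for chocolateyInstall.ps1. Single-quoted here-string: nothing in it
#    is expanded now, so the $-prefixed names survive into the emitted script.
$template = @'
$ErrorActionPreference = 'Stop'
$toolsDir = Split-Path -Parent $MyInvocation.MyCommand.Definition

$packageArgs = @{
    PackageName   = 'gittfs'
    Url           = '__URL__'
    UnzipLocation = $toolsDir
    Checksum      = '__SHA256__'   # literal baked in at build time, never computed at install time
    ChecksumType  = 'sha256'
}
Install-ChocolateyZipPackage @packageArgs
'@

# 4. Substitute the pinned values (plain string Replace, no regex surprises) and write the script.
$installScript = $template.Replace('__URL__', $ReleaseUrl).Replace('__SHA256__', $sha256)

New-Item -ItemType Directory -Force -Path $ToolsDir | Out-Null
Set-Content -Path (Join-Path $ToolsDir 'chocolateyInstall.ps1') -Value $installScript -Encoding UTF8
Write-Host "Pinned SHA256 $sha256 for $ReleaseUrl into $ToolsDir\chocolateyInstall.ps1"
```

Run this as part of the package build (manually, or from an AU Update.ps1 or Ketarin hook) so the hash in the committed chocolateyInstall.ps1 always matches the artifact that was actually inspected; if the remote file is later replaced, the install fails the checksum comparison instead of silently running the new binary.
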

ferventcoder commented 8 years ago

@spraints We are spending more time considering whether checksums for HTTPS is really required to be a default "on" setting or if folks could switch it on for more security. Feel free to provide comments on 895.