microsoft / winget-cli

WinGet is the Windows Package Manager. This project includes a CLI (Command Line Interface), PowerShell modules, and a COM (Component Object Model) API (Application Programming Interface).
https://learn.microsoft.com/windows/package-manager/
MIT License

Add and Validate NestedInstallerSha256 #2545

Open Trenly opened 1 year ago

Trenly commented 1 year ago

Description of the new feature / enhancement

Some applications distributed through zip files or other archive types are no longer in active development. In other cases, these installers may not be available from the original publisher, but may still be safe. Although hash collisions are rare in any scenario, a malicious actor with sufficient knowledge of compression algorithms can force a hash collision much more easily on an archive type installer than on other types of installers. This creates a scenario where, in some cases but certainly not all, having and verifying the hash of the nested installer would provide an additional layer of security.

One great example of this is Universal Silent Switch Finder (USSF). The software is no longer under active development and is only available from insecure sites. However, the application is known to be safe with the current hash. Being able to add the nested installer hash for an additional verification would make me as a user feel more secure knowing that both the file being downloaded and the file being installed are being verified.

I am aware of the InstallationMetadata which allows for an optional hash to be supplied for ensuring the install is detected correctly, but this doesn't seem to be related to validation before install.

Proposed technical implementation details

Add an optional NestedInstallerSha256 key, valid when installer type is Zip
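The check this proposal describes, hashing the nested file inside the downloaded archive and comparing it against a manifest value before install, as an added Python example that is not winget's own code. `NestedInstallerSha256` is the proposed (not yet existing) key, the entry shape with `RelativeFilePath` is assumed to mirror a manifest's NestedInstallerFiles item, and the archive contents are constructed sample data.

```python
import hashlib
import hmac
import io
import zipfile

# Constructed sample: a tiny "archive installer" holding one nested installer.
# The bytes stand in for a real executable; they are not a real program.
NESTED_PATH = "USSF/ussf.exe"
NESTED_BYTES = b"MZ-constructed-sample-installer-payload"
SAMPLE_SHA256 = hashlib.sha256(NESTED_BYTES).hexdigest()


def build_sample_archive() -> bytes:
    """Build an in-memory zip that plays the role of the downloaded installer."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(NESTED_PATH, NESTED_BYTES)
        zf.writestr("README.txt", b"unrelated file in the same archive")
    return buf.getvalue()


def sha256_of_member(archive: bytes, member: str) -> str:
    """Hash one archive member by streaming it, without writing it to disk."""
    # Reject paths that would escape an extraction directory (zip slip).
    if member.startswith(("/", "\\")) or ".." in member.split("/"):
        raise ValueError(f"unsafe nested path: {member}")
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        with zf.open(member) as fh:  # KeyError if the nested file is absent
            for chunk in iter(lambda: fh.read(64 * 1024), b""):
                h.update(chunk)
    return h.hexdigest()


def verify_nested_installer(archive: bytes, entry: dict) -> bool:
    """Return True only if the nested installer hashes to the manifest value.

    `entry` mirrors a NestedInstallerFiles item carrying the hypothetical
    NestedInstallerSha256 key proposed in this issue.
    """
    expected = entry["NestedInstallerSha256"].lower()
    actual = sha256_of_member(archive, entry["RelativeFilePath"])
    # Constant-time comparison so a mismatch does not leak which hex digit differs.
    return hmac.compare_digest(actual, expected)
```

The outer archive hash would still be checked first as winget does today; this step only adds the inner comparison between extraction and install.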

Trenly commented 1 year ago

@denelon @ryfu-msft - I understand that I'm asking for a bit of scope creep here, but is it possible this could be pulled into the initial 1.4 release? I'm no expert on implementation details, but given that infrastructure is already in place for validating hashes, I'm assuming this would be as "simple" as adding a WorkflowTask to validate files between extraction and install, and a small bit of additional logic in manifest validation.

Pipeline validation of nested hashes could be left as a separate enhancement request since they aren't currently being validated.

denelon commented 1 year ago

Related to:

Trenly commented 1 year ago

[Policy] Area-Manifest