search

microsoft / winget-cli

WinGet is the Windows Package Manager. This project includes a CLI (Command Line Interface), PowerShell modules, and a COM (Component Object Model) API (Application Programming Interface).
https://learn.microsoft.com/windows/package-manager/
MIT License
22.5k stars 1.39k forks source link

[Dependencies] - Manifest validation errors with msstore package identifier #3271

Open Trenly opened 1 year ago

Trenly commented 1 year ago

Brief description of your issue

Some packages may depend on programs from the Microsoft Store like Xbox Game Bar. Adding these packages as dependencies throws a manifest validation error. Ignoring the validation error, the dependencies install correctly

Steps to reproduce

Dependencies:
  PackageDependencies:
    - PackageIdentifier: 9NZKPSTSNW4P

Expected behavior

Manifest validation to succeed

Actual behavior

Manifest Error: Schema Error. [Schema validation failed.
Error context: <root>[Dependencies][PackageDependencies][0][PackageIdentifier] Description: Failed to match regex specified by 'pattern' constraint.
Error context: <root>[Dependencies][PackageDependencies][0] Description: Failed to validate against schema associated with property name 'PackageIdentifier'.
Error context: <root>[Dependencies][PackageDependencies] Description: Failed to validate item #0 in array.
Error context: <root>[Dependencies] Description: Failed to validate against schema associated with property name 'PackageDependencies'.
Error context: <root> Description: Failed to validate against schema associated with property name 'Dependencies'.
]

Environment

PS D:\Git\winget-pkgs> winget --info
Windows Package Manager (Preview) v1.5.1361-preview
Copyright (c) Microsoft Corporation. All rights reserved.

Windows: Windows.Desktop v10.0.19044.2965
System Architecture: X64
Package: Microsoft.DesktopAppInstaller v1.20.1361.0

Winget Directories
-------------------------------------------------------------------------------------------------------------------------------
Logs                               %LOCALAPPDATA%\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\DiagOutputDir
User Settings                      %LOCALAPPDATA%\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\settings.json
Portable Links Directory (User)    %LOCALAPPDATA%\Microsoft\WinGet\Links
Portable Links Directory (Machine) C:\Program Files\WinGet\Links
Portable Package Root (User)       %LOCALAPPDATA%\Microsoft\WinGet\Packages
Portable Package Root              C:\Program Files\WinGet\Packages
Portable Package Root (x86)        C:\Program Files (x86)\WinGet\Packages

Links
---------------------------------------------------------------------------
Privacy Statement   https://aka.ms/winget-privacy
License Agreement   https://aka.ms/winget-license
Third Party Notices https://aka.ms/winget-3rdPartyNotice
Homepage            https://aka.ms/winget
Windows Store Terms https://www.microsoft.com/en-us/storedocs/terms-of-sale

Admin Setting                             State
--------------------------------------------------
LocalManifestFiles                        Enabled
BypassCertificatePinningForMicrosoftStore Disabled
InstallerHashOverride                     Disabled
LocalArchiveMalwareScanOverride           Enabled
Trenly commented 1 year ago

@stephengillie - can I also request Dependencies and Area-Manifest labels?

denelon commented 1 year ago

We haven't really been considering "cross-source" dependencies. That's an area of complexity and security concerns. For now, we treat them as "same source only".

OfficialEsco commented 5 months ago

I got an interesting Cross-source issue then https://github.com/microsoft/winget-pkgs/pull/132856 Lenovo Vantage Service is a piece of silly software that you HAVE to install AFTER installing Lenovo Vantage, which is only available in the store... This creates a issue in InTune where your users are not Administrator as it requires Administrator to install this. (You could obv add a dependency to this in InTune but nevermind that)

Isn't the store repo a verified trusted source?

Trenly commented 5 months ago

I got an interesting Cross-source issue then microsoft/winget-pkgs#132856 Lenovo Vantage Service is a piece of silly software that you HAVE to install AFTER installing Lenovo Vantage, which is only available in the store... This creates a issue in InTune where your users are not Administrator as it requires Administrator to install this. (You could obv add a dependency to this in InTune but nevermind that)

Isn't the store repo a verified trusted source?

I think the main issue with Cross-Source dependencies is that they would fail if the user has removed the source. For example, I usually remove the msstore source on my dev machine since I don't need it, and when I query for packages it's usually to see whether or not they already exist in the repo and I don't like having to specify -s winget on every command