microsoft / winget-cli

WinGet is the Windows Package Manager. This project includes a CLI (Command Line Interface), PowerShell modules, and a COM (Component Object Model) API (Application Programming Interface).
https://learn.microsoft.com/windows/package-manager/
MIT License

Incorrectly flagging msstore zoom as upgradable #3534

Open lunacd opened 1 year ago

lunacd commented 1 year ago

Brief description of your issue

winget expects a version string like 5.15.7.20303 but sees a version string of 5.15.7 (20303). winget then incorrectly flags this package as upgradable.

Steps to reproduce

  1. Install Zoom from msstore (XP99J3KP4XZ4VV)
  2. Run winget upgrade
  3. winget returns:
    Name                  Id               Version        Available    Source
    -------------------------------------------------------------------------
    Zoom                  XP99J3KP4XZ4VV   5.15.7 (20303) 5.15.7.20303 winget
  4. Notice the two version strings should mean the same thing.

Expected behavior

winget should not flag zoom as upgradable.

Actual behavior

winget thinks zoom is not up to date.

Environment

Windows Package Manager v1.5.2201
Copyright (c) Microsoft Corporation. All rights reserved.

Windows: Windows.Desktop v10.0.22621.2134
System Architecture: X64
Package: Microsoft.DesktopAppInstaller v1.20.2201.0

Winget Directories
-----------------------------------------------------------------------------------------------------------------------
Logs                               %LOCALAPPDATA%\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\Diag…
User Settings                      %LOCALAPPDATA%\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\sett…
Portable Links Directory (User)    %LOCALAPPDATA%\Microsoft\WinGet\Links
Portable Links Directory (Machine) C:\Program Files\WinGet\Links
Portable Package Root (User)       %LOCALAPPDATA%\Microsoft\WinGet\Packages
Portable Package Root              C:\Program Files\WinGet\Packages
Portable Package Root (x86)        C:\Program Files (x86)\WinGet\Packages

Links
---------------------------------------------------------------------------
Privacy Statement   https://aka.ms/winget-privacy
License Agreement   https://aka.ms/winget-license
Third Party Notices https://aka.ms/winget-3rdPartyNotice
Homepage            https://aka.ms/winget
Windows Store Terms https://www.microsoft.com/en-us/storedocs/terms-of-sale

Admin Setting                             State
--------------------------------------------------
LocalManifestFiles                        Disabled
BypassCertificatePinningForMicrosoftStore Disabled
InstallerHashOverride                     Disabled
LocalArchiveMalwareScanOverride           Disabled

Trenly commented 1 year ago

@denelon - This is especially interesting since the manifest over at winget-pkgs does include AppsAndFeaturesEntries with the display version as 5.15.7 (20303), along with the Display Name, Product Code, and Upgrade Code (for the msi).

It seems that the msstore installs the exe version, which writes the exact same AppsAndFeatures data of the x64 exe that is in the manifest at winget-pkgs.

msstore API response

```json
{ "$type": "Microsoft.Marketplace.Storefront.StoreEdgeFD.BusinessLogic.Response.PackageManifest.PackageManifestResponse, StoreEdgeFD",
  "Data": { "$type": "Microsoft.Marketplace.Storefront.StoreEdgeFD.BusinessLogic.Response.PackageManifest.PackageManifestData, StoreEdgeFD",
  "PackageIdentifier": "XP99J3KP4XZ4VV",
  "Versions": [ { "$type": "Microsoft.Marketplace.Storefront.StoreEdgeFD.BusinessLogic.Response.PackageManifest.PackageManifestVersion, StoreEdgeFD",
  "PackageVersion": "Unknown",
  "DefaultLocale": { "$type": "Microsoft.Marketplace.Storefront.StoreEdgeFD.BusinessLogic.Response.PackageManifest.DefaultLocale, StoreEdgeFD",
    "PackageLocale": "en",
    "Publisher": "Zoom Video Communications, Inc.",
    "PublisherUrl": "https://zoom.us/",
    "PrivacyUrl": "https://zoom.us/privacy",
    "PublisherSupportUrl": "https://support.zoom.us/",
    "PackageName": "Zoom - One Platform to Connect",
    "License": "https://zoom.us/terms",
    "Copyright": "(c) 2021, Zoom and the Zoom logo are trademarks of Zoom Video Communications, Inc.",
    "ShortDescription": "Zoom is for you. We're here to help you connect, communicate, and express your ideas so you can get more done together. We're proud to be trusted by millions of enterprises, small businesses, and individuals, just like you.",
    "Description": "Start or join a secure meeting with flawless video and audio, instant screen sharing, and cross-platform instant messaging - for free! \n\nIt's super easy! Install the free Zoom app, click on \"\"New Meeting,\"\" and invite up to 100 people to join you on video. Connect with anyone on Windows, Mac, mobile devices, Zoom Rooms, H.323/SIP room systems, and telephones.\n\nVIDEO MEETINGS FROM ANYWHERE\n-Best video meeting quality\n-Easily join a meeting or start an instant meeting with phone, email, or company contacts\n\nUNLIMITED MESSAGING (WITH PHOTOS, FILES, AND MORE)\n-Reach people instantly to easily send messages, files, images, links, and gifs\n-Quickly respond or react to threaded conversations with emojis\n-Create or join public and private chat channels\n\nMAKE, RECEIVE, AND MANAGE PHONE CALLS\n-Effortlessly make or receive calls with your business number\n-Get voicemail and call recording with transcripts\n-Use call delegation to make/receive calls on behalf of others\n-Setup auto-receptionists to autonomously answer and route calls\n\nZOOM LICENSE INFORMATION:\n-Any free or paid license can be used with the app\n-Zoom Phone is an add-on to paid Zoom licenses\n-A paid Zoom subscription is required for certain product features\n\nFollow us on social @zoom!\n\nHave a question? Contact us at http://support.zoom.us.",
    "Tags": [ "Video conferencing", "video meetings", "cloud meetings" ],
    "Agreements": [
      { "$type": "Microsoft.Marketplace.Storefront.StoreEdgeFD.BusinessLogic.Response.PackageManifest.AgreementDetail, StoreEdgeFD", "AgreementLabel": "Category", "Agreement": "Productivity" },
      { "$type": "Microsoft.Marketplace.Storefront.StoreEdgeFD.BusinessLogic.Response.PackageManifest.AgreementDetail, StoreEdgeFD", "AgreementLabel": "Pricing", "Agreement": "Freemium" },
      { "$type": "Microsoft.Marketplace.Storefront.StoreEdgeFD.BusinessLogic.Response.PackageManifest.AgreementDetail, StoreEdgeFD", "AgreementLabel": "Free Trial", "Agreement": "No" },
      { "$type": "Microsoft.Marketplace.Storefront.StoreEdgeFD.BusinessLogic.Response.PackageManifest.AgreementDetail, StoreEdgeFD", "AgreementLabel": "Terms of Transaction", "AgreementUrl": "https://aka.ms/microsoft-store-terms-of-transaction" },
      { "$type": "Microsoft.Marketplace.Storefront.StoreEdgeFD.BusinessLogic.Response.PackageManifest.AgreementDetail, StoreEdgeFD", "AgreementLabel": "Seizure Warning", "AgreementUrl": "https://aka.ms/microsoft-store-seizure-warning" },
      { "$type": "Microsoft.Marketplace.Storefront.StoreEdgeFD.BusinessLogic.Response.PackageManifest.AgreementDetail, StoreEdgeFD", "AgreementLabel": "Store License Terms", "AgreementUrl": "https://aka.ms/microsoft-store-license" } ] },
  "Locales": [],
  "Installers": [
    { "$type": "Microsoft.Marketplace.Storefront.StoreEdgeFD.BusinessLogic.Response.PackageManifest.SparkInstaller, StoreEdgeFD",
      "InstallerSha256": "a7e18ae75208b2db677039aef4e1beb03cf002f54d1d6f4946067d2947c9cf6d",
      "InstallerUrl": "https://sparkcdnwus2.azureedge.net/cachedpackages/8e376d36-34a3-46aa-93a1-e82709b19566_a7e18ae75208b2db677039aef4e1beb03cf002f54d1d6f4946067d2947c9cf6d",
      "InstallerLocale": "en", "MinimumOSVersion": "0.0.0.0",
      "InstallerSwitches": { "$type": "Microsoft.Marketplace.Storefront.StoreEdgeFD.BusinessLogic.Response.PackageManifest.InstallerSwitch, StoreEdgeFD" },
      "InstallerSuccessCodes": [ 0 ], "ExpectedReturnCodes": [], "Architecture": "x86", "InstallerType": "exe",
      "Markets": { "$type": "Microsoft.Marketplace.Storefront.StoreEdgeFD.BusinessLogic.Response.PackageManifest.Markets, StoreEdgeFD", "AllowedMarkets": [ "US" ] } },
    { "$type": "Microsoft.Marketplace.Storefront.StoreEdgeFD.BusinessLogic.Response.PackageManifest.SparkInstaller, StoreEdgeFD",
      "InstallerSha256": "97bc057dee083684ba09841bf262ed9082765ae3bd2c58b7fb99e470121bf86a",
      "InstallerUrl": "https://sparkcdnwus2.azureedge.net/cachedpackages/8e376d36-34a3-46aa-93a1-e82709b19566_97bc057dee083684ba09841bf262ed9082765ae3bd2c58b7fb99e470121bf86a",
      "InstallerLocale": "en", "MinimumOSVersion": "0.0.0.0",
      "InstallerSwitches": { "$type": "Microsoft.Marketplace.Storefront.StoreEdgeFD.BusinessLogic.Response.PackageManifest.InstallerSwitch, StoreEdgeFD" },
      "InstallerSuccessCodes": [ 0 ], "ExpectedReturnCodes": [], "Architecture": "x64", "InstallerType": "exe",
      "Markets": { "$type": "Microsoft.Marketplace.Storefront.StoreEdgeFD.BusinessLogic.Response.PackageManifest.Markets, StoreEdgeFD", "AllowedMarkets": [ "US" ] } },
    { "$type": "Microsoft.Marketplace.Storefront.StoreEdgeFD.BusinessLogic.Response.PackageManifest.SparkInstaller, StoreEdgeFD",
      "InstallerSha256": "9bb865b7d14b6db48a9d8ff4c2efc9015859bef6ac3709a834d41a353d99aec7",
      "InstallerUrl": "https://sparkcdnwus2.azureedge.net/cachedpackages/8e376d36-34a3-46aa-93a1-e82709b19566_9bb865b7d14b6db48a9d8ff4c2efc9015859bef6ac3709a834d41a353d99aec7",
      "InstallerLocale": "en", "MinimumOSVersion": "0.0.0.0",
      "InstallerSwitches": { "$type": "Microsoft.Marketplace.Storefront.StoreEdgeFD.BusinessLogic.Response.PackageManifest.InstallerSwitch, StoreEdgeFD" },
      "InstallerSuccessCodes": [ 0 ], "ExpectedReturnCodes": [], "Architecture": "arm64", "InstallerType": "exe",
      "Markets": { "$type": "Microsoft.Marketplace.Storefront.StoreEdgeFD.BusinessLogic.Response.PackageManifest.Markets, StoreEdgeFD", "AllowedMarkets": [ "US" ] } } ] } ] } }
```

```
PS C:\Windows\system32> winget install XP99J3KP4XZ4VV -s msstore
Found Zoom - One Platform to Connect [XP99J3KP4XZ4VV] Version Unknown
This application is licensed to you by its owner.
Microsoft is not responsible for, nor does it grant any licenses to, third-party packages.
| <Package agreements - Accepted>
Downloading https://sparkcdnwus2.azureedge.net/cachedpackages/8e376d36-34a3-46aa-93a1-e82709b19566_97bc057dee083684ba09841bf262ed9082765ae3bd2c58b7fb99e470121bf86a
  ██████████████████████████████  69.7 MB / 69.7 MB
Successfully verified installer hash
Starting package install...
Successfully installed

PS C:\Windows\system32> Get-ARPTable

DisplayName                   DisplayVersion Publisher                       ProductCode
-----------                   -------------- ---------                       -----------
Microsoft Edge                92.0.902.67    Microsoft Corporation           Microsoft Edge
Microsoft Edge Update         1.3.147.37                                     Microsoft Edge Update
Zoom                          5.15.7 (20303) Zoom Video Communications, Inc. ZoomUMX
```

Here is the log from winget upgrade --verbose - WinGet-2023-08-18-12-40-43.883.log

It's very odd that even though the AppsAndFeaturesEntries are specified, and are an exact match, it still isn't preventing the upgrade (regardless of the switch in source).

JohnMcPMS commented 1 year ago

Based on the manifests in winget-pkgs, the parenthetical may be some form of build number, but it isn't required to differentiate between two released versions. That is the good part.

The version comparison code explicitly orders an empty non-numeric portion of a version field higher than a non-empty one. That is to say 5.15.7 (20303) will be ordered lower than 5.15.7 because there is no non-numeric portion of the field after the 7. This is the bad part, and it was done explicitly to prevent cases where the non-numeric portion was a modifier (like a locale) from looking like upgrades to the base version (but that was a band-aid).

I think that the next investigation step is to see why the display version code didn't kick in here, although I'm probably not remembering something about the design of that.

One thing that we could do here with a code change is to treat parentheticals in versions as empty (i.e. 5.15.7 (20303) is equivalent to 5.15.7). That would require the winget-pkgs manifests to drop the 4th version field as well. We might have enough data to determine whether this is safe, but it would probably take some digging to get it.
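
Added example, not part of the thread and not winget's source: a simplified C++ model of the field ordering described in the comment above, together with the proposed parenthetical stripping. The names `Part`, `parse`, `compare` and `stripParentheticals` and the rule that a missing trailing field counts as 0 are assumptions; the model shows that stripping makes `5.15.7 (20303)` equal to `5.15.7` while it still orders below `5.15.7.20303`.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Simplified model (assumption, not winget's code): a field is leading digits plus trailing text.
struct Part { unsigned long long num = 0; std::string other; };
std::vector<Part> parse(const std::string& v) {
    std::vector<Part> parts;
    for (size_t pos = 0; pos <= v.size();) {
        size_t dot = std::min(v.find('.', pos), v.size());
        Part p; size_t i = pos;
        while (i < dot && std::isdigit(static_cast<unsigned char>(v[i])))
            p.num = p.num * 10 + (v[i++] - '0');
        p.other = v.substr(i, dot - i);   // e.g. " (20303)" after the 7
        parts.push_back(p);
        pos = dot + 1;
    }
    return parts;
}

// Returns -1, 0 or 1. Missing fields count as 0; empty text orders higher than non-empty.
int compare(const std::string& a, const std::string& b) {
    auto pa = parse(a), pb = parse(b);
    size_t n = std::max(pa.size(), pb.size()); pa.resize(n); pb.resize(n);
    for (size_t i = 0; i < n; ++i) {
        if (pa[i].num != pb[i].num) return pa[i].num < pb[i].num ? -1 : 1;
        if (pa[i].other == pb[i].other) continue;
        if (pa[i].other.empty() || pb[i].other.empty()) return pa[i].other.empty() ? 1 : -1;
        return pa[i].other < pb[i].other ? -1 : 1;
    }
    return 0;
}
// Proposed normalization: drop "(...)" groups, then trailing spaces.
std::string stripParentheticals(const std::string& v) {
    std::string out; int depth = 0;
    for (char c : v) {
        if (c == '(') ++depth;
        else if (c == ')' && depth > 0) --depth;
        else if (depth == 0) out += c;
    }
    while (!out.empty() && out.back() == ' ') out.pop_back();
    return out;
}

int main() {  // prints "-1 0 -1"
    const std::string arp = "5.15.7 (20303)", s = stripParentheticals(arp);
    std::cout << compare(arp, "5.15.7.20303") << ' ' << compare(s, "5.15.7") << ' '
              << compare(s, "5.15.7.20303") << '\n';
}
```

The last result is why the comment notes that the manifests would also have to drop the 4th version field.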

Trenly commented 1 year ago

> I think that the next investigation step is to see why the display version code didn't kick in here, although I'm probably not remembering something about the design of that.

Interestingly, when manually installing the exe outside of winget using the URL in the winget-pkgs manifest, the issue doesn't occur. However, I copied the download URL from the store API response and visited it in a browser. After downloading the package, I renamed it with the .exe extension - but the hash is different from any of the hashes in the winget manifests. Installing this exe manually does cause the issue, although the product code remains ZoomUMX, the ID does show as XP99J3KP4XZ4VV despite being installed from outside of winget.

I decided to dig a little deeper and inspected the contents of the exe files - both the renamed one from the msstore package and the one from the winget-pkgs URL. Each downloaded package contains two files - Installer.exe and ZoomFull_Sip.cab. Comparing the two, both installer files have the same hash and both cab files have the same hash. So why is the hash of the overall package different? It seems the version downloaded from the msstore has an extra 8 bytes which directly correlate to the automatic inclusion of the /silent switch when calling the embedded installer.exe.

So, I rebooted into a clean sandbox, downloaded the package using the URL in the winget-pkgs manifest, and then used 7-zip to extract the installer.exe and ZoomFull_Sip.cab into a new folder. I then double-clicked to run the installer.exe, and it ran without issue. I opened up PowerShell and ran winget upgrade; this did cause the issue described above. The ID showed as the msstore ID, but upgrade showed a version available from the winget source.

I'm not sure why the packaged installers seem to impact the end result of how Winget detects the packages - but it does, even though the AppsAndFeaturesEntries appear to be the same.


TL;DR -