search

microsoft / winget-cli

WinGet is the Windows Package Manager. This project includes a CLI (Command Line Interface), PowerShell modules, and a COM (Component Object Model) API (Application Programming Interface).
https://learn.microsoft.com/windows/package-manager/
MIT License
22.5k stars 1.39k forks source link

Cannot remove winget source without admin rights #4562

Closed masterflitzer closed 1 week ago

masterflitzer commented 1 week ago

Brief description of your issue

i'm on a corporate windows machine and have no admin rights, microsoft store is blocked and i cannot/am not allowed to agree to msstore package agreement

i want to install some apps from winget, but whenever winget finds something from msstore it fails, this results in always having to use -s winget for search and install subcommands

the issue is that it's currently not possible to remove a winget source such as msstore without admin rights

Steps to reproduce

winget source list # shows msstore and winget on fresh install
winget install python # fails because msstore package agreement was not agreed to
# Package agreements were not agreed to. Operation cancelled.
winget source remove msstore # fails because no admin rights
# This command requires administrator privileges to execute.

Expected behavior

removing winget source for the current user should be possible without admin rights, winget sources should be per user and not system wide

Actual behavior

currently not possible without admin rights

Environment

Windows Package Manager v1.7.11261
Copyright (c) Microsoft Corporation. All rights reserved.

Windows: Windows.Desktop v10.0.22631.3593
System Architecture: X64
Package: Microsoft.DesktopAppInstaller v1.22.11261.0

Winget Directories
-------------------------------------------------------------------------------------------------------------------------------
Logs                               %LOCALAPPDATA%\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\DiagOutputDir
User Settings                      %LOCALAPPDATA%\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\settings.json
Portable Links Directory (User)    %LOCALAPPDATA%\Microsoft\WinGet\Links
Portable Links Directory (Machine) C:\Program Files\WinGet\Links
Portable Package Root (User)       %LOCALAPPDATA%\Microsoft\WinGet\Packages
Portable Package Root              C:\Program Files\WinGet\Packages
Portable Package Root (x86)        C:\Program Files (x86)\WinGet\Packages
Installer Downloads                %USERPROFILE%\Downloads

Links
---------------------------------------------------------------------------
Privacy Statement   https://aka.ms/winget-privacy
License Agreement   https://aka.ms/winget-license
Third Party Notices https://aka.ms/winget-3rdPartyNotice
Homepage            https://aka.ms/winget
Windows Store Terms https://www.microsoft.com/en-us/storedocs/terms-of-sale

Group Policy                                        State
------------------------------------------------------------
Enable Windows Package Manager                      Enabled
Enable Windows App Installer Experimental Features  Disabled
Enable Windows App Installer Hash Override          Disabled
Enable Windows App Installer Default Source         Enabled
Enable Windows App Installer Microsoft Store Source Enabled

Admin Setting                             State
--------------------------------------------------
LocalManifestFiles                        Disabled
BypassCertificatePinningForMicrosoftStore Disabled
InstallerHashOverride                     Disabled
LocalArchiveMalwareScanOverride           Disabled
github-actions[bot] commented 1 week ago

Hi I'm an AI powered bot that finds similar issues based off the issue title.

Please view the issues below to see if they solve your problem, and if the issue describes your problem please consider closing this one and thumbs upping the other issue to help us prioritize it. Thank you!

Open similar issues:

Note: You can give me feedback by thumbs upping or thumbs downing this comment.

denelon commented 1 week ago

Modifying WinGet sources requires administrator on the device.

IT organizations can disable the "msstore" source using Group Policy which effectively removes it from the search path.

Based on what I see in the output from winget --info the policy for the Microsoft Store Source is Enabled. With that policy enabled, I believe agreeing to the source policy should not be required on the individual device as the organization is accepting the agreement on behalf of the user.

Can you share output requesting source or package level agreements for something from the "msstore" source? Verbose logs would also help. You can append "--verbose-logs --logs" to enable verbose logging and open the directory where the logs are contained.

masterflitzer commented 1 week ago

afaik my company doesn't have a policy regarding winget configured at all

image

WinGet-2024-06-18-18-16-15.326.log

Selected installer InstallerType: msstore

this is the problem, if i could just disable/remove the source as user (without admin) there would be no problem

florelis commented 1 week ago

From the logs you shared:

2024-06-18 18:16:16.349 [CLI ] Source agreements satisfied. Source: msstore
...
2024-06-18 18:16:17.772 [CLI ] Prompting to accept package agreements
2024-06-18 18:16:17.772 [CLI ] Skipping prompt. Interactivity is disabled in settings.
2024-06-18 18:16:17.772 [CLI ] Package agreements were not agreed to.

So the source agreements are not an issue, but the package agreements are. You can accept them by passing the --accept-package-agreements flag. Normally you would get an interactive prompt when agreements are required, but you have that disabled in the settings.

If you want to install from the winget source without having to add -s winget, an alternative is to use the exact ID for Python so that there is no ambiguity. For example, Python.Python.3.13 instead of just python

masterflitzer commented 1 week ago

i didn't know there are 2 kinds of agreements in winget, but still i'm confused why do i have to agree to something when winget picks msstore source, but not when it picks winget source? when we use the analogy of the microsoft store gui, if i would click install it wouldn't prompt me to agree to something

also where can i inspect the package agreement i'm supposed to agree to? in my screenshot above i only see a link to an open source license of python (why would i need to explicitly agree to that through winget, i can download it with brew or apt without any prompts) and terms of transaction, seizure warning and store license terms, none of the 3 seem to be package specific

i know that i can provide the exact winget id (or even specify --id), but the point of this is not that i am unable to install it, but the usability is significantly worse, compare winget install python with winget install -s winget --accept-package-agreements --id Python.Python.3.11, it's a little exaggerated because i don't need all of these options in this case, but on the other hand i don't know them beforehand, so in the end i have to make myself some kind of wrapper script or need to invest more time with multiple commands because i need to do a search before etc., also after looking up the available settings for winget (settings.json), there is no option to prefer a source (winget over msstore) or always agree to package agreements, please correct me if i'm wrong

florelis commented 1 week ago

I believe in this case the agreements are the MS Store Terms of Transaction and License Terms. If you think of the GUI, you are agreeing to them when you click on Install. Since this is specific to the MS Store, you don't see it with the winget source. I don't know why the Store has those as package agreements and not source agreements, though. (Speculating: maybe a legal requirement to show the terms at the time of installation?)

In the winget source some packages may have agreements in the future, but that will depend on each package publisher.

winget install -s winget --accept-package-agreements --id Python.Python.3.11

You can do just winget install Python.Python.3.11, although that is still a bit longer than winget install python

there is no option to prefer a source (winget over msstore) or always agree to package agreements, please correct me if i'm wrong

Correct

masterflitzer commented 1 week ago

maybe a legal requirement to show the terms at the time of installation

well on all the corporate machines Microsoft Store App is blocked (if you open it it says the app is blocked by admin), so i shouldn't download anything from there anyway

this brings me back to the initial point, why is admin required to execute winget source remove msstore?

allowing users to choose their sources is a good thing no? i mean i could go to python website and download & install it manually as long as it doesn't require admin, in this case the source would be a website, how is it differently or more dangerous to add/remove a source in winget? it seems to me that winget imposes an artificial barrier that is unnecessary upon it's user, why not add the sources to the settings.json to be edited by user (for user scoped installs)?

is there room for consideration to improve this usability wise or is this a dead end and i have to bite the bullet in the future?

florelis commented 1 week ago

why is admin required to execute winget source remove msstore? is there room for consideration to improve this usability wise or is this a dead end and i have to bite the bullet in the future?

Adding a source can be dangerous because it could make it so that winget install python actually downloads and installs from https://evil.example.com/evil.exe. So you need admin to do it.

I don't know the argument to have removing a source require admin. @denelon ? But if we were to allow it, it would allow you to shoot yourself in the foot by removing a source that you cannot add back, which isn't great.

Although in your case it wouldn't matter because you have a Group Policy set to always enable the msstore source, and that overrides manual deletion. You can see it in the winget --info you shared at the top: Enable Windows App Installer Microsoft Store Source Enabled

masterflitzer commented 1 week ago

Adding a source can be dangerous because it could make it so that actually downloads and installs from it would allow you to shoot yourself in the foot by removing a source that you cannot add back

ok now i understand, thanks for taking the time to explain

Although in your case it wouldn't matter because you have a Group Policy set

i totally missed that, what a bummer, our it department seems to be a little clueless, because it enforces that i download from msstore using winget, but then blocks the msstore app and advises us to not install store apps...

anyway i will need to contact them and hope they can sort this out, i think this can be closed