-
Notifications
You must be signed in to change notification settings - Fork 904
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Show remembered arguments for packages #1310
Comments
Thanks for filing - we just need some way of having folks opt into this, some arguments could contain sensitive data and we need to ensure that is not exposed. |
I understand. I am not sure how you can solve this. Maybe a second "remember-function". Like:
And an option to define with function should be default. |
An option to encrypt or not encrypt seems a reasonable solution to me. choco feature enable -n useRememberedArgumentsForUpgrades (Default=not encrypted) (That's already long to type!) |
This would be necessary to do something like this, to exactly replicate a chocolatey setup from one profile/computer to another. |
@jacktose - you could copy and paste that or save a lot of time and effort by using my package for that purpose :) (Which is why I have interest in this issue.) |
Has this issue been solved? I have
@ferventcoder I don't see no direct security concerns for hindering the export of remembered arguments. |
I also would appreciate the ability to show the arguments throug the security concerns raised in this issues are kind of moot when NugetEncryptionUtility uses the machine key for encrypting the arguments. anyone on the local computer who can read
|
@heldchen Thank you for the valuable input. Me too, would appreciate the ability to show the arguments through @ferventcoder the way to opt in with Conclusion (edited): administrators should be aware that in the current open source version the encryption does not protect their remembered installation secrets therefore they should set up access control to prevents users from reading them. See bcurran3/ChocolateyPackages#7 too. |
@stippingerm @heldchen That ability to unencrypt knowing a few bits is exactly why we're adding double encryption in C4B so that someone would not be able to decrypt the data at rest. |
Updated that last statement for clarification. |
so in other words, Chocolatey in the open source version could easily add a parameter to show the arguments, without any of the aforementioned concerns raised. personally, I doubt that this feature is relevant in a organizational use case anyway, as one expects things as "parameters used" to be documented in such a setting anyway. |
@heldchen fair statement |
I don't think there was argument that this feature was not valuable. There are loads of valuable feature adds in our backlog here (lots of tickets), being a year or more old doesn't mean we don't plan to address. Typically if we have a milestone on something, it's considered in our backlog. |
Maybe there doesn't need further motivation on why this is useful, but here's mine: Backing up installed packages, which are then exported and installed on a fresh computer with the same optional parameters. |
Another motivation: in trying to make And in order not to break the ability to upgrade with |
Here's a PowerShell one-liner based on @heldchen's solution Add-Type -AssemblyName System.Security
Get-ChildItem -Filter ".arguments" -Path "C:\ProgramData\chocolatey\.chocolatey" -Recurse | ForEach-Object { Write-Output ("{0}: {1}" -f $_.Directory.BaseName, [System.Text.Encoding]::UTF8.GetString([System.Security.Cryptography.ProtectedData]::Unprotect([System.Convert]::FromBase64String(($_ | Get-Content -Encoding UTF8)), [System.Text.Encoding]::UTF8.GetBytes("Chocolatey"), [System.Security.Cryptography.DataProtectionScope]::LocalMachine))) } |
This is especially important when one wants to find out, which packages were installed with |
This adds the listing of remembered arguments to the list/info commands It only grabs the arguments when --local-only is specified, then decrypts and outputs them. Requires --verbose to be listed on the command line.
This adds the listing of remembered arguments to the list/info commands It only grabs the arguments when --local-only is specified, then decrypts and outputs them. Requires --verbose to be listed on the command line.
Adds the ability for implementations of uninstall_run to reset the config in ChocolateyPackageService via the resetConfigAction. This will be required to prevent an issue similar to chocolatey#1443 for uninstall, once useRememberedArgumentsForUninstall is added in.
This renames the set_package_config_for_upgrade to a more generic name, and adds in another parameter to prepare for setting remembered args for uninstall as well as upgrade
This adds the listing of remembered arguments to the list/info commands It only grabs the arguments when --local-only is specified, then decrypts and outputs them. Requires --verbose to be listed on the command line.
This adds the listing of remembered arguments to the list/info commands It only grabs the arguments when --local-only is specified, then decrypts and outputs them. Requires --verbose to be listed on the command line.
This adds the listing of remembered arguments to the list/info commands It only grabs the arguments when --local-only is specified, then decrypts and outputs them. Requires --verbose to be listed on the command line.
This adds the listing of remembered arguments to the list/info commands It only grabs the arguments when --local-only is specified, then decrypts and outputs them. Requires --verbose to be listed on the command line.
This adds the listing of remembered arguments to the list/info commands It only grabs the arguments when --local-only is specified, then decrypts and outputs them. Requires --verbose to be listed on the command line.
This adds the listing of remembered arguments to the list/info commands It only grabs the arguments when --local-only is specified, then decrypts and outputs them. Requires --verbose to be listed on the command line.
This adds the listing of remembered arguments to the list/info commands It only grabs the arguments when --local-only is specified, then decrypts and outputs them. Requires --verbose to be listed on the command line.
This adds the listing of remembered arguments to the list/info commands It only grabs the arguments when --local-only is specified, then decrypts and outputs them. Requires --verbose to be listed on the command line.
This adds the listing of remembered arguments to the list/info commands It only grabs the arguments when --local-only is specified, then decrypts and outputs them. Requires --verbose to be listed on the command line.
This adds the listing of remembered arguments to the list/info commands It only grabs the arguments when --local-only is specified, then decrypts and outputs them. Requires --verbose to be listed on the command line.
This commit makes sure that no potentially sensitive arguments are displayed to the end user. This makes use of the same code that is currently being used in Chocolatey GUI, for providing the same function. Now that this code exists in Chocolatey CLI, at some point in the future, Chocolatey GUI can be updated to use it, rather than maintaining the code in two places. This new code makes use of the existing SensitiveArgumentsProvided method to establish whether the argument is deemed as sensitive, and if it is, "[REDACTED ARGUMENT]" is output, rather than the value itself. This new function has been created as a static method, so that it can be used easily in the Chocolatey GUI codebase.
nice, thanks everyone involved in getting this feature added! |
Remembered arguments can now be displayed when running the choco info command, using the --local-only option. This commit adds a test to verify that this is correctly shown.
Remembered arguments can now be displayed when running the choco info command, using the --local-only option. This commit adds a test to verify that this is correctly shown.
Remembered arguments can now be displayed when running the choco info command, using the --local-only option. This commit adds a test to verify that this is correctly shown.
Remembered arguments can now be displayed when running the choco info command, using the --local-only option. This commit adds a test to verify that this is correctly shown.
Remembered arguments can now be displayed when running the choco info command, using the --local-only option. This commit adds a test to verify that this is correctly shown.
* release/2.3.0: (153 commits) (#23) Move call to SetRemotePackageNamesIfAllSpecified (#1901) Revert commit to display location (maint) Update Authenticode Signature (tests) Some minor tweaks for test consistency (#310) Set-EnvironmentVariable: delete values properly (tests) Remove v2 import tests (#310) Fix test issues (#310) Fixup v2 compatibility (tests) Working on tests during pairing session (#2050) Add Pester test for --ignore-pinned option (#3381) Add Pester tests for rule command (#1144) Add Pester test to cover hash validation (#72) Add Pester tests to cover new functionality (test) Update assertions for push commands (#1310) Add Pester test to validate output (#23) Add tests to handle install all (#2200) Add test for new enhanced exit code (#1764) Add test for new enhanced exit code (#1760) Add test for new enhanced exit code (#1759) Add test for new enhanced exit code ...
🎉 This issue has been resolved in version 2.3.0 🎉 The release is available on: Your GitReleaseManager bot 📦 🚀 |
* master: (37 commits) (#310) Fix path to chocolatey.lib files (maint) Corrected casing of file (#23) Move call to SetRemotePackageNamesIfAllSpecified (#1901) Revert commit to display location (maint) Update Authenticode Signature (tests) Some minor tweaks for test consistency (#310) Set-EnvironmentVariable: delete values properly (tests) Remove v2 import tests (#310) Fix test issues (#310) Fixup v2 compatibility (tests) Working on tests during pairing session (#2050) Add Pester test for --ignore-pinned option (#3381) Add Pester tests for rule command (#1144) Add Pester test to cover hash validation (#72) Add Pester tests to cover new functionality (test) Update assertions for push commands (#1310) Add Pester test to validate output (#23) Add tests to handle install all (#2200) Add test for new enhanced exit code (#1764) Add test for new enhanced exit code ...
Like @ivanatpr posted here (#797), there should be a way to see wich arguments are remembered by choco.
The text was updated successfully, but these errors were encountered: