Do not treat unknown checksum types as MD5 #932
Comments
And how do you propose we fix that older version?
More information - We can fix this going forward, but the message is already there in the older versions, where we would want the to be. But we can't put it in the older versions so they would need to upgrade to take advantage of that. A slight chicken and egg problem if you get where I'm going with this.
In retrospect, it was likely a bad idea not to bubble that up as a warning. And possibly to do that at all.
I guess it used to be worse -
This is representative of what those older clients are doing, not even a warning or a debug message.
In all fairness, at least the error message mentions the wrong type -
It's still wrong though, and we should handle it. As a workaround, I think we'll suggest folks take a dependency on at least the version of Chocolatey that is necessary to support the package. Although that may not fix the current install chain (until choco reloads during the current install chain when it is brought in as a dependency).
Yes, there is nothing we can do about the older versions, we can only prevent this from occurring in the future (in case a new hash algorithm gains popularity). I like the dependency on a minimum Chocolatey version. Perhaps it could be made an official moderation requirement and a check for it could even be implemented in the validator? The issue of choco upgrade not affecting the current install brings back memories: chocolatey-archive/chocolatey#460
@jberezanski with upgrade, all module files are reimported, but the rest of Chocolatey (exe parts) still runs under the old process during upgrade. This can lead to an undesired situation. For instance - if I called an install for something that needed 0.10.0, which has the new checksum requirement and it brought the module files along with it, the install will fail for something that takes a dependency but doesn't have checksums in it. Plus you can't pass The above situation is about impossible to expect it to ever pass, but I can imagine there may be a situation where one thing is required to be passed from the exe to the PowerShell modules that could fail spectacularly.
Agreed.
Let the checksum stay as whatever unrecognized version it is and throw an error when it is not a recognized type. Mention that the value may be supported in a newer version of Chocolatey.
* stable: (24 commits)
  - (GH-839) Switch to apply package parameters to dependent packages
  - (maint) formatting methods / parameters in calls
  - (GH-958) If SSLv3 in Posh v2 Fails, Use Original
  - (GH-746) Use HTTPS if available when HTTP url
  - (GH-957) Skip Get-WebFileName When FTP
  - (GH-948) Ensure passwords / keys are not logged
  - (GH-952) Get-ChocolateyWebFile enhancements
  - (doc) update generated docs
  - (maint) formatting
  - (docs) move GenerateDocs.ps1 / update
  - (GH-932) Do not set unknown checksum to 'md5'
  - (GH-719) Reset ServerCertificateValidationCallback
  - (GH-305) add MSP/MSU installer types
  - (GH-305) update exitcodes to long
  - (GH-954) Pending fails when lib does not exist
  - (GH-950) Install-ChocolateyPackage - UseOriginalLocation
  - (maint) formatting
  - (GH-922) Automatically determine checksum type
  - (maint) fixes for shimgen
  - (GH-948) Do not log sensitive arguments
  - ...
Currently, when a package passes a checksum type unknown to Chocolatey, Chocolatey treats it as MD5. This is suboptimal, as it leads to misleading error messages about checksum verification failures, such as here.
Upon encountering an unknown checksum type, Chocolatey should stop the installation with a clear error: "Checksum type '$checksumType' is unsupported. Please upgrade your Chocolatey client."
sha256/sha512 were added in 0.9.9.9 - #113
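The behaviour the issue asks for, as an added illustration (not Chocolatey's own code): an unrecognised checksum type stops the install with the proposed message instead of being silently verified as MD5. The function names, the known-type list and the length-based inference for an empty type are assumptions made for this example.

```powershell
# Added example, not Chocolatey's implementation. Hypothetical helper names.
$script:KnownChecksumTypes = @('md5', 'sha1', 'sha256', 'sha512')

function Resolve-ChecksumType {
    param([string]$ChecksumType, [string]$Checksum)

    # Old behaviour (the bug in this issue): anything not recognised fell
    # through to 'md5', so a 'sha512' package reported an MD5 mismatch.
    # New behaviour: only infer when no type was given at all, and reject
    # anything we do not know rather than guessing.
    if ([string]::IsNullOrWhiteSpace($ChecksumType)) {
        # Assumption for this example: infer from the hex digest length.
        switch ($Checksum.Trim().Length) {
            32  { return 'md5' }
            40  { return 'sha1' }
            64  { return 'sha256' }
            128 { return 'sha512' }
            default { throw "Cannot infer checksum type from a $($Checksum.Length)-character checksum." }
        }
    }

    $normalized = $ChecksumType.Trim().ToLowerInvariant()
    if ($script:KnownChecksumTypes -notcontains $normalized) {
        throw "Checksum type '$ChecksumType' is unsupported. Please upgrade your Chocolatey client."
    }
    return $normalized
}

function Test-FileChecksum {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Checksum,
        [string]$ChecksumType
    )
    $type = Resolve-ChecksumType -ChecksumType $ChecksumType -Checksum $Checksum
    # Get-FileHash (PowerShell 4+) accepts these algorithm names case-insensitively.
    $actual = (Get-FileHash -Path $Path -Algorithm $type).Hash
    if ($actual -ne $Checksum) {   # -ne compares case-insensitively in PowerShell
        throw "Checksum for '$Path' did not match: expected $type $Checksum, got $actual"
    }
    return $true
}

# Demo on a constructed file: the unsupported type now fails early and clearly.
$tmp = Join-Path $env:TEMP 'choco-checksum-demo.txt'
Set-Content -Path $tmp -Value 'hello' -NoNewline
try { Test-FileChecksum -Path $tmp -Checksum 'abc' -ChecksumType 'sha3-256' }
catch { Write-Host $_.Exception.Message }
```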