(chocolatey#89) Remove cpack shims on package upgrades
This commit updates the installation/upgrading of
the package to remove the cpack shims if they are
signed with the expected authenticode signature
thumbprint.

The thumbprint being checked against is the thumbprint
used in Chocolatey v0.12.1.

The code added makes it easy to extend it when needed
for removal of other shims as well.
AdmiringWorm committed Mar 14, 2022
1 parent ee6047a commit 2a9526f
Showing 1 changed file with 66 additions and 1 deletion.
67 changes: 66 additions & 1 deletion nuget/chocolatey/tools/chocolateysetup.psm1
Expand Up @@ -30,13 +30,56 @@ param (
}
}

function Remove-ShimWithAuthenticodeSignature {
param (
[string] $filePath
)
if (!(Test-Path $filePath)) {
return
}

$signature = Get-AuthenticodeSignature $filePath -ErrorAction SilentlyContinue

if (!$signature -or !$signature.SignerCertificate) {
Write-ChocolateyWarning "Shim found in $filePath, but was not signed. Ignoring removal..."
return
}

$possibleSignatures = @(
'RealDimensions Software, LLC'
'Chocolatey Software, Inc\.'
)

$possibleSignatures | ForEach-Object {
if ($signature.SignerCertificate.Subject -match "$_") {
Write-Output "Removing shim $filePath"
$null = Remove-Item "$filePath"

if (Test-Path "$filePath.ignore") {
$null = Remove-Item "$filePath.ignore"
}

if (Test-Path "$filePath.old") {
$null = Remove-Item "$filePath.old"
}
}
}

# This means the file was found, however did not get removed as it contained a authenticode signature that
# is not ours.
if (Test-Path $filePath) {
Write-ChocolateyWarning "Shim found in $filePath, but did not match our signature. Ignoring removal..."
return
}
}

function Initialize-Chocolatey {
<#
.DESCRIPTION
This will initialize the Chocolatey tool by
a) setting up the "chocolateyPath" (the location where all chocolatey nuget packages will be installed)
b) Installs chocolatey into the "chocolateyPath"
c) Instals .net 4.0 if needed
c) Installs .net 4.0 if needed
d) Adds Chocolatey to the PATH environment variable so you have access to the choco commands.
.PARAMETER ChocolateyPath
Allows you to override the default path of (C:\ProgramData\chocolatey\) by specifying a directory chocolatey will install nuget packages.
Expand Down Expand Up @@ -142,6 +185,28 @@ You may need to shut down and restart powershell and/or consoles
if (-not $allowInsecureRootInstall) {
Remove-OldChocolateyInstall $defaultChocolateyPathOld
}

$possiblePaths = @(
$chocolateyExePath
Join-Path "$chocolateyPath" "redirects"
Join-Path "$thisScriptFolder" "chocolateyInstall\redirects"
)

$shimsToRemove = @("cpack.exe")
$possiblePaths | ForEach-Object {
$path = $_
$shimsToRemove | ForEach-Object { Join-Path $path $_ } | Where-Object { Test-Path $_ } | ForEach-Object {
$path = $_
Write-Debug "Removing shim from '$path'."

try {
Remove-ShimWithAuthenticodeSignature -filePath $path
}
catch {
Write-ChocolateyWarning "Unable to remove '$path'. Please remove the file manually."
}
}
}
}

function Set-ChocolateyInstallFolder {
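Review bot: Remove-ShimWithAuthenticodeSignature treats a file as ours based only on `$signature.SignerCertificate.Subject -match "$_"`, and never checks `$signature.Status` or the certificate thumbprint that the commit description says is being compared. Get-AuthenticodeSignature populates SignerCertificate even when the signature does not validate (an untrusted or self-signed certificate, or a file changed after signing), so any cpack.exe whose certificate subject merely contains one of the two names passes this guard and is deleted. I would return early unless `$signature.Status -eq 'Valid'` and then compare the thumbprint against an explicit list, e.g. `$expectedThumbprints -contains $signature.SignerCertificate.Thumbprint`, with the list holding the v0.12.1 thumbprint the description refers to. Separately, the trailing `Test-Path $filePath` warning will also fire when `Remove-Item` fails with a non-terminating error (a locked file, typically), because the `catch` in Initialize-Chocolatey only sees terminating errors. Using `Remove-Item "$filePath" -ErrorAction Stop` would send that case to the "Unable to remove" warning instead of reporting a signature mismatch.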