From 2a9526f79a0fa75e8257bee7cf521d9b630b5a3e Mon Sep 17 00:00:00 2001 From: AdmiringWorm Date: Fri, 11 Mar 2022 11:57:34 +0100 Subject: [PATCH] (#89) Remove cpack shims on package upgrades This commit updates the installation/upgrading of the package to remove the cpack shims if they are signed with the expected authenticode signature thumbprint. The thumbprint being checked against is the thumbprint used in Chocolatey v0.12.1. The code added makes it easy to extend it when needed for removal of other shims as well. --- nuget/chocolatey/tools/chocolateysetup.psm1 | 67 ++++++++++++++++++++- 1 file changed, 66 insertions(+), 1 deletion(-) diff --git a/nuget/chocolatey/tools/chocolateysetup.psm1 b/nuget/chocolatey/tools/chocolateysetup.psm1 index 581671bb59..cc68f23f82 100644 --- a/nuget/chocolatey/tools/chocolateysetup.psm1 +++ b/nuget/chocolatey/tools/chocolateysetup.psm1 
@@ -30,13 +30,56 @@ param ( } } +function Remove-ShimWithAuthenticodeSignature { + param ( + [string] $filePath + ) + if (!(Test-Path $filePath)) { + return + } + + $signature = Get-AuthenticodeSignature $filePath -ErrorAction SilentlyContinue + + if (!$signature -or !$signature.SignerCertificate) { + Write-ChocolateyWarning "Shim found in $filePath, but was not signed. Ignoring removal..." + return + } + + $possibleSignatures = @( + 'RealDimensions Software, LLC' + 'Chocolatey Software, Inc\.' + ) + + $possibleSignatures | ForEach-Object { + if ($signature.SignerCertificate.Subject -match "$_") { + Write-Output "Removing shim $filePath" + $null = Remove-Item "$filePath" + + if (Test-Path "$filePath.ignore") { + $null = Remove-Item "$filePath.ignore" + } + + if (Test-Path "$filePath.old") { + $null = Remove-Item "$filePath.old" + } + } + } + + # This means the file was found, however did not get removed as it contained a authenticode signature that + # is not ours. + if (Test-Path $filePath) { + Write-ChocolateyWarning "Shim found in $filePath, but did not match our signature. Ignoring removal..." + return + } +} + function Initialize-Chocolatey { <# .DESCRIPTION This will initialize the Chocolatey tool by a) setting up the "chocolateyPath" (the location where all chocolatey nuget packages will be installed) b) Installs chocolatey into the "chocolateyPath" - c) Instals .net 4.0 if needed + c) Installs .net 4.0 if needed d) Adds Chocolatey to the PATH environment variable so you have access to the choco commands. .PARAMETER ChocolateyPath Allows you to override the default path of (C:\ProgramData\chocolatey\) by specifying a directory chocolatey will install nuget packages. 
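Review bot: In Remove-ShimWithAuthenticodeSignature the ownership test is an unanchored regex on `$signature.SignerCertificate.Subject`, while the commit message describes a thumbprint check, and `$signature.Status` is never read. A file whose signature no longer verifies, or whose certificate merely contains one of the two names somewhere in its subject, would therefore pass the test and be deleted. I would return early when `$signature.Status -ne 'Valid'` and compare `$signature.SignerCertificate.Thumbprint` with `-in` against a list of the expected thumbprints (the values are not shown on this page), or at least match the subject's `CN=` exactly. Separately, `Remove-Item` errors are non-terminating by default, so a failed delete falls through to the "did not match our signature" warning; adding `-ErrorAction Stop` to the three `Remove-Item` calls would report the real cause to the caller.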
@@ -142,6 +185,28 @@ You may need to shut down and restart powershell and/or consoles if (-not $allowInsecureRootInstall) { Remove-OldChocolateyInstall $defaultChocolateyPathOld } + + $possiblePaths = @( + $chocolateyExePath + Join-Path "$chocolateyPath" "redirects" + Join-Path "$thisScriptFolder" "chocolateyInstall\redirects" + ) + + $shimsToRemove = @("cpack.exe") + $possiblePaths | ForEach-Object { + $path = $_ + $shimsToRemove | ForEach-Object { Join-Path $path $_ } | Where-Object { Test-Path $_ } | ForEach-Object { + $path = $_ + Write-Debug "Removing shim from '$path'." + + try { + Remove-ShimWithAuthenticodeSignature -filePath $path + } + catch { + Write-ChocolateyWarning "Unable to remove '$path'. Please remove the file manually." + } + } + } } function Set-ChocolateyInstallFolder {
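Review bot: The inner `$path = $_` overwrites the directory held in the outer `$path`, because ForEach-Object script blocks run in the caller's scope; once `$shimsToRemove` holds a second name and the first shim exists, the next `Join-Path $path $_` is built on a file path instead of the directory. Using a separate name, e.g. `$shimPath = $_` with `-filePath $shimPath`, keeps the list extensible as the description intends. The `catch` here also fires only on terminating errors, and the `Remove-Item` calls in Remove-ShimWithAuthenticodeSignature carry no `-ErrorAction Stop`, so unless `$ErrorActionPreference` is set to Stop outside this hunk the "Please remove the file manually" warning is unlikely to be reached. Initialize-Chocolatey starts and ends outside this hunk.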