(chocolatey#89) Remove cpack shims on package upgrades
This commit updates the installation/upgrading of
the package to remove the cpack shims if they are
signed with an authenticode signature with
the subject set to one of our previously used
authenticode signatures.

The code added makes it easy to extend it when needed
for removal of other shims as well.
AdmiringWorm committed Mar 14, 2022
1 parent ee6047a commit e7aa2c7
Showing 1 changed file with 73 additions and 1 deletion.
74 changes: 73 additions & 1 deletion nuget/chocolatey/tools/chocolateysetup.psm1
Expand Up @@ -30,13 +30,77 @@ param (
}
}

function Remove-ShimWithAuthenticodeSignature {
param (
[string] $filePath
)
if (!(Test-Path $filePath)) {
return
}

$signature = Get-AuthenticodeSignature $filePath -ErrorAction SilentlyContinue

if (!$signature -or !$signature.SignerCertificate) {
Write-ChocolateyWarning "Shim found in $filePath, but was not signed. Ignoring removal..."
return
}

$possibleSignatures = @(
'RealDimensions Software, LLC'
'Chocolatey Software, Inc\.'
)

$possibleSignatures | ForEach-Object {
if ($signature.SignerCertificate.Subject -match "$_") {
Write-Output "Removing shim $filePath"
$null = Remove-Item "$filePath"

if (Test-Path "$filePath.ignore") {
$null = Remove-Item "$filePath.ignore"
}

if (Test-Path "$filePath.old") {
$null = Remove-Item "$filePath.old"
}
}
}

# This means the file was found, however did not get removed as it contained a authenticode signature that
# is not ours.
if (Test-Path $filePath) {
Write-ChocolateyWarning "Shim found in $filePath, but did not match our signature. Ignoring removal..."
return
}
}

function Remove-UnsupportedShimFiles {
param([string[]]$Paths)

$shims = @('cpack.exe')

$Paths | ForEach-Object {
$path = $_
$shims | ForEach-Object { Join-Path $path $_ } | Where-Object { Test-Path $_ } | ForEach-Object {
$path = $_
Write-Debug "Removing shim from '$path'."

try {
Remove-ShimWithAuthenticodeSignature -filePath $path
}
catch {
Write-ChocolateyWarning "Unable to remove '$path'. Please remove the file manually."
}
}
}
}

function Initialize-Chocolatey {
<#
.DESCRIPTION
This will initialize the Chocolatey tool by
a) setting up the "chocolateyPath" (the location where all chocolatey nuget packages will be installed)
b) Installs chocolatey into the "chocolateyPath"
c) Instals .net 4.0 if needed
c) Installs .net 4.0 if needed
d) Adds Chocolatey to the PATH environment variable so you have access to the choco commands.
.PARAMETER ChocolateyPath
Allows you to override the default path of (C:\ProgramData\chocolatey\) by specifying a directory chocolatey will install nuget packages.
Expand Down Expand Up @@ -107,6 +171,12 @@ Creating Chocolatey folders if they do not already exist.
Create-DirectoryIfNotExists $chocolateyExePath
Create-DirectoryIfNotExists $chocolateyLibPath

$possibleShimPaths = @(
Join-Path "$chocolateyPath" "redirects"
Join-Path "$thisScriptFolder" "chocolateyInstall\redirects"
)
Remove-UnsupportedShimFiles -Paths $possibleShimPaths

Install-ChocolateyFiles $chocolateyPath
Ensure-ChocolateyLibFiles $chocolateyLibPath

Expand Down Expand Up @@ -142,6 +212,8 @@ You may need to shut down and restart powershell and/or consoles
if (-not $allowInsecureRootInstall) {
Remove-OldChocolateyInstall $defaultChocolateyPathOld
}

Remove-UnsupportedShimFiles -Paths $chocolateyExePath
}

function Set-ChocolateyInstallFolder {
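Review bot: Remove-ShimWithAuthenticodeSignature gates the deletion on `$signature.SignerCertificate.Subject -match "$_"` alone and never reads `$signature.Status`, so the check is an unanchored substring match on the subject DN, not a verified signature. A certificate that does not chain to a trusted root, or a file altered after signing, still satisfies it as long as the subject contains one of the two names. The impact here is limited to deleting `cpack.exe` and its `.ignore`/`.old` siblings, but if the intent is "signed by us" the guard should also require `$signature.Status -eq 'Valid'`, or a comment should say that an invalid or untrusted signature is accepted on purpose. Separately, `Remove-Item "$filePath"` raises a non-terminating error by default, so unless `$ErrorActionPreference` is set to Stop outside these hunks, a failed delete bypasses the `catch` in Remove-UnsupportedShimFiles and ends at the misleading "did not match our signature" warning. `Remove-Item "$filePath" -ErrorAction Stop` would route that failure to the "Unable to remove" message instead.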