
Require checksums for HTTPS resources

Open ferventcoder opened this issue 9 years ago • 11 comments

With #112, we started requiring checksums for HTTP/FTP and provided an enabled feature to require checksums for HTTPS as well. If a checksum is missing in these scenarios, it would fail the package.

This switches the feature allowEmptyChecksumsSecure to disabled.

ferventcoder avatar Aug 07 '16 19:08 ferventcoder

Considering making this one an opt-in feature

ferventcoder avatar Aug 10 '16 13:08 ferventcoder

This is up for discussion, please feel free to weigh in here.

ferventcoder avatar Aug 11 '16 21:08 ferventcoder

:+1: A checksum provides positive factors outside of ensuring the source. Just because a connection is secure doesn't mean the source file is the right one. With Let's Encrypt (which I love), just about anyone can have HTTPS these days (which is a good thing).

  • Ensures corruption didn't happen during download
  • This also helps detect changes in sources that don't provide any kind of versioning in the package name (e.g., Amazon) and keep the same download path (e.g., Slack).

Just my two cents.

TheFynx avatar Aug 15 '16 14:08 TheFynx

@TheFynx thanks. One thing to consider is that you can turn it on now in 0.10.0 already. The feature is set to allow empty checksums for secure connections by default.

ferventcoder avatar Aug 15 '16 14:08 ferventcoder
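Turning the feature off as described above, and the integrity check that a required checksum adds on top of HTTPS, shown as an added PowerShell example; it is not Chocolatey's own code, and `Test-DownloadedFileChecksum` is a hypothetical helper written for this illustration.

```powershell
# Added example (not Chocolatey's own implementation). Disabling the feature
# makes a package that fetches an HTTPS resource without a declared checksum
# fail instead of installing.
choco feature list
choco feature disable --name="'allowEmptyChecksumsSecure'"

# Hypothetical helper illustrating what "require a checksum" buys: the hash is
# computed over the downloaded bytes, so it catches corruption on the server,
# corruption in transit, or a replaced file regardless of transport security.
function Test-DownloadedFileChecksum {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedChecksum,          # value the package declares
        [string] $ChecksumType = 'sha256'    # md5 | sha1 | sha256 | sha512
    )
    # The empty-checksum case is exactly what the feature toggle governs:
    # with the feature disabled, this is a hard failure, not a warning.
    if ([string]::IsNullOrWhiteSpace($ExpectedChecksum)) {
        Write-Error "No checksum declared for '$Path'; HTTPS alone is not an integrity check."
        return $false
    }
    $actual = (Get-FileHash -Path $Path -Algorithm $ChecksumType).Hash
    # Case-insensitive compare: package authors paste hashes in either case.
    if ($actual -ine $ExpectedChecksum) {
        Write-Error "Checksum mismatch for '$Path': expected $ExpectedChecksum, got $actual"
        return $false
    }
    return $true
}

# Constructed sample: hash a file, then simulate a silently changed download.
$sample = Join-Path $env:TEMP 'checksum-demo.bin'
Set-Content -Path $sample -Value 'installer bytes' -NoNewline
$declared = (Get-FileHash -Path $sample -Algorithm sha256).Hash
Test-DownloadedFileChecksum -Path $sample -ExpectedChecksum $declared   # True
Add-Content -Path $sample -Value 'x'   # same URL, different bytes
Test-DownloadedFileChecksum -Path $sample -ExpectedChecksum $declared   # False
Test-DownloadedFileChecksum -Path $sample -ExpectedChecksum ''          # False
```

In a real package the declared value goes in the `-Checksum` / `-ChecksumType` arguments of the install helper in chocolateyInstall.ps1, which is where the feature's check is applied.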

Going to hold on this one for a little while - I think the plan is to turn this on, but provide a little more time for folks to get their packages in order.

ferventcoder avatar Sep 01 '16 13:09 ferventcoder

I'm in agreement with @TheFynx on this one. This is one of the things I came here to mention, because I definitely think this should not be enabled by default. That is, it should not allow empty checksums just because the source is HTTPS by default. Just because a file is downloaded from an HTTPS site doesn't mean it couldn't be corrupted (either on the site or during the download) or replaced with a malicious version (if the site were compromised). HTTPS isn't a guarantee of a file's integrity; all it "guarantees" is that your connection to the file is secure.

vertigo220 avatar May 10 '18 04:05 vertigo220

@vertigo220 we don't disagree with you here, and this is something that will get turned on by default.

gep13 avatar May 10 '18 09:05 gep13

I'm confused, because you say it will get turned on by default, but I read that as the option to allow empty checksums for HTTPS will be enabled by default, which is the opposite of what I'm saying. Do you mean the need for checksums will be turned on by default?

vertigo220 avatar May 10 '18 18:05 vertigo220

@vertigo220 apologies for the confusion - what was meant is that allowEmptyChecksumsSecure will be disabled by default at some point. https://github.com/chocolatey/choco/wiki/ChocolateyConfiguration#security

ferventcoder avatar May 10 '18 18:05 ferventcoder

@vertigo220 for features, choco has the ability for us to switch a default for a newer edition, and if a user has not explicitly set the value, it will adjust automatically when the default changes.

ferventcoder avatar May 10 '18 18:05 ferventcoder

This will need a change to package-validator, to enforce this rule for all new package submissions as well:

https://gitlab.com/chocolatey/community-infrastructure/package-validator/-/issues/143

gep13 avatar Jan 17 '22 21:01 gep13