
fleetd-base.msi can't be updated because the sha256 checksum is hardcoded in Fleet

Open roperzh opened this issue 1 year ago • 2 comments

Fleet version: 4.49.4


💥  Actual behavior

With #18194 we are able to ship updated fleetd-base.msi installers with each fleetd release; however, we had to roll back the changes because the sha256 checksum of the file is hardcoded in Fleet.

🧑‍💻  Steps to reproduce

See https://github.com/fleetdm/fleet/issues/19105

🕯️ More info (optional)

The checksum is hardcoded here:

https://github.com/fleetdm/fleet/blob/ae24e6e698a27bf39a7cc27a174e9a5cd92709a4/server/service/microsoft_mdm.go#L1352-L1355

Documentation about the CSP is here: https://learn.microsoft.com/en-us/windows/client-management/mdm/enterprisedesktopappmanagement-csp

The fix will need to be backward compatible so that older versions of Fleet don't break.

roperzh avatar May 21 '24 14:05 roperzh

@getvictor: We also have a race condition. The base-fleetd file may be updated after the SHA was sent/downloaded to the device. We need a solution. Maybe MDM can check if install happened. If not, resend the command?

@roperzh good catch, the challenge there is that the MDM protocol always returns an "OK" for software installs, and then tries to actually install the software asynchronously afterwards.

without osquery on the host, getting the installed software is a bit challenging (we currently don't have any way to "ingest" data using the MDM protocol, IF we can even get that data)

maybe some heuristic, like "if you're not osquery enrolled after 15 minutes we retry"

getvictor avatar May 21 '24 16:05 getvictor
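The issue body and the race-condition exchange above describe the same mechanism: the MSI install command sent through the EnterpriseDesktopAppManagement CSP carries a SHA-256 of fleetd-base.msi, and the device refuses the install if the downloaded file does not match. The Go program below is an added illustration, not Fleet's code: it derives the hash from the bytes that are actually served instead of a hardcoded literal, renders the MsiInstallJob payload (element names as given in the linked Microsoft CSP documentation; the uppercase-hex form of FileHash is an assumption to verify against that page), and shows the device-side check failing when the file is replaced after the command was sent. The `Manifest` type, the example URL and the all-zero product code are placeholders; the "MSI" payloads are constructed strings, not real installers.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
	"strings"
)

// Manifest is a hypothetical description of the installer the server serves.
// The checksum is computed from the served bytes, never written as a literal.
type Manifest struct {
	URL    string
	SHA256 string // lowercase hex digest of the served file
}

// NewManifest hashes the payload that will actually be served under url.
func NewManifest(url string, payload []byte) Manifest {
	sum := sha256.Sum256(payload)
	return Manifest{URL: url, SHA256: hex.EncodeToString(sum[:])}
}

// MsiInstallJob is the XML body of the CSP DownloadInstall Exec command.
// Element names follow the Microsoft EnterpriseDesktopAppManagement CSP docs;
// the nested structs map one-to-one onto that document tree.
type MsiInstallJob struct {
	XMLName xml.Name `xml:"MsiInstallJob"`
	ID      string   `xml:"id,attr"`
	Product struct {
		Version  string `xml:"Version,attr"`
		Download struct {
			ContentURLList struct {
				ContentURL string `xml:"ContentURL"`
			} `xml:"ContentURLList"`
		} `xml:"Download"`
		Validation struct {
			FileHash string `xml:"FileHash"`
		} `xml:"Validation"`
		Enforcement struct {
			CommandLine   string `xml:"CommandLine"`
			TimeOut       int    `xml:"TimeOut"`
			RetryCount    int    `xml:"RetryCount"`
			RetryInterval int    `xml:"RetryInterval"`
		} `xml:"Enforcement"`
	} `xml:"Product"`
}

// BuildInstallJob renders the job for productCode from the manifest. The hash
// is taken from the manifest at send time, so a newer MSI only needs a new
// manifest, not a code change. Uppercase hex is assumed for FileHash.
func BuildInstallJob(productCode string, m Manifest) (string, error) {
	if len(m.SHA256) != sha256.Size*2 {
		return "", errors.New("manifest checksum is not a SHA-256 hex digest")
	}
	if _, err := hex.DecodeString(m.SHA256); err != nil {
		return "", fmt.Errorf("manifest checksum is not hex: %w", err)
	}
	var job MsiInstallJob
	job.ID = productCode
	job.Product.Version = "1.0.0"
	job.Product.Download.ContentURLList.ContentURL = m.URL
	job.Product.Validation.FileHash = strings.ToUpper(m.SHA256)
	job.Product.Enforcement.CommandLine = "/quiet"
	job.Product.Enforcement.TimeOut = 5
	job.Product.Enforcement.RetryCount = 3
	job.Product.Enforcement.RetryInterval = 5
	out, err := xml.MarshalIndent(job, "", "  ")
	if err != nil {
		return "", err
	}
	return string(out), nil
}

// VerifyDownload is what the device-side validation amounts to: the hash in
// the job must match the bytes the device fetched. If the server replaced the
// file after the job was sent (the race noted above), this returns an error
// and the install does not happen, while the MDM command itself reported OK.
func VerifyDownload(m Manifest, downloaded []byte) error {
	sum := sha256.Sum256(downloaded)
	got := hex.EncodeToString(sum[:])
	if !strings.EqualFold(got, m.SHA256) {
		return fmt.Errorf("hash mismatch: job carries %s, downloaded file is %s", m.SHA256, got)
	}
	return nil
}

func main() {
	// Constructed stand-ins for two fleetd-base.msi builds, not real installers.
	v1 := []byte("constructed stand-in for fleetd-base.msi build 1")
	v2 := []byte("constructed stand-in for fleetd-base.msi build 2")

	m := NewManifest("https://download.example.test/fleetd-base.msi", v1) // placeholder URL
	job, err := BuildInstallJob("{00000000-0000-0000-0000-000000000000}", m) // placeholder product code
	if err != nil {
		panic(err)
	}
	fmt.Println(job)
	fmt.Println("device downloads build 1:", VerifyDownload(m, v1))
	// Race: the server swaps the file after the job was sent; the device fetches build 2.
	fmt.Println("device downloads build 2:", VerifyDownload(m, v2))
}
```

The last line of output is the race described in the thread: the job already carries the build-1 hash, the device fetches build 2, validation fails, and nothing on the MDM side reports it, which is why some retry heuristic or a fresh manifest-to-job rebuild before each send is needed.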

@roperzh As part of this effort, would you please include contributor docs explaining the manifest usage? Thanks!

lukeheath avatar May 21 '24 20:05 lukeheath

This is currently blocked by https://github.com/fleetdm/fleet/issues/19182, I left https://github.com/fleetdm/fleet/issues/19182#issuecomment-2153077228 outlining what we need.

roperzh avatar Jun 06 '24 17:06 roperzh

Unassigning myself from this as it can't currently be worked on.

roperzh avatar Jun 12 '24 16:06 roperzh

This is not blocked anymore, and it's ready to test. No special setup needed.

roperzh avatar Jul 05 '24 16:07 roperzh

Checked the logs after turning on MDM for macOS and Windows hosts and verified the versions of orbit and osquery are the latest. (Screenshot attached, 2024-07-07.)

I'll need to test this for Azure enrolled hosts once it makes it over to Dogfood.

PezHub avatar Jul 07 '24 21:07 PezHub

Updating fleet's core, Checksum adapts like leaves, Old versions endure.

fleet-release avatar Jul 17 '24 23:07 fleet-release