Verify integrity of already installed resources

Open o-l-a-v opened this issue 1 year ago • 1 comments

Summary of the new feature / enhancement

Would be cool with the ability to verify the integrity of already installed resources, also if they aren't signed. As in, make sure no changes have been made to the <ModuleName>\<ModuleVersion> directory and all its content.

Proposed technical implementation details (optional)

Cmdlet:

  • On scope: Verify-PSResource -Name '<name>' -Version '<version>' -Scope '<AllUsers|CurrentUser>'
  • With path: Verify-PSResource -Path 'C:\some\path\<ModuleName>\<ModuleVersion>'

Options/logic:

  • Create some comparison logic that checks that all files are present (and no other files are added) with correct checksum?
  • If any file is changed, added or is missing, nuke the directory and install it fresh with a switch -Remediate.
  • If no PS info XML file is found, require parameter -Repository to be specified in the cmdlet.

o-l-a-v avatar Apr 29 '24 11:04 o-l-a-v

Just adding some thoughts I just had:

  • One could enumerate files inside the .nupkg file, which is a ZIP file, then verify checksum against installed files.
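     # Open the .nupkg (a ZIP archive) read-only; it is disposed below so the file is not left locked
     $Nupkg = [System.IO.Compression.ZipFile]::OpenRead(
         '{0}\Testin\microsoft.powershell.psresourceget.1.0.5.nupkg' -f [System.Environment]::GetFolderPath('Desktop')
     )
     try {
         # Skip directory entries, then list each file with its sizes, timestamp and stored CRC32
         $Nupkg.Entries.Where{
             -not $_.'FullName'.EndsWith('/')
         }.ForEach{
             [PSCustomObject]@{
                 'Name'             = [string] $_.'Name'
                 'FullName'         = [string] $_.'FullName'
                 'Length'           = [uint32] $_.'Length'
                 'CompressedLength' = [uint32] $_.'CompressedLength'
                 'LastWriteTime'    = [datetimeoffset] $_.'LastWriteTime'.ToLocalTime()
                 'CRC32'            = [string] '0x{0:X8}' -f $_.'Crc32'
             }
         }
     }
     finally {
         # Release the file handle even if enumeration fails
         $Nupkg.Dispose()
     }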
    
  • Keep .nupkg files of installed modules, or at least cache them for a while.
  • Integrity of the .nupkg file should be verifiable against resource repository.
    • PSGallery does not output checksum of the .nupkg file AFAIK.
      • Maybe PSResourceGet publish command could add checksum as a tag? sha256:<checksum>.
    • MAR outputs checksum as sha256 in property digest.
    • NuGet v3 includes sha512, but could not find it in pwsh.gallery.

o-l-a-v avatar Jul 29 '25 12:07 o-l-a-v
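
The comparison proposed in this thread, sketched as an added example (not code from the issue author or from PSResourceGet): hash every file in a cached .nupkg with SHA-256 and report installed files that are changed, added or missing. `Test-InstalledResource`, its parameters and the skip lists for packaging metadata and `PSGetModuleInfo.xml` are assumptions, as is the premise that archive entry names match the on-disk relative paths.

```powershell
# Added example, not PSResourceGet code. Test-InstalledResource is a hypothetical name.
Add-Type -AssemblyName System.IO.Compression.FileSystem   # needed on Windows PowerShell 5.1

function Test-InstalledResource {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $NupkgPath,     # cached package the resource was installed from
        [Parameter(Mandatory)] [string] $InstalledPath  # the <ModuleName>\<ModuleVersion> directory
    )
    # Assumption: NuGet packaging metadata in the archive is not copied to the install directory.
    $packagingOnly = '^(\[Content_Types\]\.xml$|_rels/|package/|[^/]+\.nuspec$)'
    # Assumption: this install-time metadata file is not part of the archive.
    $installOnly = 'PSGetModuleInfo.xml'

    $expected = @{}   # relative path -> SHA-256 of the packaged file
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $zip = [System.IO.Compression.ZipFile]::OpenRead((Resolve-Path -LiteralPath $NupkgPath).ProviderPath)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.FullName.EndsWith('/') -or $entry.FullName -match $packagingOnly) { continue }
            $stream = $entry.Open()
            try { $expected[$entry.FullName] = [BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-' }
            finally { $stream.Dispose() }
        }
    }
    finally { $zip.Dispose(); $sha.Dispose() }

    $root = (Resolve-Path -LiteralPath $InstalledPath).ProviderPath
    $seen = @{}
    foreach ($file in Get-ChildItem -LiteralPath $root -Recurse -File -Force) {
        # Normalise to the forward-slash relative form used by ZIP entry names
        $rel = $file.FullName.Substring($root.Length).TrimStart('\', '/').Replace('\', '/')
        if ($rel -eq $installOnly) { continue }
        $seen[$rel] = $true
        $status = 'Ok'
        if (-not $expected.ContainsKey($rel)) { $status = 'Added' }
        elseif ((Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash -ne $expected[$rel]) { $status = 'Changed' }
        [PSCustomObject]@{ Path = $rel; Status = $status }
    }
    # Packaged files that no longer exist on disk
    foreach ($rel in $expected.Keys) {
        if (-not $seen.ContainsKey($rel)) { [PSCustomObject]@{ Path = $rel; Status = 'Missing' } }
    }
}
```

The result is only as trustworthy as the .nupkg it compares against, so that file should itself be checked against a digest from the repository where one is published.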