VM-Packages
Ignore Checksum for Signature Validated Files
This attempts to fix https://github.com/mandiant/VM-Packages/issues/1004
Issue and explanation copied here:
For some reason, it seems that when we don't pass in a checksum for certain choco functions, chocolatey automatically attempts to validate the checksum of the newly downloaded file against the checksum of the previous package stored in the cache in our sources.
Because we don't want to force all packages to ignore checksums, we can add `$env:ChocolateyIgnoreChecksums = $true` to the top of the code (inside the try-catch) and this will act as if we set `--ignore-checksums` for this specific package, allowing it to install correctly.
EDIT: This seems to not get pushed through unless we remove the current choco package in our myget cache.
Hmmm. It seems that our `test_upload` uses the `test_install.ps1` script, which only does a forced upgrade rather than a forced install, which leads to the package not actually attempting to install the updated package?
This first screenshot is the old package installing with failure locally:
Then here is the attempt with the update, using the `test_install.ps1` script, which still fails:
But, if I pack it manually and force an install with `choco install "regcool.vm" --source="C:\Users\Emtuls\FlareVM\VM-Packages\packages\regcool.vm" -y --force`, then it works just fine:
@emtuls
> For some reason, it seems that when we don't pass in a checksum for certain choco functions, chocolatey automatically attempts to validate the checksum of the newly downloaded file against the checksum of the previous package stored in the cache in our sources.
I have checked the Chocolatey code and this is not the case. As explained in https://github.com/mandiant/VM-Packages/issues/1004#issuecomment-2124413300, the problem with `regcool.vm` is that we decreased the package version without deleting the older versions from MyGet. The issue is fixed now.
But I do like some of the ideas in this PR, like checking or at least rendering who is signing the package. I think we should discuss what part of this implementation we want to keep and adapt the other packages using signature validated files as well.
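The two ideas discussed above, the per-package `$env:ChocolateyIgnoreChecksums = $true` inside the try-catch from the PR description and the "check or at least render who is signing the package" point from the reply, fit together in a `chocolateyinstall.ps1`. The script below is an added illustration written for this page; it is not the PR's own code nor a VM-Packages helper. The download URL, the installer file name, the silent-install switch and the expected signer subject are placeholders (assumptions); only the package name `regcool.vm` comes from the thread. It uses the standard Chocolatey helpers `Get-ChocolateyWebFile` and `Install-ChocolateyInstallPackage` and the PowerShell cmdlet `Get-AuthenticodeSignature`:

```powershell
# Added example (not from the VM-Packages PR): opt one package out of checksum
# validation, then compensate by validating the Authenticode signature of the
# downloaded installer and pinning the signer before running it.
$ErrorActionPreference = 'Stop'

$packageName    = 'regcool.vm'                                  # package name from the thread
$url            = 'https://example.invalid/RegCool-setup.exe'   # placeholder URL (assumption)
$expectedSigner = 'CN=Example Publisher, O=Example, C=US'       # placeholder subject (assumption)
$silentArgs     = '/S'                                          # placeholder silent switch (assumption)
$toolsDir       = Split-Path -Parent $MyInvocation.MyCommand.Definition
$installerPath  = Join-Path $toolsDir 'RegCool-setup.exe'

try {
    # Scoped equivalent of `choco install --ignore-checksums`: only this
    # package's helpers see the variable, the global feature is untouched.
    $env:ChocolateyIgnoreChecksums = $true

    # No -Checksum / -ChecksumType is passed; the variable above keeps the
    # helper from failing for the missing checksum.
    Get-ChocolateyWebFile -PackageName $packageName -FileFullPath $installerPath -Url $url

    # Skipping the checksum removes one integrity control, so require a valid
    # Authenticode signature and log the signer before anything is executed.
    $sig = Get-AuthenticodeSignature -FilePath $installerPath
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed for ${installerPath}: $($sig.Status) ($($sig.StatusMessage))"
    }
    $subject = $sig.SignerCertificate.Subject
    Write-Host "$packageName installer is signed by: $subject"

    # Pin the signer so a validly signed file from a different publisher
    # (for example after a download mirror change) is still rejected.
    if ($subject -ne $expectedSigner) {
        throw "Unexpected signer for ${packageName}: $subject (expected $expectedSigner)"
    }

    Install-ChocolateyInstallPackage -PackageName $packageName `
                                     -FileType 'exe' `
                                     -SilentArgs $silentArgs `
                                     -File $installerPath `
                                     -ValidExitCodes @(0)
} catch {
    Write-Error "Installation of $packageName failed: $_"
    throw
}
```

Assigning `$true` to the environment variable stores the string `True`, which is what Chocolatey's helpers compare against, as the PR description relies on. The signer comparison is deliberately an exact match on the certificate subject; logging the subject alone (the "at least rendering" option from the reply) is the weaker variant, since it records but does not block a valid signature from an unexpected publisher.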