Verify the checksum of a package before installation, and fail if not matched #1144
Comments
|
It already does this. |
|
But I get what you mean. Ensuring that the package coming down has an external verification that you can run client side. I like it. |
You wouldn't need to specify the type. That is determinable based on the value passed through and it's length. |
Sorry, what I meant there is that NuGet.Core already gets an expected package checksum and then verifies it received that same size automatically. Which isn't the same as this request. |
|
@donbecker Recently I reviewed how packagehash was being used locally, and it doesn't appear that is it being used for verifying what was received was what was thought to be received (instead it appears to be only used for checking that a cached version of the package is the same as the remote to choose to redownload the file or not). I think this issue stands then as something that should be addressed. |
|
This could play right into authenticode signatures we are looking at implementing as well. |
|
@ferventcoder Sounds great. I still think this would be a great feature for Chocolatey to have regarding integrity of packages. |
|
After the nuget library uplift, this should be able to be implemented for free as a side effect of implementing validating code signatures on packages, #504 |
This adds a check to both install and upgrade to validate that the downloaded .nupkg file has the same hash as the source metadata. The check is conducted before the package is installed. If the source does not provide a sha512 checksum or if usePackageHashValidation is disabled, then the check is skipped. Only sha512 is supported because it is the only provided package hash type after download. The provided hash is used because it accounts for package signing correctly.
|
I'd like to add on to the OP's comments here. There is a valid use case for this even with internal repositories. Particularly when you have systems that span trust boundaries (where you have some environments with higher or lower classification levels) and you don't want to duplicate infrastructure throughout each environment. In @TheCakeIsNaOH 's comments, you should "trust the infrastructure"--that's not entirely something that is true. Supply chain compromise, even internally, can be a risk in highly secure environments. Utilizing package checksums on the package download provides a really simple way for a critical system to trust packages retrieved from a system seen as less critical, often times because it could be run by an entirely different org within your company. I could, for example, deploy execution commands on more secure systems that downloads packages from say, a company's singular internal repository for all things repo downloads (think: Artifactory) while simultaneously guaranteeing, that no matter what, under any circumstance, under any compromise of that system, that my higher privileged environments won't execute code from a malicious package by simply providing a command line hash validation argument on the entire nupkg. Now, an attacker would have to both compromise the target system to modify the integrity check while simultaneously modifying the package--which renders utilizing the package as a privilege escalation or lateral movement scheme pretty much entirely invalid. There are compensating capabilities here that exist today in Windows--and that's using Windows Defender Application Control to validate code signatures of PowerShell scripts as well as binaries executing on the target system. While this is inarguably the more secure solution, with policies capable of being protected by the TPM and UEFI NVRAM and Hypervisor separation, it's a lot of work to get that capability going on a Windows platform and would require signing all individual scripts and package files (if you don't trust existing authenticode signatures by 3rd party providers). Implementing such a check in Chocolatey would provide a much lower barrier to entry for simple package validation rather than manually verifying the package prior to execution. As far as dependency management goes, I think this should absolutely be an opt-in feature, and I don't see anything wrong with providing an option for the end user to checksum all of the dependencies either. I think it's valid to say that if you can't include a checksum of each dependency in the nuspec file, then instruct the user when the command line argument is added that they must first install the dependencies (no automatic download). In this manner, it's up to the user whether they want to checksum the dependencies or not. My expectation is that users of course would. |
This feature is used to control if the checksum of the downloaded .nupkg is checked against the checksum provided by the package source. It is disabled by default, as it unknown if it works correctly with all major NuGet v2 implementations.
This class provides a method to convert base64 hashes into hex form, returning the input if it is already in hex. It also returns the type of the hash. Both are based on the length of the input hash. Sha1, Sha256 and Sha512 are supported.
This adds a check to both install and upgrade to validate that the downloaded .nupkg file has the same hash as the source metadata. The check is conducted before the package is installed. If the source does not provide a sha512 checksum or if usePackageHashValidation is disabled, then the check is skipped. Only sha512 is supported because it is the only provided package hash type after download. The provided hash is used because it accounts for package signing correctly.
This adds a check to both install and upgrade to validate that the downloaded .nupkg file has the same hash as the source metadata. The check is conducted before the package is installed. If the source does not provide a sha512 checksum or if usePackageHashValidation is disabled, then the check is skipped. Only sha512 is supported because it is the only provided package hash type after download. The provided hash is used because it accounts for package signing correctly.
This feature is used to control if the checksum of the downloaded .nupkg is checked against the checksum provided by the package source. It is disabled by default, as it unknown if it works correctly with all major NuGet v2 implementations.
This class provides a method to convert base64 hashes into hex form, returning the input if it is already in hex. It also returns the type of the hash. Both are based on the length of the input hash. Sha1, Sha256 and Sha512 are supported.
This adds a check to both install and upgrade to validate that the downloaded .nupkg file has the same hash as the source metadata. The check is conducted before the package is installed. If the source does not provide a sha512 checksum or if usePackageHashValidation is disabled, then the check is skipped. Only sha512 is supported because it is the only provided package hash type after download. The provided hash is used because it accounts for package signing correctly.
This feature is used to control if the checksum of the downloaded .nupkg is checked against the checksum provided by the package source. It is disabled by default, as it unknown if it works correctly with all major NuGet v2 implementations.
This class provides a method to convert base64 hashes into hex form, returning the input if it is already in hex. It also returns the type of the hash. Both are based on the length of the input hash. Sha1, Sha256 and Sha512 are supported.
This adds a check to both install and upgrade to validate that the downloaded .nupkg file has the same hash as the source metadata. The check is conducted before the package is installed. If the source does not provide a sha512 checksum or if usePackageHashValidation is disabled, then the check is skipped. Only sha512 is supported because it is the only provided package hash type after download. The provided hash is used because it accounts for package signing correctly.
(#1144) Add validation for package hash
In the next release, when possible, Chocolatey CLI will now include package hash validation to ensure that the package being installed is the one that the server thinks it is. This is a feature flag that needs to be toggled on. This commit adds tests to cover that hash validation is being attempted when it can be.
gep13
changed the title
In the next release, when possible, Chocolatey CLI will now include package hash validation to ensure that the package being installed is the one that the server thinks it is. This is a feature flag that needs to be toggled on. This commit adds tests to cover that hash validation is being attempted when it can be.
In the next release, when possible, Chocolatey CLI will now include package hash validation to ensure that the package being installed is the one that the server thinks it is. This is a feature flag that needs to be toggled on. This commit adds tests to cover that hash validation is being attempted when it can be.
pauby
changed the title
In the next release, when possible, Chocolatey CLI will now include package hash validation to ensure that the package being installed is the one that the server thinks it is. This is a feature flag that needs to be toggled on. This commit adds tests to cover that hash validation is being attempted when it can be.
In the next release, when possible, Chocolatey CLI will now include package hash validation to ensure that the package being installed is the one that the server thinks it is. This is a feature flag that needs to be toggled on. This commit adds tests to cover that hash validation is being attempted when it can be.
* release/2.3.0: (153 commits) (#23) Move call to SetRemotePackageNamesIfAllSpecified (#1901) Revert commit to display location (maint) Update Authenticode Signature (tests) Some minor tweaks for test consistency (#310) Set-EnvironmentVariable: delete values properly (tests) Remove v2 import tests (#310) Fix test issues (#310) Fixup v2 compatibility (tests) Working on tests during pairing session (#2050) Add Pester test for --ignore-pinned option (#3381) Add Pester tests for rule command (#1144) Add Pester test to cover hash validation (#72) Add Pester tests to cover new functionality (test) Update assertions for push commands (#1310) Add Pester test to validate output (#23) Add tests to handle install all (#2200) Add test for new enhanced exit code (#1764) Add test for new enhanced exit code (#1760) Add test for new enhanced exit code (#1759) Add test for new enhanced exit code ...
|
🎉 This issue has been resolved in version 2.3.0 🎉 The release is available on: Your GitReleaseManager bot 📦 🚀 |
* master: (37 commits) (#310) Fix path to chocolatey.lib files (maint) Corrected casing of file (#23) Move call to SetRemotePackageNamesIfAllSpecified (#1901) Revert commit to display location (maint) Update Authenticode Signature (tests) Some minor tweaks for test consistency (#310) Set-EnvironmentVariable: delete values properly (tests) Remove v2 import tests (#310) Fix test issues (#310) Fixup v2 compatibility (tests) Working on tests during pairing session (#2050) Add Pester test for --ignore-pinned option (#3381) Add Pester tests for rule command (#1144) Add Pester test to cover hash validation (#72) Add Pester tests to cover new functionality (test) Update assertions for push commands (#1310) Add Pester test to validate output (#23) Add tests to handle install all (#2200) Add test for new enhanced exit code (#1764) Add test for new enhanced exit code ...
What You Are Seeing?
The checksum options in "choco install" validate checksums of external package dependencies downloaded from the internet.
While this can ensure content of the external dependency, it does not ensure content of the package and it's files/content (and therefore does not ensure content of repackaged packages with all included dependencies).
What is Expected?
Suggest new options "packagechecksum" and "packagechecksumType" to validate the checksum of the entire nupkg file after chocolatey downloads it. Suggest supporting all checksum types supported by present external checksum types (md5, sha1, etc etc).
cinst chefdk --version 1.1.16 -y -packagechecksum 'ca1cbfe819128dbd252d53f31e3cfae7' -packagechecksumType 'md5'I searched quite a bit to determine if this was possible in present functionality. Apologies in advance if I've missed something.
The text was updated successfully, but these errors were encountered: