-
Notifications
You must be signed in to change notification settings - Fork 903
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
(#1144) Add validation for package hash #3269
Conversation
c37c03e
to
b0dc2b1
Compare
@TheCakeIsNaOH are you in a position to complete the template for this PR? I have a couple questions about the implementation...
|
@gep13 I agree that a way to disable it would be appropriate. I think either a global switch, or a per source switch would be ideal, not both. The implementation in code is not complete, so I can't completely fill in the template yet.
|
Let's go with a feature called |
Sounds good, I'll get that added. |
82f6f15
to
19d7089
Compare
src/chocolatey/infrastructure.app/builders/ConfigurationBuilder.cs
Outdated
Show resolved
Hide resolved
19d7089
to
1f9ffd3
Compare
@TheCakeIsNaOH I really like the idea of getting this added, and I have made some refactoring to the changes that you have here (created a ValidatePackageHash method, rather than duplicating the code, as well as some wording changes based on a conversation with @pauby). Are you in a position to provide some testing steps in the PR template? I have tried to take this for a spin, doing a normal |
1f9ffd3
to
16148f7
Compare
It looks like wires got crossed somewhere, as the local package hash was not being normalized to hex, only the remote hash. It probably crept in during one of my rebases. I've fixed that up, and it should be working now. I've also added testing steps. |
16148f7
to
8086050
Compare
This feature is used to control if the checksum of the downloaded .nupkg is checked against the checksum provided by the package source. It is disabled by default, as it unknown if it works correctly with all major NuGet v2 implementations.
This class provides a method to convert base64 hashes into hex form, returning the input if it is already in hex. It also returns the type of the hash. Both are based on the length of the input hash. Sha1, Sha256 and Sha512 are supported.
This adds a check to both install and upgrade to validate that the downloaded .nupkg file has the same hash as the source metadata. The check is conducted before the package is installed. If the source does not provide a sha512 checksum or if usePackageHashValidation is disabled, then the check is skipped. Only sha512 is supported because it is the only provided package hash type after download. The provided hash is used because it accounts for package signing correctly.
8086050
to
46bef06
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
@TheCakeIsNaOH thank you for getting this added! |
Description Of Changes
Add usePackageHashValidation feature
This feature is used to control if the checksum of the downloaded
.nupkg is checked against the checksum provided by the package
source. It is disabled by default, as it unknown if it works
correctly with all major NuGet v2 implementations.
Add HashConverter class
This class provides a method to convert base64 hashes into hex form,
returning the input if it is already in hex. It also returns the type
of the hash. Both are based on the length of the input hash. Sha1,
Sha256 and Sha512 are supported.
Implement usePackageHashValidation feature
This adds a check to both install and upgrade to validate that the
downloaded .nupkg file has the same hash as the source metadata.
The check is conducted before the package is installed. If the
source does not provide a sha512 checksum or if
usePackageHashValidation is disabled, then the check is skipped.
Only sha512 is supported because it is the only provided package
hash type after download. The provided hash is used because it
accounts for package signing correctly.
Motivation and Context
See #1144
Testing
Operating Systems Testing
Change Types Made
Change Checklist
Related Issue
Fixes #1144