Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(#1144) Add validation for package hash #3269

Merged
merged 3 commits into from
Apr 30, 2024
Merged

(#1144) Add validation for package hash #3269

merged 3 commits into from
Apr 30, 2024

Conversation

TheCakeIsNaOH
Copy link
Member

@TheCakeIsNaOH TheCakeIsNaOH commented Jul 16, 2023
edited
Loading

Description Of Changes

Add usePackageHashValidation feature

This feature is used to control if the checksum of the downloaded
.nupkg is checked against the checksum provided by the package
source. It is disabled by default, as it unknown if it works
correctly with all major NuGet v2 implementations.

Add HashConverter class

This class provides a method to convert base64 hashes into hex form,
returning the input if it is already in hex. It also returns the type
of the hash. Both are based on the length of the input hash. Sha1,
Sha256 and Sha512 are supported.

Implement usePackageHashValidation feature

This adds a check to both install and upgrade to validate that the
downloaded .nupkg file has the same hash as the source metadata.
The check is conducted before the package is installed. If the
source does not provide a sha512 checksum or if
usePackageHashValidation is disabled, then the check is skipped.

Only sha512 is supported because it is the only provided package
hash type after download. The provided hash is used because it
accounts for package signing correctly.

Motivation and Context

See #1144

Testing

.\choco install wget -n --debug 
#Check that the debug log has "skipping package hash validation"

.\choco feature enable -n usepackagehashvalidation
.\choco install wget -n --debug --source=C:\some\local\source 
# Check that the debug log has "Source does not provide a package hash"

.\choco install wget -n --debug --source=https://nuget/v3/api.json
# Check that the debug log has "Source does not provide a package hash"

.\choco install wget -n --verbose --debug --source=https://community.chocolatey.org/api/v2
# Check that the debug log has "Package hash matches expected hash."

# Open up fiddler, and modify the API response to change the returned hash
.\choco install wget -n --verbose --debug --source=https://community.chocolatey.org/api/v2
# Then check that the install fails with "did not match expected hash"

Operating Systems Testing

  • Windows 10 22H2

Change Types Made

  • Bug fix (non-breaking change).
  • Feature / Enhancement (non-breaking change).
  • Breaking change (fix or feature that could cause existing functionality to change).
  • Documentation changes.
  • PowerShell code changes.

Change Checklist

  • Requires a change to the documentation.
  • Documentation has been updated.
  • Tests to cover my changes, have been added.
  • All new and existing tests passed?
  • PowerShell code changes: PowerShell v2 compatibility checked?

Related Issue

Fixes #1144

@gep13
Copy link
Member

gep13 commented Sep 28, 2023

@TheCakeIsNaOH are you in a position to complete the template for this PR?

I have a couple questions about the implementation...

  1. Should there be a feature that can be toggled on/off for verifying the checksum of the package?
  2. Related to the above, should it be possible to enable/disable checksum validation on a per source basis?

@TheCakeIsNaOH
Copy link
Member Author

@gep13 I agree that a way to disable it would be appropriate. I think either a global switch, or a per source switch would be ideal, not both.

The implementation in code is not complete, so I can't completely fill in the template yet.

  • Non-sha512 should be explicitly handled via checking the hash type in the metadata and either ignoring and logging, or manually getting the checksum of the downloaded files in that other algorithm.
  • A way to disable the check, as mentioned above.
  • Handling for when a normal string, instead of base64, is provided by the server (Nexus provides a normal string instead of base64 I think).

@gep13
Copy link
Member

gep13 commented Dec 14, 2023

@TheCakeIsNaOH said...
I think either a global switch, or a per source switch would be ideal, not both.

Let's go with a feature called usePackageHashValidation, which is off by default, and folks can opt into it.

@TheCakeIsNaOH
Copy link
Member Author

Let's go with a feature called usePackageHashValidation, which is off by default, and folks can opt into it.

Sounds good, I'll get that added.

@TheCakeIsNaOH TheCakeIsNaOH force-pushed the gh1144-package-hash branch 2 times, most recently from 82f6f15 to 19d7089 Compare January 10, 2024 02:58
@gep13
Copy link
Member

gep13 commented Apr 26, 2024

@TheCakeIsNaOH I really like the idea of getting this added, and I have made some refactoring to the changes that you have here (created a ValidatePackageHash method, rather than duplicating the code, as well as some wording changes based on a conversation with @pauby).

Are you in a position to provide some testing steps in the PR template?

I have tried to take this for a spin, doing a normal choco install windirstat but the hash isn't being validated correctly. I haven't dug into this yet, as it is coming to the end of my day here. If you are in a position to take a look at it, that would be great, otherwise I will pick this up next week.

@TheCakeIsNaOH
Copy link
Member Author

It looks like wires got crossed somewhere, as the local package hash was not being normalized to hex, only the remote hash. It probably crept in during one of my rebases. I've fixed that up, and it should be working now. I've also added testing steps.

@TheCakeIsNaOH TheCakeIsNaOH marked this pull request as ready for review April 28, 2024 01:57
@TheCakeIsNaOH @gep13
(chocolatey#1144) Add usePackageHashValidation feature
08aee56 
This feature is used to control if the checksum of the downloaded
.nupkg is checked against the checksum provided by the package
source. It is disabled by default, as it unknown if it works
correctly with all major NuGet v2 implementations.
@TheCakeIsNaOH @gep13
(chocolatey#1144) Add HashConverter class
5553e92 
This class provides a method to convert base64 hashes into hex form,
returning the input if it is already in hex. It also returns the type
of the hash. Both are based on the length of the input hash. Sha1,
Sha256 and Sha512 are supported.
@TheCakeIsNaOH @gep13
(chocolatey#1144) Implement usePackageHashValidation feature
46bef06 
This adds a check to both install and upgrade to validate that the
downloaded .nupkg file has the same hash as the source metadata.
The check is conducted before the package is installed. If the
source does not provide a sha512 checksum or if
usePackageHashValidation is disabled, then the check is skipped.

Only sha512 is supported because it is the only provided package
hash type after download. The provided hash is used because it
accounts for package signing correctly.
gep13
gep13 approved these changes Apr 30, 2024
View reviewed changes
Copy link
Member

@gep13 gep13 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@gep13 gep13 merged commit 6f994e0 into chocolatey:develop Apr 30, 2024
5 checks passed
@gep13
Copy link
Member

gep13 commented Apr 30, 2024

@TheCakeIsNaOH thank you for getting this added!

@TheCakeIsNaOH TheCakeIsNaOH deleted the gh1144-package-hash branch April 30, 2024 19:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gep13 gep13 gep13 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Verify the checksum of a package before installation, and fail if not matched
2 participants
@TheCakeIsNaOH @gep13