Choco: Checksum comparisons for Install-ChocolateyInstallPackage

Created on 3 Sep 2018 · 8Comments · Source: chocolatey/choco

Whilst _Install-ChocolateyPackage_ includes the ability to check file hashes for software
_Install-ChocolateyInstallPackage_ currently does not. As I understand it, this stemmed from design whereby use of _Install-ChocolateyInstallPackage_ assumed that you are embedding the installer into the nupkg and that to install without downloading first implied that it was coming from a trusted local source.

However there are circumstances where:

It may not be assumed there hasn't been tampering/malware with a file storage areas within a large organisation
It may be desirable to directly install a large setup file without embedding and without downloading/caching.

As a workaround, it is of course possible to use _Get-Filehash_ within _ChocolateyInstall.ps1_ against the intended file, but ideally the ability to validate checksums within chocolatey would be desirable.

As some larger local installations may not be just a single file, it may also be desirable to have it recursively check a folder of dependencies.

0 - Backlog Enhancement

Source

gsmitheidw

All 8 comments

(Funny, I came to Issues to place a feature request related to Install-ChocolateyInstallPackage also.)

@gsmitheidw You can use Install-ChocolateyPackage for your needs. Install-ChocolateyPackage calls Install-ChocolateyInstallPackage using URLs (HINT: URL can be a file) and checksums. You can also optionally use the -UseOriginalLocation parameter.

REF: From Install-ChocolateyPackage.ps1

.PARAMETER UseOriginalLocation
Do not download the resources. This is typically passed if Url/Url64bit
are pointed to local files or files on a share and those files should
be used in place. Available in 0.10.1+.

You can look at the chocolateyInstall.ps1 from https://chocolatey.org/packages/RocketDock for one such example.

bcurran3 on 5 Sep 2018

This isn't quite the same because InstallChocolateyInstallpackage installs directly from the URL path but the other will download the file first and install from local storage cache, which isn't always desirable.

gsmitheidw on 5 Sep 2018

RE: -useOriginalLocation

Take a look at lines 310-342 of Install-ChocolateyPackage.ps1

If I'm reading the parameter description and code right, using -useOriginalLocation skips the download via Get-ChocolateyWebFile and jumps to Install-ChocolateyInstallPackage

[string]$filePath = $downloadFilePath
  if ($useOriginalLocation) {
    $filePath = $url
    if (Get-ProcessorBits 64) {
      $forceX86 = $env:chocolateyForceX86
      if ($forceX86) {
        Write-Debug "User specified '-x86' so forcing 32-bit"
      } else {
        if ($url64bit -ne $null -and $url64bit -ne '') {
          $filePath = $url64bit
        }
      }
    }
  } else {
    $filePath = Get-ChocolateyWebFile -PackageName $packageName `
                                      -FileFullPath $downloadFilePath `
                                      -Url $url `
                                      -Url64bit $url64bit `
                                      -Checksum $checksum `
                                      -ChecksumType $checksumType `
                                      -Checksum64 $checksum64 `
                                      -ChecksumType64 $checksumType64 `
                                      -Options $options `
                                      -GetOriginalFileName
  }

  Install-ChocolateyInstallPackage -PackageName $packageName `
                                   -FileType $fileType `
                                   -SilentArgs $silentArgs `
                                   -File $filePath `
                                   -ValidExitCodes $validExitCodes `
                                   -UseOnlyPackageSilentArguments:$useOnlyPackageSilentArguments

bcurran3 on 5 Sep 2018

That's very interesting, never even knew that was there - that wasn't at all clear from any of the main online documentation. It looks like this is more an issue of documentation than code if that works as you suggest.

gsmitheidw on 5 Sep 2018

👍1

@bcurran3 let's be clear here...

Using the UseOriginalLocation flag will instruct Chocolatey to by-pass the download step as you mentioned, however, it will then as a result, also skip the only part of the code that uses the checksum values in the first place. As a result, the suggestion to use Install-ChocolateyPackage instead of Install-ChocolateyInstallPackage when you want to apply checksums and also don't want to download the installer, doesn't actually do what you are suggesting.

I agree that changing the Install-ChocolateyInstallPackage to additional verify checksum's makes sense, but I don't think suggesting to use on function in the place of another one is a good idea.

Install-ChocolateyPackage is intended to be used when you are downloading and installing an application.

Install-ChocolateyInstallPackage (yes, I agree, naming is hard) is intended to be used when you already have the application installer locally, in the case of an embedded package. Doing it in any other way leads to ambiguity in the intention of your package, and also can result in additional work occurring that isn't required.

gep13 on 7 Sep 2018

👍1

Sorry @gsmitheidw I got hyper-focused on bullet point 2 which was already solved by the function existing itself. Looks like you need to use Install-ChocolateyInstallPackage and do your own file verifications until checksum checking is possibly added to Install-ChocolateyInstallPackage in the future.

bcurran3 on 7 Sep 2018

No problem, to be fair some as @gep says - the naming is a shade confusing. It might be possible (eventually) to merge both into one command and just use switches to determine the desired functionality.

Possibly the standard variables $file or $url probably could be standardised too? Something more generic like $source - seeing as either may be appropriate. Anyway lots of food for thought.

gsmitheidw on 7 Sep 2018

👍1

@gsmitheidw thanks for filing this. I've added it to the backlog.