
Checksum requirement and enhancements #112

@ferventcoder

Description


Give the user more options when dealing with downloads

  • Allow user to pass their own checksum (and checksum type)
  • --ignore-checksums (done with #33: Checksumming can not be turned off by the feature flag)
  • Provide pending requirement for checksums for packages missing them (allows community to let maintainers know they need to update their packages).
  • Do not allow installs from downloaded binaries that are not checksummed from the package by default.
  • Create feature allowEmptyChecksums set to false by default.
  • Allow passing switch --allow-empty-checksums, --require-checksums at runtime to override default behavior.
  • Create feature allowEmptyChecksumsSecure set to true by default (for HTTPS).

Choco v1 will not allow package installs without checksums by default. To be insecure, folks will need to explicitly ignore checksumming; to be more secure, they can provide their own. This has been moved up to 0.10.0.

Bumping up the priority on this after a recent incident - see https://twitter.com/ferventcoder/status/760892254542102528 and http://us8.campaign-archive1.com/?u=86a6d80146a0da7f2223712e4&id=f2fe8dbe6b for details.

NOTE: We decided to relax the checksum missing failure to only HTTP for now, but will require it for HTTPS as well when #895 releases.

Running into this issue?

Option 1 - Pass the checksums through

You can pass the checksums through to the install / upgrade:

choco install somepackage --download-checksum checksumvalue --download-checksum-type checksumtypehere

NOTE: For best security, you may wish to manually download the installer and check it with VirusTotal first, then use the checksum that VT shows on its page with the choco install command. Because --download-checksum-type defaults to 'md5', pass the type explicitly (preferably 'sha256' or 'sha512') so the value you verified is the one choco compares against. Nothing is saved in time here, but hopefully the time savings occur in reporting and future upgrades of the package. Reasoning: the checksum could change if the download link is non-specific (not tied to a specific version). But if it is a version-specific download, one should really be asking why this occurred rather than simply ignoring a built-in security mechanism. It could be because the software vendor doesn't adhere to the idea of not changing a released version once offered, but it could also be that the distribution site was hacked and is offering a bad version, just waiting for unsuspecting folks to download it. Without using some other method of verification when checksums fail, you are hoping that your anti-virus software would protect you in a hacked situation.

See https://chocolatey.org/docs/commands-install / https://chocolatey.org/docs/commands-upgrade:

    --checksum, --downloadchecksum, --download-checksum=VALUE
     Download Checksum - a user provided checksum for downloaded resources 
       for the package. Overrides the package checksum (if it has one).  
       Defaults to empty. Available in 0.10.0+.

     --checksum64, --checksumx64, --downloadchecksumx64, --download-checksum-x64=VALUE
     Download Checksum 64bit - a user provided checksum for 64bit downloaded 
       resources for the package. Overrides the package 64-bit checksum (if it 
       has one). Defaults to same as Download Checksum. Available in 0.10.0+.

     --checksumtype, --checksum-type, --downloadchecksumtype, --download-checksum-type=VALUE
     Download Checksum Type - a user provided checksum type. Overrides the 
       package checksum type (if it has one). Used in conjunction with Download 
       Checksum. Available values are 'md5', 'sha1', 'sha256' or 'sha512'. 
       Defaults to 'md5'. Available in 0.10.0+.

     --checksumtype64, --checksumtypex64, --checksum-type-x64, --downloadchecksumtypex64, --download-checksum-type-x64=VALUE
     Download Checksum Type 64bit - a user provided checksum type for 64bit 
       downloaded resources for the package. Overrides the package 64-bit 
       checksum type (if it has one). Used in conjunction with Download Checksum 
       64bit. Available values are 'md5', 'sha1', 'sha256' or 'sha512'. 
       Defaults to same as Download Checksum Type. Available in 0.10.0+.
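The out-of-band verification described in the NOTE above, as an added PowerShell example (not code from the original issue or from the Chocolatey project): download the installer yourself, hash it, compare against the value the vendor (or VirusTotal) publishes, and only then let choco install while pinning that hash. The package name, download URL and expected hash are placeholders and must be substituted.

```powershell
# Added example, not from the original issue or from Chocolatey itself.
# Verify an installer out-of-band, then hand the verified hash to choco so the
# install fails if the package downloads anything other than the file you checked.
# Assumed placeholder values: package name, installer URL and expected SHA-256.
param(
    [string]$PackageName    = 'somepackage',                          # assumption
    [string]$InstallerUrl   = 'https://example.com/somepackage.exe',  # assumption
    [string]$ExpectedSha256 = 'PASTE-THE-PUBLISHED-SHA256-HERE'       # assumption
)

$ErrorActionPreference = 'Stop'
$tmp = Join-Path $env:TEMP ([IO.Path]::GetFileName($InstallerUrl))

# 1. Fetch the exact file you intend to verify.
Invoke-WebRequest -Uri $InstallerUrl -OutFile $tmp -UseBasicParsing

# 2. Hash it locally. Get-FileHash ships with PowerShell 4+.
$actual = (Get-FileHash -Path $tmp -Algorithm SHA256).Hash

# 3. PowerShell's -ne is case-insensitive for strings, so hex case does not matter.
if ($actual -ne $ExpectedSha256) {
    throw "Checksum mismatch for $tmp`n  expected: $ExpectedSha256`n  actual:   $actual"
}

# 4. Let choco do the install, but pin the hash and the hash TYPE. The type
#    defaults to md5, so omitting it would make the comparison fail (or, worse,
#    compare against the wrong algorithm).
& choco install $PackageName -y --download-checksum $actual --download-checksum-type sha256
if ($LASTEXITCODE -ne 0) {
    throw "choco install $PackageName failed with exit code $LASTEXITCODE"
}
```

If the package's URL is not version-specific, expect this to break on the next vendor release; that is the signal the NOTE above describes, not a reason to fall back to --ignore-checksums.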

Option 2 - Fix the package to download over HTTPS if possible, and use checksums

Update the package accordingly so it complies with the new security enhancements.
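What "update the package accordingly" looks like in a chocolateyInstall.ps1, as an added example (not from the original issue, and not a real package): the non-compliant form that 0.10.0 will refuse by default, followed by the compliant form using HTTPS, version-pinned URLs and SHA-256 checksums for both architectures. Package name, URLs and hashes are placeholder assumptions.

```powershell
# Added example, not from the original issue or from any published package.
# Package name, URLs and hash values are placeholders (assumptions).
$ErrorActionPreference = 'Stop'

# --- BEFORE: plain HTTP and no checksum. Under 0.10.0 defaults this install
# --- fails unless the user passes --allow-empty-checksums.
#
# Install-ChocolateyPackage -PackageName 'somepackage' -FileType 'exe' `
#     -SilentArgs '/S' -Url 'http://example.com/somepackage.exe'

# --- AFTER: HTTPS, a URL tied to one release, and a checksum per architecture.
# Compute each hash once against the file you verified out-of-band:
#   (Get-FileHash .\somepackage-1.2.3.exe -Algorithm SHA256).Hash
$packageArgs = @{
    packageName    = 'somepackage'
    fileType       = 'exe'
    silentArgs     = '/S'
    validExitCodes = @(0)

    url            = 'https://example.com/releases/1.2.3/somepackage-1.2.3.exe'      # assumption
    checksum       = '0000000000000000000000000000000000000000000000000000000000000000' # placeholder
    checksumType   = 'sha256'

    url64bit       = 'https://example.com/releases/1.2.3/somepackage-1.2.3-x64.exe'  # assumption
    checksum64     = '1111111111111111111111111111111111111111111111111111111111111111' # placeholder
    checksumType64 = 'sha256'
}

# choco downloads the file, hashes it with checksumType, and refuses to run the
# installer when the hash differs from checksum/checksum64.
Install-ChocolateyPackage @packageArgs
```

Pinning the URL to a specific release matters as much as the hash: a "latest" link guarantees the checksum will break on the vendor's next release, which trains users to reach for --ignore-checksums.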

Option 3 - If the package is internal, embed the resources in the package (or put on an internal share)

Many organizations using Chocolatey internally will create packages that use internal or embedded resources. They also go through a process called recompiling to download an existing package and recompile it to use internal resources - https://chocolatey.org/docs/how-to-recompile-packages
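The embedded-resource variant, as an added example (not from the original issue or from the recompiling docs): the installer ships inside the .nupkg's tools directory, so nothing is fetched from the internet at install time. The package name, file name and hash are placeholder assumptions; the hash check is a belt-and-braces step for feeds where the .nupkg itself might be tampered with.

```powershell
# Added example, not from the original issue or from Chocolatey's own docs.
# chocolateyInstall.ps1 for a package whose installer is embedded in the nupkg.
# Package name, file name and expected hash are placeholders (assumptions).
$ErrorActionPreference = 'Stop'

$toolsDir  = Split-Path -Parent $MyInvocation.MyCommand.Definition
$installer = Join-Path $toolsDir 'somepackage-1.2.3.exe'   # shipped inside the package (assumption)

# Fail loudly if the package was built without the binary rather than letting
# choco try to run a missing file.
if (-not (Test-Path $installer)) {
    throw "Embedded installer not found: $installer"
}

# Optional: re-verify the embedded file. This protects against a modified
# .nupkg on an internal feed; skip it only if the feed itself is trusted.
$expectedSha256 = '0000000000000000000000000000000000000000000000000000000000000000'  # placeholder
$actualSha256   = (Get-FileHash -Path $installer -Algorithm SHA256).Hash
if ($actualSha256 -ne $expectedSha256) {
    throw "Embedded installer hash mismatch`n  expected: $expectedSha256`n  actual:   $actualSha256"
}

# Install-ChocolateyInstallPackage runs a local file; no download, so the
# allowEmptyChecksums / allowEmptyChecksumsSecure features never come into play.
Install-ChocolateyInstallPackage -PackageName 'somepackage' -FileType 'exe' `
    -SilentArgs '/S' -File $installer -ValidExitCodes @(0)
```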

Option 4 - Accept the risk

Now we are into the non-recommended options. So if you want to use this package and you are fine with the risks of a package downloading over HTTP without verifying the integrity of the binaries, then you can use the following:

choco install somepackage --allow-empty-checksums

If you are using a tool that is using an older version of Chocolatey, like Boxstarter or ChocolateyGUI, but you've upgraded your local Chocolatey to v0.10.0, you may want to use:

choco install somepackage --ignore-checksums

See https://chocolatey.org/docs/commands-install / https://chocolatey.org/docs/commands-upgrade:

     --ignorechecksum, --ignore-checksum, --ignorechecksums, --ignore-checksums
     IgnoreChecksums - Ignore checksums provided by the package. Overrides 
       the default feature 'checksumFiles' set to 'True'. Available in 0.9.9.9+.

     --allowemptychecksum, --allowemptychecksums, --allow-empty-checksums
     Allow Empty Checksums - Allow packages to have empty/missing checksums 
       for downloaded resources from non-secure locations (HTTP, FTP). Using 
       this switch is not recommended if using sources that download resources 
       from the internet. Overrides the default feature 'allowEmptyChecksums' 
       set to 'False'. Available in 0.10.0+.

     --allowemptychecksumsecure, --allowemptychecksumssecure, --allow-empty-checksums-secure
     Allow Empty Checksums Secure - Allow packages to have empty checksums 
       for downloaded resources from secure locations (HTTPS). Overrides the 
       default feature 'allowEmptyChecksumsSecure' set to 'True'. Available in 
       0.10.0+.

     --requirechecksum, --requirechecksums, --require-checksums
     Require Checksums - Requires packages to have checksums for downloaded 
       resources (both non-secure and secure). Overrides the default feature 
       'allowEmptyChecksums' set to 'False' and 'allowEmptyChecksumsSecure' set 
       to 'True'. Available in 0.10.0+.

Option 5 - Accept the risk for everything

You can turn the behavior off globally by enabling the feature allowEmptyChecksums. This is a nuclear option and subverts the protections brought in by this feature: every package that downloads over HTTP without a checksum will install silently. You can also disable the feature checksumFiles to turn off checksumming entirely, which additionally stops choco from verifying checksums that packages do provide.

Option 6 - Downgrade Chocolatey

Downgrading to an older version doesn't remove the risk that is there in downloading resources from the internet. 0.10.0 is more upfront about those issues so you can make an informed, aware decision on what you are installing.

Labels

  • 5 - Released: The issue has been resolved, and released to the public for consumption.
  • Breaking Change: The issue will introduce backwards incompatible changes.
  • Enhancement: Issues that introduce new functionality to the project, or enhance/update existing functionality.
  • Priority - High: Represents high priority tickets - things that must be addressed soon.
  • Security: Issues that are related to security vulnerabilities, or other security related problems.