Add and Validate NestedInstallerSha256 #2545

Open
Trenly opened this issue Sep 23, 2022 · 3 comments
Labels
Area-Manifest This may require a change to the manifest Issue-Feature This is a feature request for the Windows Package Manager client.

Comments

Trenly commented Sep 23, 2022

Description of the new feature / enhancement

Some applications distributed through zip files or other archive types are no longer in active development. In other cases, these installers may not be available from the original publisher, but may still be safe. Although hash collisions are rare in any scenario, a malicious actor with sufficient knowledge of compression algorithms can force a hash collision much more easily on an archive-type installer than on other types of installers. This creates a scenario where, in some cases but certainly not all, having and verifying the hash of the nested installer would provide an additional layer of security.

One great example of this is Universal Silent Switch Finder (USSF). The software is no longer under active development and is only available from insecure sites. However, the application is known to be safe with the current hash. Being able to add the nested installer hash for an additional verification would make me as a user feel more secure knowing that both the file being downloaded and the file being installed are being verified.

I am aware of the InstallationMetadata which allows for an optional hash to be supplied for ensuring the install is detected correctly, but this doesn't seem to be related to validation before install.

Proposed technical implementation details

Add an optional NestedInstallerSha256 key, valid when installer type is Zip
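The two-stage check this proposal describes (verify the archive hash, extract, verify the nested installer hash, and only then install), worked through as an added example. This is not winget's code and not part of the issue; it uses the existing manifest field names InstallerType, InstallerSha256, NestedInstallerFiles and RelativeFilePath, and treats NestedInstallerSha256 as the hypothetical new key. The `check_outer=False` path simulates the scenario the issue raises: an archive that passed the outer hash check but whose contents are not what the manifest author hashed.

```python
"""Two-stage hash verification for a zip installer (added example, not
winget's own code). Manifest keys mirror the real schema; the key
NestedInstallerSha256 is the proposal from the issue and is hypothetical."""
import hashlib
import io
import zipfile

HEX_DIGITS = set("0123456789abcdefABCDEF")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest().upper()


def validate_manifest_entry(installer: dict) -> list:
    """Manifest-time validation: the proposed key is only valid when the
    InstallerType is zip, and must be a 64-character hex digest."""
    errors = []
    for f in installer.get("NestedInstallerFiles", []):
        digest = f.get("NestedInstallerSha256")
        if digest is None:
            continue
        if installer.get("InstallerType") != "zip":
            errors.append(f"{f['RelativeFilePath']}: NestedInstallerSha256 is only valid for InstallerType zip")
        if len(digest) != 64 or any(c not in HEX_DIGITS for c in digest):
            errors.append(f"{f['RelativeFilePath']}: NestedInstallerSha256 is not a SHA-256 hex digest")
    return errors


def verify_and_extract(installer: dict, archive: bytes, check_outer: bool = True) -> dict:
    """Install-time check: verify the archive, extract the nested files and
    verify each one that carries NestedInstallerSha256. Raises ValueError on
    any mismatch and returns the verified files otherwise. check_outer=False
    stands in for an archive that somehow passed the outer hash check."""
    if check_outer and sha256_hex(archive) != installer["InstallerSha256"].upper():
        raise ValueError("archive hash mismatch")
    verified = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for f in installer["NestedInstallerFiles"]:
            path = f["RelativeFilePath"]
            data = zf.read(path)
            expected = f.get("NestedInstallerSha256")
            if expected is not None and sha256_hex(data) != expected.upper():
                raise ValueError(f"nested installer hash mismatch: {path}")
            verified[path] = data
    return verified


def build_zip(files: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo() -> dict:
    # Constructed sample payloads standing in for a real nested installer.
    good_exe = b"MZ-genuine-installer-bytes"
    evil_exe = b"MZ-trojaned-installer-bytes"
    good_zip = build_zip({"USSF.exe": good_exe, "readme.txt": b"hello"})
    evil_zip = build_zip({"USSF.exe": evil_exe, "readme.txt": b"hello"})

    installer = {
        "InstallerType": "zip",
        "InstallerSha256": sha256_hex(good_zip),
        "NestedInstallerFiles": [
            {"RelativeFilePath": "USSF.exe", "NestedInstallerSha256": sha256_hex(good_exe)}
        ],
    }
    not_zip = dict(installer, InstallerType="exe")  # same entry, wrong type

    results = {
        "manifest_errors": validate_manifest_entry(installer),
        "non_zip_errors": validate_manifest_entry(not_zip),
        "good": verify_and_extract(installer, good_zip)["USSF.exe"] == good_exe,
    }
    try:  # substituted archive: caught by the existing outer hash check
        verify_and_extract(installer, evil_zip)
    except ValueError as e:
        results["tampered"] = str(e)
    try:  # outer check assumed bypassed: the nested hash still catches it
        verify_and_extract(installer, evil_zip, check_outer=False)
    except ValueError as e:
        results["tampered_outer_bypassed"] = str(e)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The manifest-time validator only enforces the rule stated in the proposal (key valid for zip only) plus a digest-shape check; the install-time function is where a WorkflowTask between extraction and install would sit.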

@Trenly Trenly added the Issue-Feature This is a feature request for the Windows Package Manager client. label Sep 23, 2022
@ghost ghost added the Needs-Triage Issue need to be triaged label Sep 23, 2022

Trenly commented Sep 23, 2022

@denelon @ryfu-msft - I understand that I'm asking for a bit of scope creep here, but is it possible this could be pulled into the initial 1.4 release? I'm no expert on implementation details, but given that infrastructure is already in place for validating hashes, I'm assuming this would be as "simple" as adding a WorkflowTask to validate files between extraction and install, and a small bit of additional logic in manifest validation.

Pipeline validation of nested hashes could be left as a separate enhancement request since they aren't currently being validated.

@denelon denelon removed the Needs-Triage Issue need to be triaged label Sep 23, 2022

denelon commented Sep 23, 2022

Related to:


Trenly commented Jun 16, 2023

[Policy] Area-Manifest

@microsoft-github-policy-service microsoft-github-policy-service bot added the Area-Manifest This may require a change to the manifest label Jun 16, 2023