From 5eeeff1cadf9d1ec45e9db9229a250efcf67ebab Mon Sep 17 00:00:00 2001
From: Stephen Valdinger
Date: Fri, 6 Sep 2024 10:37:09 -0400
Subject: [PATCH] (#247) Enable packageHashValidation feature
With Chocolatey 2.3.0 we introduced a feature which will validate the checksum of a downloaded nupkg with the SHA512 checksum that the repository reports. This increases confidence that the nupkg you are installing is in fact the nupkg you expect. This change enables the feature on the server as it is being setup, and adds the command to turn on the feature to the ClientSetup script.
---
 Start-C4bSetup.ps1 | 1 +
 scripts/ClientSetup.ps1 | 3 +++
 2 files changed, 4 insertions(+)
diff --git a/Start-C4bSetup.ps1 b/Start-C4bSetup.ps1
index 7b729d0..dd31323 100644
--- a/Start-C4bSetup.ps1
+++ b/Start-C4bSetup.ps1
@@ -140,6 +140,7 @@ try {
 # Set Choco Server Chocolatey Configuration
 Invoke-Choco feature enable --name="'excludeChocolateyPackagesDuringUpgradeAll'"
+ Invoke-Choco feature enable --name="'usePackageHashValidation'"
 # Convert license to a "choco-license" package, and install it locally to test
 Write-Host "Creating a 'chocolatey-license' package, and testing install." -ForegroundColor Green
diff --git a/scripts/ClientSetup.ps1 b/scripts/ClientSetup.ps1
index 2371808..9b12a73 100644
--- a/scripts/ClientSetup.ps1
+++ b/scripts/ClientSetup.ps1
@@ -145,6 +145,9 @@ choco feature enable --name="'useBackgroundServiceWithNonAdministratorsOnly'"
 choco feature enable --name="'allowBackgroundServiceUninstallsFromUserInstallsOnly'"
 choco config set --name="'backgroundServiceAllowedCommands'" --value="'install,upgrade,uninstall'"
+# Enable Package Hash Validation (Good security practice)
+choco feature enable --name="'usePackageHashValidation'"
+
 # CCM Check-in Configuration
 choco config set CentralManagementServiceUrl "https://${hostName}:24020/ChocolateyManagementService"
 if ($ClientSalt) {
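Review bot: Nothing around the added `Invoke-Choco feature enable --name="'usePackageHashValidation'"` line in Start-C4bSetup.ps1 confirms that the installed Chocolatey CLI is 2.3.0 or later, the release in which the commit message says this feature was introduced. The same applies to the `choco feature enable` line added in scripts/ClientSetup.ps1. On an older CLI the feature name would presumably be unknown. How Invoke-Choco reacts to that is not visible in this hunk, and the bare `choco` call on the client side has no visible exit-code check, so a client could finish setup without hash validation and without any signal. A check right after the client-side call would surface it, for example `if ($LASTEXITCODE -ne 0) { Write-Warning "usePackageHashValidation could not be enabled; Chocolatey CLI 2.3.0 or later is required" }`. The enclosing try block starts and ends outside the hunk.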
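Review bot: The new comment `# Enable Package Hash Validation (Good security practice)` in scripts/ClientSetup.ps1 does not say what is validated or against what, which is what an operator needs to know before treating it as a control. Going by the commit message, the downloaded nupkg is compared with the SHA512 checksum the repository reports. The comment could read `# Validate each downloaded nupkg against the SHA512 checksum the repository reports (needs Chocolatey CLI 2.3.0+)`. Because the reference hash comes from the same repository, this presumably detects a download that differs from the repository's metadata rather than a package altered at the source. It may be worth saying so, so that it is not read as a substitute for controlling what gets published to the repository.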