(chocolatey#247) Enable packageHashValidation feature

With Chocolatey 2.3.0 we introduced a feature which will validate the checksum of a downloaded nupkg with the SHA512 checksum that the repository reports. This increases confidence that the nupkg you are installing is in fact the nupkg you expect. This change enables the feature on the server as it is being setup, and adds the command to turn on the feature to the ClientSetup script.
steviecoaster · Oct 18, 2024 · 5eeeff1 · 5eeeff1
1 parent ff4cfc0
commit 5eeeff1
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 0 deletions.
diff --git a/Start-C4bSetup.ps1 b/Start-C4bSetup.ps1
@@ -140,6 +140,7 @@ try {
 
     # Set Choco Server Chocolatey Configuration
     Invoke-Choco feature enable --name="'excludeChocolateyPackagesDuringUpgradeAll'"
+    Invoke-Choco feature enable --name="'usePackageHashValidation'"
 
     # Convert license to a "choco-license" package, and install it locally to test
     Write-Host "Creating a 'chocolatey-license' package, and testing install." -ForegroundColor Green

diff --git a/scripts/ClientSetup.ps1 b/scripts/ClientSetup.ps1
@@ -145,6 +145,9 @@ choco feature enable --name="'useBackgroundServiceWithNonAdministratorsOnly'"
 choco feature enable --name="'allowBackgroundServiceUninstallsFromUserInstallsOnly'"
 choco config set --name="'backgroundServiceAllowedCommands'" --value="'install,upgrade,uninstall'"
 
+# Enable Package Hash Validation (Good security practice)
+choco feature enable --name="'usePackageHashValidation'"
+
 # CCM Check-in Configuration
 choco config set CentralManagementServiceUrl "https://${hostName}:24020/ChocolateyManagementService"
 if ($ClientSalt) {