Merge pull request chocolatey#278 from steviecoaster/gh153

(chocolatey#153) Enable FIPs if required
steviecoaster · Oct 18, 2024 · ff4cfc0 · ff4cfc0
2 parents c446da8 + 12b2c0e
commit ff4cfc0
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 3 deletions.
diff --git a/OfflineInstallPreparation.ps1 b/OfflineInstallPreparation.ps1
@@ -60,8 +60,6 @@ $ErrorActionPreference = "Stop"
 $ProgressPreference = "SilentlyContinue"
 $LicensePath = Convert-Path $LicensePath
 
-Import-Module $PSScriptRoot\modules\C4B-Environment
-
 $ChocoInstallScript = Join-Path $PSScriptRoot "scripts\ChocolateyInstall.ps1"
 if (-not (Test-Path $ChocoInstallScript)) {
     Invoke-WebRequest -Uri 'https://chocolatey.org/install.ps1' -OutFile $ChocoInstallScript
@@ -80,6 +78,8 @@ if ($Signature.Status -eq 'Valid' -and $Signature.SignerCertificate.Subject -eq
     Write-Error "ChocolateyInstall.ps1 script signature is not valid. Please investigate." -ErrorAction Stop
 }
 
+Import-Module $PSScriptRoot\modules\C4B-Environment -Force
+
 # Initialize environment, ensure Chocolatey For Business, etc.
 $Licensed = ($($(choco.exe)[0] -match "^Chocolatey (?<Version>\S+)\s*(?<LicenseType>Business)?$") -and $Matches.LicenseType)
 $InstalledLicensePath = "$env:ChocolateyInstall\license\chocolatey.license.xml"

diff --git a/files/chocolatey.json b/files/chocolatey.json
@@ -24,7 +24,7 @@
         { "name": "KB3035131", "internalize": false },
         { "name": "microsoft-edge" },
         { "name": "nexus-repository" },
-        { "name": "pester" },
+        { "name": "pester", "internalize": false },
         { "name": "sql-server-express" },
         { "name": "temurin21jre" },
         { "name": "vcredist140" }

diff --git a/modules/C4B-Environment/C4B-Environment.psm1 b/modules/C4B-Environment/C4B-Environment.psm1
@@ -2319,4 +2319,14 @@ function Install-ChocolateyAgent {
 }
 #endregion
 
+# Check for and configure FIPS enforcement, if required.
+if (
+    (Get-ItemPropertyValue -Path "HKLM:\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy" -Name Enabled) -eq 1 -and
+    $env:ChocolateyInstall -and
+    -not [bool]::Parse(([xml](Get-Content $env:ChocolateyInstall\config\chocolatey.config)).chocolatey.features.feature.Where{$_.Name -eq 'useFipsCompliantChecksums'}.Enabled)
+) {
+    Write-Warning -Message "FIPS is enabled on this system. Ensuring Chocolatey uses FIPS compliant checksums"
+    Invoke-Choco feature enable --name='useFipsCompliantChecksums'
+}
+
 Export-ModuleMember -Function "*"
diff --git a/scripts/ClientSetup.ps1 b/scripts/ClientSetup.ps1
@@ -105,6 +105,13 @@ $script = $webClient.DownloadString("https://${hostAddress}/repository/choco-ins
 # Run the Chocolatey Install script with the parameters provided
 & ([scriptblock]::Create($script)) @params
 
+# If FIPS is enabled, configure Chocolatey to use FIPS compliant checksums
+$fipsStatus = Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy" -Name Enabled
+if ($fipsStatus.Enabled -eq 1) {
+    Write-Warning -Message "FIPS is enabled on this system. Ensuring Chocolatey uses FIPS compliant checksums"
+    choco feature enable --name='useFipsCompliantChecksums'
+}
+
 choco config set cacheLocation $env:ChocolateyInstall\choco-cache
 choco config set commandExecutionTimeoutSeconds 14400