
There are a couple of different topics being asked about here, so I wanted to make sure that each is covered.

Firstly, Moderators of packages submitted to the Chocolatey Community Repository make a number of checks. With regard to checksums, the guidance is that checksums for an installer/zip/etc. are required when the download happens over HTTP, and that checksums are recommended when the download happens over HTTPS. In most cases, for new package submissions, Moderators (myself included) will request that checksums be added to the package installation script, regardless of whether the downloads happen over HTTP or HTTPS.

Secondly, a checksum is used to ensure that the file that is downloaded at runtime is the same as the one that the package maintainer expected it to be when the package was created. This is a security feature, and when Chocolatey finds that the checksum differs between the file that is downloaded and what was expected, it will not proceed with the installation.

There can be a number of reasons "why" the checksum is different. Some of those reasons are covered in this blog post:

Firstly, some packages (like Google Chrome) don't include versioned URLs for their application installer. As a result, you can only ever download the Chrome installer from one location, namely. As a result, whenever Google pushes out a new version of Chrome, which happens quite frequently, the most recent package version of Chrome on is immediately broken.

The second way that checksums will break is if vendors "change" the application installer once it has been published, without changing the version number.

For the former, when there is actually a new application version, and the file at the end of the URL is actually a new one, then the request would be to create a new package version, with the updated version number. The latter reason is unfortunate, and there isn't much that can be done, aside from generating a new package version, which would need to use the package fix version notation to create a new package version (this is due to a package version being immutable, meaning it can't change once it is approved). In this new package, you would include the new checksum value.

The final point that I wanted to make clear is that the checksum is generated and placed into the package at the point in time that the package is created, and submitted to. It is done as you mentioned with, for example, the checksum.exe tool.
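To make the two halves of the answer concrete (the checksum frozen into the package at creation time, and the runtime check that refuses a file whose checksum no longer matches), here is an added, platform-independent model written for this thread. It is not Chocolatey's own code and does not call its PowerShell helpers; the installer bytes, the package manifest fields (`url`, `checksum`, `checksum_type`) and the `example.invalid` URL are all constructed for the illustration. The `review_package` helper encodes the moderation guidance stated above (checksum required over HTTP, recommended over HTTPS), and the two `install` calls show why an unversioned download URL, or a vendor silently replacing the file, breaks the published package version until a new one is submitted.

```python
"""Constructed model of checksum handling for a package that downloads its installer at runtime.

Not Chocolatey's own code: it models the behaviour described in the answer above.
"""
import hashlib
import hmac
from urllib.parse import urlparse

# Digest algorithms the model accepts; names are hashlib's.
SUPPORTED_TYPES = ("md5", "sha1", "sha256", "sha512")


def compute_checksum(data: bytes, checksum_type: str = "sha256") -> str:
    """What the maintainer does once, at package-creation time (the job checksum.exe does)."""
    if checksum_type not in SUPPORTED_TYPES:
        raise ValueError(f"unsupported checksum type: {checksum_type}")
    return hashlib.new(checksum_type, data).hexdigest()


def verify_download(data: bytes, expected: str, checksum_type: str = "sha256") -> bool:
    """What the install step does at runtime: hash the downloaded bytes and compare."""
    actual = compute_checksum(data, checksum_type)
    # Constant-time comparison on normalised hex digests (case and whitespace differences
    # in a hand-pasted checksum must not cause a false mismatch).
    return hmac.compare_digest(actual.lower(), expected.strip().lower())


def review_package(manifest: dict) -> list:
    """Moderation-style findings for a manifest: required over http://, recommended over https://."""
    findings = []
    scheme = urlparse(manifest.get("url", "")).scheme.lower()
    checksum = manifest.get("checksum")
    if not checksum:
        if scheme == "http":
            findings.append("REQUIRED: plain-HTTP download has no checksum")
        else:
            findings.append("RECOMMENDED: add a checksum even for an HTTPS download")
    elif manifest.get("checksum_type", "sha256") not in SUPPORTED_TYPES:
        findings.append("ERROR: unknown checksum type")
    return findings


# --- constructed scenario -------------------------------------------------------------
# Bytes the vendor published when version 1.0.0 was packaged (constructed, not a real installer).
INSTALLER_V1 = b"MZ\x90\x00constructed-installer-bytes-v1"

# The package as submitted: the checksum is computed now and frozen with this package version.
PACKAGE_V1 = {
    "version": "1.0.0",
    "url": "https://example.invalid/app/setup.exe",  # unversioned URL, like the Chrome case
    "checksum": compute_checksum(INSTALLER_V1),
    "checksum_type": "sha256",
}

# Later the same URL serves different bytes: a new release, or a silent in-place change.
INSTALLER_REPLACED = b"MZ\x90\x00constructed-installer-bytes-v2"


def install(package: dict, downloaded: bytes) -> str:
    """Simulate the install step; an approved package version cannot be edited, only superseded."""
    if verify_download(downloaded, package["checksum"], package["checksum_type"]):
        return "installed"
    return "refused: checksum mismatch (submit a new package version with the new checksum)"


if __name__ == "__main__":
    print(install(PACKAGE_V1, INSTALLER_V1))
    print(install(PACKAGE_V1, INSTALLER_REPLACED))
    print(review_package({"url": "http://example.invalid/setup.exe"}))
```

The second `install` call is the Chrome situation from the answer: the package manifest is unchanged and correct, but the file behind the unversioned URL is not the one the checksum was taken from, so the only remedy is a new package version (or a fix version) carrying the new checksum.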
