Comments (10)
I've suggested the feature here: microsoft/winget-cli#307
from winget-pkgs.
This is because in the manifest the updater is referenced. This will download the newest version and install it.
I will search if i can find the direct link to one specific version to insert it into the manifest file. Then the hash will not change after download.
from winget-pkgs.
Honestly I don't understand why that would even be allowed in the repository. It explicitly mentions a version number and hash only to then point to whatever happens to be the latest version. Essentially training the user to just ignore the hash verification whenever it complains.
The hash verification shouldn't even allow the installation to continue if it fails but that's another issue
from winget-pkgs.
Yes exactly. This could be complicated for many "newer" Softwareproducts. It is difficult to get the direct links and be sure you always will get the mentioned version. Even if you get the direct link to version X, then you download and install Chrome will start directly to download version Y.
from winget-pkgs.
You probably need to use the alternate chrome installer. The page is listed here under the collapsed "Install chrome offline" section: https://support.google.com/chrome/answer/95346
from winget-pkgs.
Yes @dmex but this changes also every time a new version is released. I guess only solution would be to store it at some other download location like selfhosted publicly accessible to make sure the mentioned version is downloaded. But this would require that this community package relies on someone’s hosted version of the software not provided by the software maintainer.
from winget-pkgs.
his changes also every time a new version is released
Either way the chrome package for winget should use the url for the full installer instead of the url to download the launcher which then downloads the full installer.
I guess only solution would be to store it at some other download location like selfhosted
If it was selfhosted you would have to validate the digital signature to ensure its legitimate and validating the signature instead of the hash fixes the issue with the hashes changing with each update.
The chrome binaries are digitally signed and winget can easily validate the thumbprint and/or common name of the embedded signature using the WinVerifyTrust function instead of the hash so this won't be an issue.
from winget-pkgs.
If it was selfhosted you would have to validate the digital signature to ensure its legitimate and validating the signature instead of the hash fixes the issue with the hashes changing with each update.
but currently this is not implemented. also then the maintainers need to specify when to check the hash and when to check the certificate or both.
i think this is something which should be considered generally for winget in the future.
from winget-pkgs.
We now have automation for packages at vanity URLs to generate a PR with the updated hash.
from winget-pkgs.
This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 7 days. It will be closed if no further activity occurs within 7 days of this comment.
from winget-pkgs.
Related Issues (20)
- cannot install packages HOT 1
- ASIO4ALL flagging my antivirus?? HOT 6
- [Update Request]: gstreamerproject.gstreamer 1.22.8 HOT 1
- [Package Issue]: DBeaver.DBeaver not respecting machine install scope defined in settings.json HOT 3
- [Update Request]: Microsoft Power BI HOT 5
- [Update Request]: GPXSee 13.15 HOT 1
- [Update Request]: Mozilla.Firefox 122.0.0 HOT 1
- Access denied when trying to start globally installed syncthing as a normal user HOT 3
- [Update Request]: Hydrogen-Music.Hydrogen 1.2.3 HOT 1
- Zoom.Zoom - Machine scope install issue HOT 3
- [Update Request]: Update package identifier of `lars-berger.GlazeWM` HOT 2
- [Update Request]: Roblox
- [Update Request]: RoyalTS 7.02.50111.0
- [Update Request]: Podman Desktop HOT 1
- [Update Request]: Podman
- [Update Request]: ctrl-f.userdiag 24.1.17 HOT 4
- [Package Request]: 3dslicer (aka slicer)
- [Package Issue]: ASIO4ALL - incorrect/invalid installer URL
- [Update Request]: Malwarebytes.Malwarebytes showing the wrong version HOT 2
- [Update Request]: gmsh.gmsh 4.12.2 HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from winget-pkgs.