Chrome manifest link does not reference a specific version about winget-pkgs HOT 10 CLOSED

I've suggested the feature here: microsoft/winget-cli#307

from winget-pkgs.

This is because in the manifest the updater is referenced. This will download the newest version and install it.

I will search if i can find the direct link to one specific version to insert it into the manifest file. Then the hash will not change after download.

from winget-pkgs.

Honestly I don't understand why that would even be allowed in the repository. It explicitly mentions a version number and hash only to then point to whatever happens to be the latest version. Essentially training the user to just ignore the hash verification whenever it complains.
The hash verification shouldn't even allow the installation to continue if it fails but that's another issue

from winget-pkgs.

Yes exactly. This could be complicated for many "newer" Softwareproducts. It is difficult to get the direct links and be sure you always will get the mentioned version. Even if you get the direct link to version X, then you download and install Chrome will start directly to download version Y.

from winget-pkgs.

@maxmichels

You probably need to use the alternate chrome installer. The page is listed here under the collapsed "Install chrome offline" section: https://support.google.com/chrome/answer/95346

from winget-pkgs.

Yes @dmex but this changes also every time a new version is released. I guess only solution would be to store it at some other download location like selfhosted publicly accessible to make sure the mentioned version is downloaded. But this would require that this community package relies on someone’s hosted version of the software not provided by the software maintainer.

from winget-pkgs.

his changes also every time a new version is released

Either way the chrome package for winget should use the url for the full installer instead of the url to download the launcher which then downloads the full installer.

I guess only solution would be to store it at some other download location like selfhosted

If it was selfhosted you would have to validate the digital signature to ensure its legitimate and validating the signature instead of the hash fixes the issue with the hashes changing with each update.

The chrome binaries are digitally signed and winget can easily validate the thumbprint and/or common name of the embedded signature using the WinVerifyTrust function instead of the hash so this won't be an issue.

from winget-pkgs.

If it was selfhosted you would have to validate the digital signature to ensure its legitimate and validating the signature instead of the hash fixes the issue with the hashes changing with each update.

but currently this is not implemented. also then the maintainers need to specify when to check the hash and when to check the certificate or both.

i think this is something which should be considered generally for winget in the future.

from winget-pkgs.

We now have automation for packages at vanity URLs to generate a PR with the updated hash.

from winget-pkgs.

This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 7 days. It will be closed if no further activity occurs within 7 days of this comment.

from winget-pkgs.