Hash verification will fail if a package updated without changing download path

[ChungZH]

Description of the new feature/enhancement

Now, I found a problem with winget. The installer downloaded by some software packages does not specify a version.

For example, the WeChat:

This installer does not specify a certain version like WeChatSetup-2.9.exe. Therefore, when this program is updated, the value of SHA256 changes and you cannot install it. You must wait for someone to update this SHA256.

AND, the problem isn't only on WeChat. There are many softwares does not provide a certain version of the installation package.

Proposed technical implementation details (optional)

[jamierocks]

Yep, this keeps coming up sadly :(

[LightDestory]

I agree, a lot of application that I would like to push uses a "latest" link option.
For now the user can only choose to continue the installation despite the hash missmatch, which is a very unsecure.
I tried to ask a software developer to provide a static download link to a fixed version but unfortunately it didn't work out.

[AgentK7]

Yeah, that would be a problem but as already said

many publishers are doing it this way. Unfortunatly any solution that comes up my mind would pose a risk one way or another.

[ChungZH]

Maybe winget can learn from apt or other package managers, store the installer itself.
When the software is updated, let the contributors update him in winget repo!

[jamierocks]

Maybe winget can learn from apt or other package managers, store the installer itself.
When the software is updated, let the contributors update him in winget repo!

The problem then becomes redistribution rights.

[AgentK7]

And an Automatic Rehashing and update of the Manifest would pose a security risk because Microsoft can't know IF a Installer was simply updated OR swapped aut with an malicious one.

[jamierocks]

And an Automatic Rehashing and update of the Manifest would pose a security risk because Microsoft can't know IF a Installer was simply updated OR swapped aut with an malicious one.

Could always handle this by creating proposed PRS on this repo, that would need manual verification to merge.

[ghost]

Some related issues: #278, #295, #627, microsoft/winget-cli#147, microsoft/winget-cli#307.

Also, as a suggestion, you may like to change the issue title to something more specific like "Hash verification will fail if a package updated without changing download path".

[denelon]

We've implemented some automation to check when installers have changed behind vanity URLs. We generate a new manifest and if it passes validation, it gets merged.

[ghost]

This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 7 days. It will be closed if no further activity occurs within 7 days of this comment.

[lychichem]

We've implemented some automation to check when installers have changed behind vanity URLs. We generate a new manifest and if it passes validation, it gets merged.

I have made two PRs to update tencent.wechat, but all of them fails at hash verification. And the bot didn't update the manifest too. So I wonder how long the pipeline caches a certain version installer? Or the donload site will provide an old installer to the pipeline server?