Merge pull request #3577 from corbob/fix-authed-package-download

chocolatey · Nov 29, 2024 · b584326 · b584326
2 parents a71108c + 8741836
commit b584326
Show file tree

Hide file tree

Showing 5 changed files with 43 additions and 17 deletions.
diff --git a/nuspec/chocolatey/chocolatey/tools/chocolateysetup.psm1 b/nuspec/chocolatey/chocolatey/tools/chocolateysetup.psm1
@@ -48,6 +48,7 @@ function Remove-ShimWithAuthenticodeSignature {
   $possibleSignatures = @(
     'RealDimensions Software, LLC'
     'Chocolatey Software, Inc\.'
+    'Chocolatey Software, Inc'
   )
 
   $possibleSignatures | ForEach-Object {

diff --git a/src/chocolatey/infrastructure.app/nuget/ChocolateyNugetCredentialProvider.cs b/src/chocolatey/infrastructure.app/nuget/ChocolateyNugetCredentialProvider.cs
@@ -111,7 +111,10 @@ public ICredentials GetCredentials(Uri uri, IWebProxy proxy, CredentialType cred
                     .Where(s => !string.IsNullOrWhiteSpace(s.Username)
                         && !string.IsNullOrWhiteSpace(s.EncryptedPassword)
                         && Uri.TryCreate(s.Key.TrimEnd('/'), UriKind.Absolute, out var trimmedSourceUri)
-                        && Uri.Compare(trimmedSourceUri, trimmedTargetUri, UriComponents.HttpRequestUrl, UriFormat.Unescaped, StringComparison.OrdinalIgnoreCase) == 0)
+                        && (Uri.Compare(trimmedSourceUri, trimmedTargetUri, UriComponents.HttpRequestUrl, UriFormat.Unescaped, StringComparison.OrdinalIgnoreCase) == 0
+                            // If the target starts with a machine source, we're in a scenario where NuGet is now trying to download the package.
+                            // For whatever reason NuGet sometimes forgets the credentials between discovering the package and downloading the package.
+                            || trimmedTargetUri.ToString().StartsWith(trimmedSourceUri.ToString(), StringComparison.OrdinalIgnoreCase)))
                     .ToList();
 
                 if (candidateSources.Count == 1)

diff --git a/tests/pester-tests/BundledApplications.Tests.ps1 b/tests/pester-tests/BundledApplications.Tests.ps1
@@ -8,8 +8,6 @@ Describe 'Ensuring correct version of <Name> is installed' -Tag BundledApplicati
         BeforeAll {
             # Because we're not modifying the install in any way, there is no need to Initialize-ChocolateyTestInstall
             $ToolPath = "$env:ChocolateyInstall/tools/$Name.exe"
-            # TODO: Encapsulate in an environment variable once kitchen-pester has new version - https://github.com/chocolatey/choco/issues/2692
-            $Thumbprint = '83AC7D88C66CB8680BCE802E0F0F5C179722764B'
         }
 
         It 'Should be in Chocolatey tools directory' {
@@ -18,8 +16,17 @@ Describe 'Ensuring correct version of <Name> is installed' -Tag BundledApplicati
 
         It 'Should be appropriately signed' -Skip:(-not $IsSigned) {
             $signature = Get-AuthenticodeSignature -FilePath $ToolPath
-            $signature.Status | Should -Be 'Valid'
-            $signature.SignerCertificate.Thumbprint | Should -Be $Thumbprint
+
+            # For non production builds, the official signing certificate is not in play, so need to
+            # alter the assestion slightly, to account for the fact that UnknownError, is making the
+            # underlying problem, i.e. "A certificate chain processed, but terminated in a root
+            # certificate which is not trusted by the trust provider"
+            if ($signature.SignerCertificate.Issuer -match 'Chocolatey Software, Inc') {
+                $signature.Status | Should -Be 'UnknownError'
+            }
+            elseif ($signature.SignerCertificate.Issuer -match 'DigiCert') {
+                $signature.Status | Should -Be 'Valid'
+            }
         }
 
         It 'Should be version <Version>' {

diff --git a/tests/pester-tests/chocolatey.Tests.ps1 b/tests/pester-tests/chocolatey.Tests.ps1
@@ -1,4 +1,4 @@
-Import-Module helpers/common-helpers
+Import-Module helpers/common-helpers
 
 Describe "Ensuring Chocolatey is correctly installed" -Tag Environment, Chocolatey {
     BeforeDiscovery {
@@ -23,8 +23,7 @@ Describe "Ensuring Chocolatey is correctly installed" -Tag Environment, Chocolat
     }
 
     BeforeAll {
-        # TODO: Both this thumbprint and strong name key should be in an environment variable. Update when new kitchen-pester is available. - https://github.com/chocolatey/choco/issues/2692
-        $ChocolateyThumbprint = '83AC7D88C66CB8680BCE802E0F0F5C179722764B'
+        # TODO: This strong name key should be in an environment variable. Update when new kitchen-pester is available. - https://github.com/chocolatey/choco/issues/2692
         $ChocolateyStrongNameKey = '79d02ea9cad655eb'
         # These lines are part of testing the issue
         # https://github.com/chocolatey/choco/issues/2233
@@ -112,14 +111,20 @@ Describe "Ensuring Chocolatey is correctly installed" -Tag Environment, Chocolat
     # This is skipped when not run in CI because it requires signed executables.
     Context "File signing (<_.FullName>)" -Foreach @($PowerShellFiles; $ExecutableFiles; $StrongNamingKeyFiles) -Skip:((-not $env:TEST_KITCHEN) -or (-not (Test-ChocolateyVersionEqualOrHigherThan "1.0.0"))) {
         BeforeAll {
+            # Due to changes in the signing setup, the certificate used to sign PS1 files and the Chocolatey CLI executable MIGHT be different. This ensures that the both certificates are trusted.
             $FileUnderTest = $_
-            $SignerCert = (Get-AuthenticodeSignature (Get-ChocoPath)).SignerCertificate
+            $Ps1Cert = (Get-AuthenticodeSignature (Join-Path (Split-Path (Split-Path (Get-ChocoPath))) 'helpers/chocolateyScriptRunner.ps1')).SignerCertificate
+            $ExeCert = (Get-AuthenticodeSignature (Get-ChocoPath)).SignerCertificate
             $Cert = "$PWD\cert.cer"
-            # Write out the certificate
-            [IO.File]::WriteAllBytes($Cert, $SignerCert.export([security.cryptography.x509certificates.x509contenttype]::cert))
+            # Write out the exe certificate
+            [IO.File]::WriteAllBytes($Cert, $ExeCert.export([security.cryptography.x509certificates.x509contenttype]::cert))
             # Trust the certificate
             Import-Certificate -FilePath $Cert -CertStoreLocation 'Cert:\CurrentUser\TrustedPublisher\'
             Remove-Item -Path $Cert -Force -ErrorAction Ignore
+            # Write out the ps1 certificate
+            [IO.File]::WriteAllBytes($Cert, $Ps1Cert.export([security.cryptography.x509certificates.x509contenttype]::cert))
+            # Trust the certificate
+            Import-Certificate -FilePath $Cert -CertStoreLocation 'Cert:\CurrentUser\TrustedPublisher\'
         }
 
         AfterAll {
@@ -128,8 +133,17 @@ Describe "Ensuring Chocolatey is correctly installed" -Tag Environment, Chocolat
 
         It "Should be signed with our certificate" -Skip:($_.Name -like 'package*.exe') {
             $authenticodeSignature = Get-AuthenticodeSignature $FileUnderTest
-            $authenticodeSignature.Status | Should -Be 'Valid'
-            $authenticodeSignature.SignerCertificate.Thumbprint | Should -Be $ChocolateyThumbprint
+
+            # For non production builds, the official signing certificate is not in play, so need to
+            # alter the assestion slightly, to account for the fact that UnknownError, is making the
+            # underlying problem, i.e. "A certificate chain processed, but terminated in a root
+            # certificate which is not trusted by the trust provider"
+            if ($authenticodeSignature.SignerCertificate.Issuer -match 'Chocolatey Software, Inc') {
+                $authenticodeSignature.Status | Should -Be 'UnknownError'
+            }
+            elseif ($authenticodeSignature.SignerCertificate.Issuer -match 'DigiCert') {
+                $authenticodeSignature.Status | Should -Be 'Valid'
+            }
         }
 
         It "Should be strongly named with our strong name key" -Skip:($_ -notin $StrongNamingKeyFilesToCheck) {

diff --git a/tests/pester-tests/commands/choco-push.Tests.ps1 b/tests/pester-tests/commands/choco-push.Tests.ps1
@@ -56,10 +56,11 @@ Describe "choco push" -Tag Chocolatey, PushCommand, ProxySkip -Skip:($null -eq $
         }
 
         It "Should Report the actual cause of the error" {
-            $Output.Lines | Should -Contain "Attempting to push $PackageUnderTest.$VersionUnderTest.nupkg to $RepositoryToUse"
-            $Output.Lines | Should -Contain "An error has occurred. It's possible the package version already exists on the repository or a nuspec element is invalid. See error below..."
-            $Output.String | Should -Match "Failed to process request. '"
-            $Output.Lines | Should -Contain "The remote server returned an error: (409) Conflict.."
+            $Output.Lines | Should -Contain "Attempting to push $PackageUnderTest.$VersionUnderTest.nupkg to $RepositoryToUse" -Because $Output.String
+            # The output seen in Team City differs from when run locally. The following strings are
+            # consistent between both output messages, and should be sufficient to identify issues.
+            $Output.String | Should -Match "An error has occurred. "
+            $Output.String | Should -Match "package version already exists on the repository"
         }
     }