How insecure or troublesome are --ignore-hash and --ignore-checksums arguements when installing packages via package managers?


C

CSharpDev

Banned
Local time
3:58 PM
Posts
105
OS
Win11
I am using Chocolatey. Problem is that some packages don't install due to either a hash mismatch or a checksum mismatch or both. I have 3 options:

1) --ignore-hash

2) --ignore-checksums

3) just leave out the version eg choco install ea or choco install bethesda

On a non-enterprise system, how troublesome is passing these 2 arguements inside the script if I use sth like Chocolatey which is an open-source windows package manager? I also use Kaspersky Total Security
 

My Computer

System One

  • OS
    Win11
DO NOT ! If you use either, it is like saying: Install any malware on my system, I do not care.
 

My Computer

System One

  • OS
    Windows 11 Home
    Computer type
    PC/Desktop
    CPU
    AMD Ryzen 5 8600G (07/24)
    Motherboard
    ASROCK B650M-HDV/M.2 3.15 (07/24)
    Memory
    2x32GB Kingston FURY DDR5 5600 MHz CL36 @4800 CL40 (07/24)
    Graphics Card(s)
    ASROCK Radeon RX 6600 Challenger D 8G @60FPS (08/24)
    Sound Card
    Creative Sound BlasterX AE-5 Plus (05/24)
    Monitor(s) Displays
    24" Philips 24M1N3200ZS/00 (05/24)
    Screen Resolution
    1920×1080@165Hz via DP1.4
    Hard Drives
    Kingston KC3000 NVMe 2TB (05/24)
    ADATA XPG GAMMIX S11 Pro 512GB (07/19)
    PSU
    Seasonic Core GM 550 Gold (04/24)
    Case
    Fractal Design Define 7 Mini with 3x Noctua NF-P14s/12@555rpm (04/24)
    Cooling
    Noctua NH-U12S with Noctua NF-P12 (04/24)
    Keyboard
    HP Pavilion Wired Keyboard 300 (07/24) + Rabalux 76017 Parker (01/24)
    Mouse
    Logitech M330 Silent Plus (04/23)
    Internet Speed
    500/100 Mbps via RouterOS (05/21) & TCP Optimizer
    Browser
    Edge & Brave for YouTube & LibreWolf for FB
    Antivirus
    NextDNS
    Other Info
    Backup: Hasleo Backup Suite (PreOS)
    Headphones: Sennheiser RS170 (09/10)
    Phone: Samsung Galaxy Xcover 7 (02/24)
    Chair: Huzaro Force 4.4 Grey Mesh (05/24)
    Notifier: Xiaomi Mi Band 9 Milanese (10/24)
    2nd Monitor: AOC G2460VQ6 @75Hz (02/19)
Some Chocolatey packages won't install because they're using a static referrer URL, and the underlying download file has been replaced by the vendor. You have three options:

1. Wait for someone to resubmit this Chocolatey package, with an updated hash in the manifest.
2. If the software vendor provides static URL's for version builds, sometimes there will be a [product]-[version] package. Those are unlikely to have the source installer's hash change over time. This is the preferred option, but it may not always be available.
3. Ignore the manifest's current hash values.
 

My Computer

System One

  • OS
    Windows 7
garlin said:
Some Chocolatey packages won't install because they're using a static referrer URL, and the underlying download file has been replaced by the vendor. You have three options:

1. Wait for someone to resubmit this Chocolatey package, with an updated hash in the manifest.
2. If the software vendor provides static URL's for version builds, sometimes there will be a [product]-[version] package. Those are unlikely to have the source installer's hash change over time. This is the preferred option, but it may not always be available.
3. Ignore the manifest's current hash values.
Click to expand...
Yes that's exactly what I meant to say.

Regarding #3, do you mean I can pass --ignore-hash but I shouldn't use --ignore-checksums?
 

My Computer

System One

  • OS
    Win11
TairikuOkami said:
DO NOT ! If you use either, it is like saying: Install any malware on my system, I do not care.
Click to expand...
Wouldn't my AV catch them tho? The firewall built into the suite has these non-signed or not-validly-signed (so to speak maybe im wording it incorrectly) .exe's running with very few privileges for this exact reason
 

My Computer

System One

  • OS
    Win11
CSharpDev said:
Wouldn't my AV catch them tho?
Click to expand...
That is like 50:50, depending on your AV, AV would catch up eventually, but you might get infected in the meantime.
CCleaner owned by Avast/AVG/Norton AV was infected and distributed malware for months and no one had noticed.
www.bleepingcomputer.com

CCleaner Malware Incident - What You Need to Know and How to Remove

This article contains information and answers to frequently asked questions regarding the CCleaner malware incident and how to remove the malware-laced CCleaner version.
www.bleepingcomputer.com www.bleepingcomputer.com
 

My Computer

System One

  • OS
    Windows 11 Home
    Computer type
    PC/Desktop
    CPU
    AMD Ryzen 5 8600G (07/24)
    Motherboard
    ASROCK B650M-HDV/M.2 3.15 (07/24)
    Memory
    2x32GB Kingston FURY DDR5 5600 MHz CL36 @4800 CL40 (07/24)
    Graphics Card(s)
    ASROCK Radeon RX 6600 Challenger D 8G @60FPS (08/24)
    Sound Card
    Creative Sound BlasterX AE-5 Plus (05/24)
    Monitor(s) Displays
    24" Philips 24M1N3200ZS/00 (05/24)
    Screen Resolution
    1920×1080@165Hz via DP1.4
    Hard Drives
    Kingston KC3000 NVMe 2TB (05/24)
    ADATA XPG GAMMIX S11 Pro 512GB (07/19)
    PSU
    Seasonic Core GM 550 Gold (04/24)
    Case
    Fractal Design Define 7 Mini with 3x Noctua NF-P14s/12@555rpm (04/24)
    Cooling
    Noctua NH-U12S with Noctua NF-P12 (04/24)
    Keyboard
    HP Pavilion Wired Keyboard 300 (07/24) + Rabalux 76017 Parker (01/24)
    Mouse
    Logitech M330 Silent Plus (04/23)
    Internet Speed
    500/100 Mbps via RouterOS (05/21) & TCP Optimizer
    Browser
    Edge & Brave for YouTube & LibreWolf for FB
    Antivirus
    NextDNS
    Other Info
    Backup: Hasleo Backup Suite (PreOS)
    Headphones: Sennheiser RS170 (09/10)
    Phone: Samsung Galaxy Xcover 7 (02/24)
    Chair: Huzaro Force 4.4 Grey Mesh (05/24)
    Notifier: Xiaomi Mi Band 9 Milanese (10/24)
    2nd Monitor: AOC G2460VQ6 @75Hz (02/19)
CSharpDev said:
Wouldn't my AV catch them tho?
Click to expand...
Never count on your AV to catch anything, malware writers pay a lot of attention to make their malware undetectable!
If they can't do that they don't distribute it.
 

My Computer

System One

  • OS
    Windows 11 Pro 23H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    MSI / MS-7B29
    CPU
    Intel i3 8100 @3.6Ghz
    Motherboard
    H310M PRO-VDH (MS-7B29)
    Memory
    1 x 16GB DDR4 @2400 MHz
    Graphics Card(s)
    Nvidia GeForce GT 1030 2GB SDDR4
    Sound Card
    Realtek VEN_10EC&DEV_0887 / NVIDIA VEN_10DE&DEV_0081
    Monitor(s) Displays
    Acer V226HQL
    Screen Resolution
    1920 x 1080
    Hard Drives
    SSD 500 GB Crucial MX500 / HDD 1 TB TOSHIBA DT01ACA100
    PSU
    ATX, details unknown
    Case
    Everest 551B
    Cooling
    details unknown
    Keyboard
    Mechanical Gaming Hydra R7 - Rampage
    Mouse
    Logitech G703
    Internet Speed
    Down: 28Mbps / Up: 19Mbps
    Browser
    Microsoft Edge
    Antivirus
    Microsoft Defender Antivirus
    Other Info
    Bluetooth: TP Link 5.0 Nano USB adapter UB500
    WLAN: D-Link 150 Pico USB adapter, N standard
    Web camera: Logitech C270 HD 720p @30fps
    Microphone: Trust MICO, model 23790
Indeed, what @zebal said. I keep a fire extinguisher in my kitchen, but I’d rather my kitchen not catch fire in the first place.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 24H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Intel NUC12WSHi7
    CPU
    12th Gen Intel Core i7-1260P, 2100 MHz
    Motherboard
    NUC12WSBi7
    Memory
    64 GB
    Graphics Card(s)
    Intel Iris Xe
    Sound Card
    built-in Realtek HD audio
    Monitor(s) Displays
    Dell U3219Q
    Screen Resolution
    3840x2160 @ 60Hz
    Hard Drives
    Samsung SSD 990 PRO 1TB
    Keyboard
    CODE 104-Key Mechanical with Cherry MX Clears
    Antivirus
    Microsoft Defender
  • Operating System
    Linux Mint 21.2 (Cinnamon)
    Computer type
    PC/Desktop
    Manufacturer/Model
    Intel NUC8i5BEH
    CPU
    Intel Core i5-8259U CPU @ 2.30GHz
    Memory
    32 GB
    Graphics card(s)
    Iris Plus 655
    Keyboard
    CODE 104-Key Mechanical with Cherry MX Clears
pseymour said:
’d rather my kitchen not catch fire in the first place.
Click to expand...
Agree! To add to that I wouldn't want to knowingly leave a pan of grease on the stove and chance setting fire to my kitchen myself.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 24H2 26100.2314
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 7080
    CPU
    i9-10900 10 core 20 threads
    Motherboard
    DELL 0J37VM
    Memory
    32 gb
    Graphics Card(s)
    none-Intel UHD Graphics 630
    Sound Card
    Integrated Realtek
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    1tb Solidigm m.2 nvme+256gb SKHynix m.2 nvme /External drives 512gb Samsung m.2 sata+1tb Kingston m2.nvme+ 4gb Solidigm nvme
    PSU
    500w
    Case
    MT
    Cooling
    Dell Premium
    Keyboard
    Logitech wired
    Mouse
    Logitech wireless
    Internet Speed
    so slow I'm too embarrassed to tell
    Browser
    Firefox
    Antivirus
    Defender+MWB Premium
  • Operating System
    Windows 10 Pro 22H2 19045.3930
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 9020
    CPU
    i7-4770
    Memory
    24 gb
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    256 gb Toshiba BG4 M.2 NVE SSB and 1 tb hdd
    PSU
    500w
    Case
    MT
    Cooling
    Dell factory
    Mouse
    Logitech wireless
    Keyboard
    Logitech wired
    Internet Speed
    still not telling
    Browser
    Firefox
    Antivirus
    Defender+MWB Premium
You must log in or register to reply here.

Latest Support Threads

Latest Tutorials

Back
Top Bottom