
SHA-256 collisions between different installer URLs, for different architectures, are not flagged as a manifest bug? #2852

@R-Adrian

Description


Brief description of your issue

winget currently does not flag it as a manifest warning/error when it encounters the same SHA-256 checksum for installers for different CPU architectures?

This can lead to 64-bit programs being "upgraded" to 32-bit versions.

Steps to reproduce

Have something like this in a package manifest (same checksum, different installer URLs, different architectures):

Installers:
- Architecture: x64
  InstallerUrl: https://edge.dropboxstatic.com/dbx-releng/client/Dropbox%20165.4.4300%20Offline%20Installer.exe
  InstallerSha256: 6AFE5324E7D2C18D565B2E5BBD98853C8CCD44DA3F0DCE03608B54DBBBCA6D1F
- Architecture: x86
  InstallerUrl: https://edge.dropboxstatic.com/dbx-releng/client/Dropbox%20165.4.4300%20Offline%20Installer.x86.exe
  InstallerSha256: 6AFE5324E7D2C18D565B2E5BBD98853C8CCD44DA3F0DCE03608B54DBBBCA6D1F

also, see issue microsoft/winget-pkgs#93678

Expected behavior

At least show a warning message in the console about the same checksum being present in the manifest file, but for different CPU architectures.

Actual behavior

Because the manifest specifies the same installer for different architectures, winget behaves "normally" and "upgrades" a 64-bit program to a 32-bit version.
This might be "normal" for some programs that detect the architecture directly in the installer, but not all of them do. Those that can detect this should have a warning-suppression flag in the manifest for it.

Case in point: the Dropbox installer from the manifest quoted above will happily "upgrade" a 64-bit version to a 32-bit one, because the winget manifest specifies the same file for both x86 and x64 architectures.

Environment

> winget --info
Windows Package Manager (Preview) v1.5.101-preview
Copyright (c) Microsoft Corporation. All rights reserved.

Windows: Windows.Desktop v10.0.19045.2486
System Architecture: X64
Package: Microsoft.DesktopAppInstaller v1.20.101.0

Logs: %LOCALAPPDATA%\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\DiagOutputDir

User Settings: %LOCALAPPDATA%\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\settings.json

Links
---------------------------------------------------------------------------
Privacy Statement   https://aka.ms/winget-privacy
License Agreement   https://aka.ms/winget-license
Third Party Notices https://aka.ms/winget-3rdPartyNotice
Homepage            https://aka.ms/winget
Windows Store Terms https://www.microsoft.com/en-us/storedocs/terms-of-sale
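The check the issue asks for, as an added example that is not winget's own validation code: group the manifest's installer entries by InstallerSha256 and warn when one hash is declared under more than one Architecture value. A SHA-256 identifies file content, so two entries with different URLs but the same hash are byte-for-byte the same binary, and that binary can only be correct for both architectures if it is genuinely architecture-neutral. The manifest fragment is the one quoted in the issue; the second, clean manifest and its 0F1E... hash are constructed for the example; the parser only handles the flat `Installers:` list shape shown above (a real validator would use a YAML library).

```python
"""Added example (not winget project code): flag an InstallerSha256 that a
winget manifest reuses across different architectures."""
from collections import defaultdict

# Fragment modelled on the manifest quoted in the issue (x64 and x86 entries
# with different URLs but the same hash).
MANIFEST = """\
PackageIdentifier: Dropbox.Dropbox
PackageVersion: 165.4.4300
Installers:
- Architecture: x64
  InstallerUrl: https://edge.dropboxstatic.com/dbx-releng/client/Dropbox%20165.4.4300%20Offline%20Installer.exe
  InstallerSha256: 6AFE5324E7D2C18D565B2E5BBD98853C8CCD44DA3F0DCE03608B54DBBBCA6D1F
- Architecture: x86
  InstallerUrl: https://edge.dropboxstatic.com/dbx-releng/client/Dropbox%20165.4.4300%20Offline%20Installer.x86.exe
  InstallerSha256: 6AFE5324E7D2C18D565B2E5BBD98853C8CCD44DA3F0DCE03608B54DBBBCA6D1F
ManifestType: installer
ManifestVersion: 1.4.0
"""

# Constructed clean manifest: the same hash appears twice, but only under x64
# (two scopes of one file), and x86 has its own (made-up) hash. Not flagged.
CLEAN_MANIFEST = """\
Installers:
- Architecture: x64
  Scope: user
  InstallerUrl: https://example.invalid/app-x64.exe
  InstallerSha256: 6AFE5324E7D2C18D565B2E5BBD98853C8CCD44DA3F0DCE03608B54DBBBCA6D1F
- Architecture: x64
  Scope: machine
  InstallerUrl: https://example.invalid/app-x64.exe
  InstallerSha256: 6AFE5324E7D2C18D565B2E5BBD98853C8CCD44DA3F0DCE03608B54DBBBCA6D1F
- Architecture: x86
  InstallerUrl: https://example.invalid/app-x86.exe
  InstallerSha256: 0F1E2D3C4B5A69788796A5B4C3D2E1F00F1E2D3C4B5A69788796A5B4C3D2E1F0
ManifestType: installer
"""


def parse_installers(text):
    """Minimal parser for a flat 'Installers:' list of 'Key: value' pairs.
    Returns a list of dicts, one per '- ' entry, in manifest order."""
    installers = []
    current = None
    in_block = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line == "Installers:":
            in_block = True
            continue
        if not in_block:
            continue
        if line.startswith("- "):           # new list entry
            current = {}
            installers.append(current)
            line = "  " + line[2:]           # treat first key like the rest
        if line.startswith("  ") and current is not None:
            # partition on the first ':' so URLs keep their own ':' characters
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
        elif line:                           # top-level key: block is over
            break
    return installers


def find_shared_hashes(installers):
    """Map each SHA-256 to the set of architectures declaring it and return
    only the hashes used by more than one architecture."""
    by_hash = defaultdict(set)
    for inst in installers:
        sha = inst.get("InstallerSha256", "").upper()
        by_hash[sha].add(inst.get("Architecture", "?"))
    return {sha: sorted(archs) for sha, archs in by_hash.items() if len(archs) > 1}


def lint(text):
    """Return one warning string per hash that is reused across architectures."""
    warnings = []
    for sha, archs in find_shared_hashes(parse_installers(text)).items():
        warnings.append(
            f"InstallerSha256 {sha[:12]}... is declared for {', '.join(archs)}: "
            "identical bytes cannot be architecture-specific binaries; verify the "
            "installer or declare it once as architecture-neutral"
        )
    return warnings


if __name__ == "__main__":
    for name, manifest in (("issue manifest", MANIFEST), ("clean manifest", CLEAN_MANIFEST)):
        print(f"{name}: {lint(manifest) or ['no warnings']}")
```

The grouping is by hash rather than by URL on purpose: two URLs that serve identical bytes are the same installer whatever their names suggest, which is exactly the Dropbox case above. Reusing one hash under a single architecture (the user and machine scope entries in the clean manifest) is legitimate and stays silent. For an installer that really does detect the architecture itself, the manifest schema's `neutral` Architecture value describes it once without needing a suppression flag; that value is assumed here, not something the issue discusses.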

Labels

In-PR: Issue related to a PR
Issue-Bug: It either shouldn't be doing this or needs an investigation.