Allow hashing files for checksums with FIPS compliant algorithms #446
Comments
ferventcoder
changed the title
|
Hi there, We are having this issue at our organization. Is there any chance that this will be fixed to be a FIPS compliant hashing algorithm in the future? |
|
Note the milestone on the right. Note that is the next version. :) |
|
In 0.9.10, set feature flag
|
|
This was not made a default as it could have undesirable effects. Since everything choco is doing is related to setting and verifying checksums, it really isn't part of what FIPS was meant to combat and isn't out of compliance in doing what it does. However, it's still a good idea to allow folks to have a stronger checksum algorithm. https://blogs.technet.microsoft.com/secguide/2014/04/07/why-were-not-recommending-fips-mode-anymore/
|
Opt out the checksum.exe tool from FIPS algorithm policy because it is not in violation of the standard - because it doesn't do anything with encryption or crypto, other than hash a file to determine a way to uniquely identify it. Unfortunately the .NET Framework doesn't have a good way to verify this is the case and the Managed cryptos (SHA256Managed vs SHA256Cng) were never submitted to NIST, so they are not considered compliant. That's somewhat beside the point - it doesn't matter what is used for checksumming, it doesn't violate FIPS because it is only checksumming. "The .NET Framework's enforcement of FIPS mode cannot tell whether any particular use of a cryptographic class is not for security purposes and thus not in violation of standards." - Aaron Margosis, MSFT, "Why We're Not Recommending 'FIPS Mode' Anymore" - https://blogs.technet.microsoft.com/secguide/2014/04/07/why-were-not-recommending-fips-mode-anymore/
Chocolatey should function in organizations that require FIPS compliant algorithms. Although most of what Chocolatey does with the Crytpo provider is about hashing files and checksums, in the future that could change, so choco needs to have a feature flip to use a compliant algorithm. Provide a helpful warning and error message when the exception detected is about FIPS. This will help folks running into this error have a helpful path forward to getting it enabled. Unfortunately, enabling it by default could have unintended side effects for existing choco installs that have been tracking current package files, plus it does have a bit more of a performance consideration (although still really fast) because it needs to use P/Invoke methods to use the native Windows systems calls. To turn it on, run the following command in 0.9.10+: `choco feature enable -n useFipsCompliantChecksums`
|
Please how can I fix this error: "The registered delegate for type IXmlService threw an exception. The registered delegate for type IHashProvider threw an exce |
https://groups.google.com/d/msgid/chocolatey/b5ce3f6e-228e-4947-be17-0dd201e05716%40googlegroups.com?utm_medium=email&utm_source=footer
You may see this with the error:
Error deserializing response of type chocolatey.infrastructure.app.configuration.ConfigFileSettings.The text was updated successfully, but these errors were encountered: