(#153) Enable FIPS if required

If we detect that FIPS is enabled on a system when we install Chocolatey, we should also configure Chocolatey to use FIPs-compliant checksums. Without enabling this feature, package installations will fail as Chocolatey will not use a compliant hashing mechanism.
chocolatey · Oct 18, 2024 · fd86416 · fd86416
1 parent c446da8
commit fd86416
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 2 deletions.
diff --git a/OfflineInstallPreparation.ps1 b/OfflineInstallPreparation.ps1
@@ -60,8 +60,6 @@ $ErrorActionPreference = "Stop"
 $ProgressPreference = "SilentlyContinue"
 $LicensePath = Convert-Path $LicensePath
 
-Import-Module $PSScriptRoot\modules\C4B-Environment
-
 $ChocoInstallScript = Join-Path $PSScriptRoot "scripts\ChocolateyInstall.ps1"
 if (-not (Test-Path $ChocoInstallScript)) {
     Invoke-WebRequest -Uri 'https://chocolatey.org/install.ps1' -OutFile $ChocoInstallScript
@@ -80,6 +78,8 @@ if ($Signature.Status -eq 'Valid' -and $Signature.SignerCertificate.Subject -eq
     Write-Error "ChocolateyInstall.ps1 script signature is not valid. Please investigate." -ErrorAction Stop
 }
 
+Import-Module $PSScriptRoot\modules\C4B-Environment -Force
+
 # Initialize environment, ensure Chocolatey For Business, etc.
 $Licensed = ($($(choco.exe)[0] -match "^Chocolatey (?<Version>\S+)\s*(?<LicenseType>Business)?$") -and $Matches.LicenseType)
 $InstalledLicensePath = "$env:ChocolateyInstall\license\chocolatey.license.xml"

diff --git a/modules/C4B-Environment/C4B-Environment.psm1 b/modules/C4B-Environment/C4B-Environment.psm1
@@ -2319,4 +2319,14 @@ function Install-ChocolateyAgent {
 }
 #endregion
 
+# Check for and configure FIPS enforcement, if required.
+if (
+    (Get-ItemPropertyValue -Path "HKLM:\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy" -Name Enabled) -eq 1 -and
+    $env:ChocolateyInstall -and
+    -not [bool]::Parse(([xml](Get-Content $env:ChocolateyInstall\config\chocolatey.config)).chocolatey.features.feature.Where{$_.Name -eq 'useFipsCompliantChecksums'}.Enabled)
+) {
+    Write-Warning -Message "FIPS is enabled on this system. Ensuring Chocolatey uses FIPS compliant checksums"
+    Invoke-Choco feature enable --name='useFipsCompliantChecksums'
+}
+
 Export-ModuleMember -Function "*"
diff --git a/scripts/ClientSetup.ps1 b/scripts/ClientSetup.ps1
@@ -105,6 +105,13 @@ $script = $webClient.DownloadString("https://${hostAddress}/repository/choco-ins
 # Run the Chocolatey Install script with the parameters provided
 & ([scriptblock]::Create($script)) @params
 
+# If FIPS is enabled, configure Chocolatey to use FIPS compliant checksums
+$fipsStatus = Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy" -Name Enabled
+if ($fipsStatus.Enabled -eq 1) {
+    Write-Warning -Message "FIPS is enabled on this system. Ensuring Chocolatey uses FIPS compliant checksums"
+    choco feature enable --name='useFipsCompliantChecksums'
+}
+
 choco config set cacheLocation $env:ChocolateyInstall\choco-cache
 choco config set commandExecutionTimeoutSeconds 14400