From fd86416e635aef393d6e0f673f5399824447bdd2 Mon Sep 17 00:00:00 2001
From: Stephen Valdinger
Date: Wed, 9 Oct 2024 15:09:50 -0400
Subject: [PATCH 1/2] (#153) Enable FIPS if required
If we detect that FIPS is enabled on a system when we install Chocolatey, we should also configure Chocolatey to use FIPs-compliant checksums. Without enabling this feature, package installations will fail as Chocolatey will not use a compliant hashing mechanism.
---
 OfflineInstallPreparation.ps1 | 4 ++--
 modules/C4B-Environment/C4B-Environment.psm1 | 10 ++++++++++
 scripts/ClientSetup.ps1 | 7 +++++++
 3 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/OfflineInstallPreparation.ps1 b/OfflineInstallPreparation.ps1
index 733f4f6..e574079 100644
--- a/OfflineInstallPreparation.ps1
+++ b/OfflineInstallPreparation.ps1
@@ -60,8 +60,6 @@ $ErrorActionPreference = "Stop"
 $ProgressPreference = "SilentlyContinue"
 $LicensePath = Convert-Path $LicensePath
-Import-Module $PSScriptRoot\modules\C4B-Environment
-
 $ChocoInstallScript = Join-Path $PSScriptRoot "scripts\ChocolateyInstall.ps1"
 if (-not (Test-Path $ChocoInstallScript)) {
 Invoke-WebRequest -Uri 'https://chocolatey.org/install.ps1' -OutFile $ChocoInstallScript
@@ -80,6 +78,8 @@ if ($Signature.Status -eq 'Valid' -and $Signature.SignerCertificate.Subject -eq
 Write-Error "ChocolateyInstall.ps1 script signature is not valid. Please investigate." -ErrorAction Stop
 }
+Import-Module $PSScriptRoot\modules\C4B-Environment -Force
+
 # Initialize environment, ensure Chocolatey For Business, etc.
 $Licensed = ($($(choco.exe)[0] -match "^Chocolatey (?\S+)\s*(?Business)?$") -and $Matches.LicenseType)
 $InstalledLicensePath = "$env:ChocolateyInstall\license\chocolatey.license.xml"
diff --git a/modules/C4B-Environment/C4B-Environment.psm1 b/modules/C4B-Environment/C4B-Environment.psm1
index f462014..04ff72e 100644
--- a/modules/C4B-Environment/C4B-Environment.psm1
+++ b/modules/C4B-Environment/C4B-Environment.psm1
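Review bot: The relocated `Import-Module $PSScriptRoot\modules\C4B-Environment -Force` line carries no comment, yet its new position is load-bearing: in this same commit the module gains import-time code that reads `$env:ChocolateyInstall\config\chocolatey.config` and may call `Invoke-Choco`, guarded only by `$env:ChocolateyInstall` being set, so where the import sits relative to the Chocolatey install decides whether that check runs. A comment above the line would stop a later tidy-up from moving it back, e.g. `# Import after the install script is verified; the module performs a FIPS check against the existing Chocolatey install at import time`. `-Force` also deserves a word on why a re-import of an already-loaded module is wanted here (a stale copy in the session, presumably). The first hunk of this file, which removes the original import, is the other half of the same move.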
@@ -2319,4 +2319,14 @@ function Install-ChocolateyAgent {
 }
 #endregion
+# Check for and configure FIPS enforcement, if required.
+if (
+ (Get-ItemPropertyValue -Path "HKLM:\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy" -Name Enabled) -eq 1 -and
+ $env:ChocolateyInstall -and
+ -not [bool]::Parse(([xml](Get-Content $env:ChocolateyInstall\config\chocolatey.config)).chocolatey.features.feature.Where{$_.Name -eq 'useFipsCompliantChecksums'}.Enabled)
+) {
+ Write-Warning -Message "FIPS is enabled on this system. Ensuring Chocolatey uses FIPS compliant checksums"
+ Invoke-Choco feature enable --name='useFipsCompliantChecksums'
+}
+
 Export-ModuleMember -Function "*"
\ No newline at end of file
diff --git a/scripts/ClientSetup.ps1 b/scripts/ClientSetup.ps1
index 5f37979..2371808 100644
--- a/scripts/ClientSetup.ps1
+++ b/scripts/ClientSetup.ps1
@@ -105,6 +105,13 @@ $script = $webClient.DownloadString("https://${hostAddress}/repository/choco-ins
 # Run the Chocolatey Install script with the parameters provided
 & ([scriptblock]::Create($script)) @params
+# If FIPS is enabled, configure Chocolatey to use FIPS compliant checksums
+$fipsStatus = Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy" -Name Enabled
+if ($fipsStatus.Enabled -eq 1) {
+ Write-Warning -Message "FIPS is enabled on this system. Ensuring Chocolatey uses FIPS compliant checksums"
+ choco feature enable --name='useFipsCompliantChecksums'
+}
+
 choco config set cacheLocation $env:ChocolateyInstall\choco-cache
 choco config set commandExecutionTimeoutSeconds 14400
From 12b2c0ea827e57f4a383fc92121bc799765ad5f9 Mon Sep 17 00:00:00 2001
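Review bot: The new module-scope `if (` block runs on every `Import-Module` with no error handling, so a failure inside it breaks the import instead of skipping the FIPS step: once the registry value is 1 and `$env:ChocolateyInstall` is set, `[bool]::Parse(...)` is handed an empty value when the `useFipsCompliantChecksums` feature node is absent from chocolatey.config (or, most likely, when the file itself cannot be read) and throws, and the `Get-ItemPropertyValue` read of the `FipsAlgorithmPolicy` key has no `-ErrorAction` either. Because the setting being enforced is a security one (FIPS-compliant checksums, without which installs fail per the commit message), a missing feature node should count as "not enabled" and lead to the enable call rather than to an import error. The rewrite below keeps the same outcome on the happy path and turns every other failure into a skipped check; `Invoke-Choco` is presumably the module's own choco.exe wrapper (defined outside the hunk), so its exit handling is relied on as-is.
```powershell
# Check for and configure FIPS enforcement, if required.
# Runs at import time; any failure here is a skipped check, never a failed import.
$fipsEnabled = (Get-ItemPropertyValue -Path "HKLM:\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy" -Name Enabled -ErrorAction SilentlyContinue) -eq 1
$chocoConfig = if ($env:ChocolateyInstall) { Join-Path $env:ChocolateyInstall 'config\chocolatey.config' }
if ($fipsEnabled -and $chocoConfig -and (Test-Path $chocoConfig)) {
    $feature = ([xml](Get-Content $chocoConfig)).chocolatey.features.feature.Where{$_.Name -eq 'useFipsCompliantChecksums'}
    # A missing feature node counts as "not enabled"; [bool]::Parse would throw on it.
    if (-not $feature -or -not [bool]::Parse($feature.Enabled)) {
        Write-Warning -Message "FIPS is enabled on this system. Ensuring Chocolatey uses FIPS compliant checksums"
        Invoke-Choco feature enable --name='useFipsCompliantChecksums'
    }
}
# … unchanged: Export-ModuleMember -Function "*" …
```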
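Review bot: `$fipsStatus = Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy" -Name Enabled` has no `-ErrorAction`, so on an image where that key or value is absent the read raises an error instead of yielding a skipped check; if ClientSetup.ps1 runs under `$ErrorActionPreference = 'Stop'` (not visible in the hunk) that aborts client setup right after the install script has run. Appending `-ErrorAction SilentlyContinue` keeps the check best-effort, since a missing value then makes `$fipsStatus.Enabled -eq 1` false. The result of `choco feature enable --name='useFipsCompliantChecksums'` is not checked either; on a FIPS host a failed enable leaves later package installs failing as the commit message describes, so `$LASTEXITCODE` after the call merits at least a warning. The same detection now exists in C4B-Environment.psm1 in a different shape; a one-line comment here noting that this script is standalone and deliberately does not import the module would explain the duplication to the next reader.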
From: James Ruskin
Date: Fri, 18 Oct 2024 10:52:43 +0100
Subject: [PATCH 2/2] (fix) Pester Package is Broken by Internalization
The Pester package breaks when you internalize it, due to the added code at the top of the chocolateyInstall script. This commit ensures the package is not internalized.
---
 files/chocolatey.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/files/chocolatey.json b/files/chocolatey.json
index 25e177e..ebf4f14 100644
--- a/files/chocolatey.json
+++ b/files/chocolatey.json
@@ -24,7 +24,7 @@
 { "name": "KB3035131", "internalize": false },
 { "name": "microsoft-edge" },
 { "name": "nexus-repository" },
- { "name": "pester" },
+ { "name": "pester", "internalize": false },
 { "name": "sql-server-express" },
 { "name": "temurin21jre" },
 { "name": "vcredist140" }