Something needs to be done with software that have non-versioned url

[soredake]

Having non-versioned url's will inevitably lead to hash mismatch and something needs to be done with it, there are software that frequently updates like google drive or ea desktop and that leads to hash mismatch until manifest is updated or --ignore-security-hash is passed, but i don't think just using --ignore-security-hash forever for this software is good (wasting trying to install it without this option just to see hash mismatch is too).

Very bad from security perspective but good from usability is to add IgnoreHash: yes option to manifest schema to just skip manifest check for such software.

List of software with non-versioned url:
https://github.com/microsoft/winget-pkgs/blob/9378991ea1a91ad86042f28504579276ecb61a55/manifests/p/Parsec/Parsec/150-87d/Parsec.Parsec.installer.yaml#L15
https://github.com/microsoft/winget-pkgs/blob/7d9b8ebe1ad3eab1478efd99fc163025a4e86c7f/manifests/e/ElectronicArts/EADesktop/12.198.0.5455/ElectronicArts.EADesktop.installer.yaml#L21
https://github.com/microsoft/winget-pkgs/blob/4863cf70066336012f01f5069555732ba2bf2f74/manifests/v/Valve/Steam/2.10.91.91/Valve.Steam.installer.yaml#L18
https://github.com/microsoft/winget-pkgs/blob/0a9168e81c2b5f2802c5cb8f73aec3dfc697a42c/manifests/a/AppWork/JDownloader/2.0/AppWork.JDownloader.installer.yaml#L18
https://github.com/microsoft/winget-pkgs/blob/0a9168e81c2b5f2802c5cb8f73aec3dfc697a42c/manifests/g/Google/Drive/75.0.3.0/Google.Drive.installer.yaml#L22
https://github.com/microsoft/winget-pkgs/blob/0a9168e81c2b5f2802c5cb8f73aec3dfc697a42c/manifests/i/ItchIo/Itch/25.5.1/ItchIo.Itch.installer.yaml#L19
https://github.com/microsoft/winget-pkgs/blob/1a1cc5b7f103257e0c62082b227ef5c96bf6a6ea/manifests/g/Google/Chrome/114.0.5735.110/Google.Chrome.installer.yaml#L28

[soredake]

Ran into this again with ea app:

[denelon]

It's unlikely we would ignore the SHA256 check by default or specify that behavior in a manifest. We don't always know which packages have what we're calling a "vanity URL".

In some cases, even what appears to be a versioned URL will have a hash mismatch when a publisher updates the binary it's pointing to.

We've created a couple of related Issues, but they haven't received much attention in terms of 👍 to raise priority.

• Provide mechanism to report SHA256 mismatch #870
• Cannot override installer hash as admin. Even if EnableLua = 0 (UAC OFF) #715
• Use of installer hashes causes frequent errors. Instead, rely on signatures in binary. #714

We do perform daily scans for all installer URLs to detect and autocorrect where we can.

[timber-schroeder]

They don't get many 👍 because most people, like myself, are just going to control-click the link directly above the error and manually install the package in question without winget. Or use choco. I only looked up this issue after about the twentieth time of it occurring.

If you need more thumbs up votes to assign this internally, print a link to #714 right after the hash mismatch. You will get plenty. (Fun fact, this is what the Azure portal team does when they want another team to implement something...)

[blackgis]

Ok, bu what can we do now?
I deinstalled it completely, tried to reinstall via winget - so clearly the autocorrect is not working in this case as i get literally the same error message.
Pls give us an advice, i loved it so far.
Any chance to exclude it permanently?

[denelon]

You could create a request over at winget-pkgs for someone to update the manifest.

We've been having problems with the code we have to fix it automatically. We're testing the fix now, so it should be up and running again soon™️

[stephengillie]

On the approval end, there is awareness of these. If an action is decided, it can easily be implemented:

An example from the current log:

Timestmp	PR#	PackageIdentifier	prVersion	A	R	G	W	F	I	D	V	ManifestVer	OK
7:06:40	141808	Microsoft.PowerBI	2.126.1261.0	A	R	+	W	1	-	D	99	2.126.927.0	OK

The I check (between F and D) checks if the prVersion is in the InstallerUrl. In addition to changing the output I to a - (or + if it matches), it could block approval and add a PR comment.