Update chocolatey verification file (Azure#29)

* Choco verification changes * Verification fixes
345paul · Sep 27, 2021 · ae5cc81 · ae5cc81
1 parent 700ec26
commit ae5cc81
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 5 deletions.
diff --git a/.github/workflows/ci-build.yml b/.github/workflows/ci-build.yml
@@ -91,13 +91,14 @@ jobs:
         shell: bash
         run: |         
           cp ./LICENSE ./${{ env.OUTPUT_DIR }}/${{ env.CHOCO_SRC_DIR }}/LICENSE.txt
-          verificationFile=./${{ env.OUTPUT_DIR }}/${{ env.CHOCO_SRC_DIR }}/VERIFICATION.txt
-          touch $verificationFile
+          cp ./VERIFICATION ./${{ env.OUTPUT_DIR }}/${{ env.CHOCO_SRC_DIR }}/VERIFICATION.txt
+          echo "Checksums for the files in the package are:" >> ./${{ env.OUTPUT_DIR }}/${{ env.CHOCO_SRC_DIR }}/VERIFICATION.txt
           find ${{ env.OUTPUT_DIR }}/${{ env.CHOCO_SRC_DIR }} -type f  | 
           while read f
           do
-            filename="$basename -- $f"
-            echo $filename >> $verificationFile
+            filename="$(basename $f) [$f]"
+            filehash=$(sha256sum $f | awk '{print $1}')
+            echo "$filename -- $filehash" >> ./${{ env.OUTPUT_DIR }}/${{ env.CHOCO_SRC_DIR }}/VERIFICATION.txt
           done
 
       - name: Create the Chocolatey packages

diff --git a/VERIFICATION b/VERIFICATION
@@ -0,0 +1,21 @@
+VERIFICATION
+Verification is intended to assist Chocolatey moderators and the Chocolatey community
+in verifying that this package's contents are trustworthy.
+
+This package contains a number of assemblies (DLL) files, along with dependent files.
+This file lists their SHA256 checksums.
+
+There is no other source for installation of these files, other than Chocolatey: 
+The files are built and packaged and uploaded to Chocolatey; other than referenced files (e.g. .NET Core), they do not currently reside in any other public source.
+Therefore, it is not possible to download an installer to compare checksums.
+
+However, the checksums in here are generated as part of the build process,
+and reflect the files that are packaged and submitted to Chocolatey.
+
+It is still worthwhile comparing the checksums in this file to the ones for the files that have been installed by Chocolatey on your local system.
+
+You can use one of the following methods to obtain the checksum from a local file:
+  - Use powershell function 'Get-Filehash'
+  - Use chocolatey utility 'checksum.exe'
+
+File 'LICENSE.txt' is obtained from <https://github.com/Azure/aimtool/blob/main/LICENSE>
diff --git a/build/chocolatey/biztalkmigrator-cli/biztalkmigrator-cli.nuspec b/build/chocolatey/biztalkmigrator-cli/biztalkmigrator-cli.nuspec
@@ -4,10 +4,11 @@
     <id>biztalkmigrator-cli</id>
     <!-- Note This version will be overriden by the command line. -->
     <version>0.0.1-beta</version>
-    <packageSourceUrl>https://github.com/azure/aimtool</packageSourceUrl>
+    <packageSourceUrl>https://github.com/Azure/aimtool/blob/main/build/chocolatey/biztalkmigrator-cli/biztalkmigrator-cli.nuspec</packageSourceUrl>
     <projectSourceUrl>https://github.com/azure/aimtool</projectSourceUrl>
     <bugTrackerUrl>https://github.com/azure/aimtool/issues</bugTrackerUrl>
     <title>BizTalk Migrator Dependency - Core CLI</title>
+    <owners>probertdaniel,345paul,valrobb</owners>
     <authors>Microsoft</authors>
     <projectUrl>https://github.com/azure/aimtool</projectUrl>
     <licenseUrl>https://github.com/azure/aimtool/blob/master/LICENSE</licenseUrl>