Create Binary Ninja package #1229
Conversation
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
sreinhardt
force-pushed
the
binja
branch
3 times, most recently
from
5835d8d to
c461d41
Compare
There was a problem hiding this comment.
@sreinhardt thanks a lot for your contribution! 💐
As documented in the Coding Conventions page in our Wiki:
vm.common/vm.common.psm1 defines functions that start with
VM-to reuse code among packages and make package creation easier. TheVM-helper functions muss be used when possible.
You have used idafree.vm as an example. But it is not the best example, as it is a complicated package that can't use the VM-Install-With-Installer helper because we are in addition installing our own IDA launcher. I think in your case you should be able to use the VM-Install-With-Installer helper function. A good example to check is the package bindiff.vm, that uses that helper function (and consequently is much simpler).
The tool and id/package name should not include the free in this case as it is not included in the executable name (binaryninja.exe).
| packageName = ${Env:ChocolateyPackageName} | ||
| fileType = 'exe' | ||
| silentArgs = '/S /ALLUSERS=1' | ||
| url = 'https://cdn.binary.ninja/installers/binaryninja_free_win64.exe' |
There was a problem hiding this comment.
URLs that do not include the version are an issue as the hash changes when a new version is released breaking the package. We can still add this package, but depending how often the tool is updated, this is a blocker to add this package to the default FLARE-VM configuration, as broken packages confuse users. Do you know how often this tool is released? Is it possible to use a different URL that includes the version?
We verify some packages using SigCheck instead of hash verification because of this reason. At the moment we only do it for Google/Microsoft tools as documented in the Wiki. We are planing to extend this verification to Zimmerman tools in #1199
There was a problem hiding this comment.
I took a look at VM-assert-signature and signtool does validate the binary ninja installer properly. Right now, that looks like I would either void your suggestion of using VM-Install-With-Installer and manually recreate those steps again, or that functionality needs to be added to both zip and exe installations.
For now, I have altered the existing hash checking in an alternative but probably not desired way. It seems vm-packages has three categories: no hash or signature, sha256, or signtool. As I too prefer some form of validation, I wrote a small function in chocolatyinstall.ps1 to collect the current hash file, parse for whichever version you are deploying, and use it's output with VM-Install-With-Installer. If at any point the signtool functionality is added there as well, I'm happy to modify again.
|
Hi Ana, thanks for the suggestions! sreinhardt/VM-Packages@01de76f should resolve renaming away from "-free". Completely understand installer mismatches due to lack of version+hash, not a headache we want to deal with. As an ida user, I am somewhat unfamilliar with Binary Ninja's update schedule. I do see they offer a static json page with hashes that update per installer. This is a common pattern in other package managers, I'll have to look around and see if you have similar functionality. https://binary.ninja/js/hashes.json |
Loosely copied Ida package to support Binary Ninja install. My understanding is this is free for personal use and adding a license enables any additional features or commercial use, so not sure how applicable free is?