How insecure or troublesome are --ignore-hash and --ignore-checksums arguements when installing packages via package managers?


C

CSharpDev

Banned
Local time
6:15 AM
Posts
105
OS
Win11
I am using Chocolatey. Problem is that some packages don't install due to either a hash mismatch or a checksum mismatch or both. I have 3 options:

1) --ignore-hash

2) --ignore-checksums

3) just leave out the version eg choco install ea or choco install bethesda

On a non-enterprise system, how troublesome is passing these 2 arguements inside the script if I use sth like Chocolatey which is an open-source windows package manager? I also use Kaspersky Total Security
 

My Computer My Computer

At a glance

Win11
OS
Win11
DO NOT ! If you use either, it is like saying: Install any malware on my system, I do not care.
 

My Computer My Computer

At a glance

Home26H2CanAMD Ryzen 5 8600G (07/24)2x32GB Kingston FURY DDR5 5600 MHz CL36 @5200...ASROCK Radeon RX 6600 Challenger D 8G @48FPS ...
OS
Home26H2Can
Computer type
PC/Desktop
CPU
AMD Ryzen 5 8600G (07/24)
Motherboard
ASROCK B650M-HDV/M.2 (07/24) BIOS 4.21 AGESA ComboAM5 1.3.0.1 (04/26)
Memory
2x32GB Kingston FURY DDR5 5600 MHz CL36 @5200 CL36 (07/24)
Graphics Card(s)
ASROCK Radeon RX 6600 Challenger D 8G @48FPS (08/24)
Sound Card
Creative Sound BlasterX AE-5 Plus (05/24)
Monitor(s) Displays
24" Philips 24M1N3200ZS/00 (05/24)
Screen Resolution
1920×1080@165Hz via DP1.4
Hard Drives
Kingston KC3000 NVMe 2TB (05/24)
ADATA XPG GAMMIX S11 Pro 512GB (07/19)
PSU
Seasonic Core GM 550 Gold (04/24)
Case
Fractal Design Define 7 Mini with 3x Noctua NF-P14s/12@555rpm (04/24)
Cooling
Noctua NH-U12S with Noctua NF-P12 (04/24)
Keyboard
HP Pavilion Wired Keyboard 300 (07/24) + Rabalux 76017 Parker (01/24)
Mouse
Logitech M330 Silent Plus (01/26)
Internet Speed
500/100 Mbps via RouterOS (05/21) & TCP Optimizer
Browser
Edge, Brave for YouTube, LibreWolf for FB
Antivirus
NextDNS blocking 1/3 Traffic
Other Info
Phone: Motorola Moto G86 (02/26)
Backup: Hasleo Backup Suite (PreOS)
Headphones: Sennheiser RS170 (09/10)
Chair: Huzaro Force 4.4 Grey Mesh (05/24)
Notifier: Xiaomi Mi Band 9 Milanese (10/24)
FlexCore USB-C 3.2 Gen 1 (M) to LAN (F) (08/25)
Some Chocolatey packages won't install because they're using a static referrer URL, and the underlying download file has been replaced by the vendor. You have three options:

1. Wait for someone to resubmit this Chocolatey package, with an updated hash in the manifest.
2. If the software vendor provides static URL's for version builds, sometimes there will be a [product]-[version] package. Those are unlikely to have the source installer's hash change over time. This is the preferred option, but it may not always be available.
3. Ignore the manifest's current hash values.
 

My Computer My Computer

At a glance

Windows 7
OS
Windows 7
garlin said:
Some Chocolatey packages won't install because they're using a static referrer URL, and the underlying download file has been replaced by the vendor. You have three options:

1. Wait for someone to resubmit this Chocolatey package, with an updated hash in the manifest.
2. If the software vendor provides static URL's for version builds, sometimes there will be a [product]-[version] package. Those are unlikely to have the source installer's hash change over time. This is the preferred option, but it may not always be available.
3. Ignore the manifest's current hash values.
Click to expand...
Yes that's exactly what I meant to say.

Regarding #3, do you mean I can pass --ignore-hash but I shouldn't use --ignore-checksums?
 

My Computer My Computer

At a glance

Win11
OS
Win11
TairikuOkami said:
DO NOT ! If you use either, it is like saying: Install any malware on my system, I do not care.
Click to expand...
Wouldn't my AV catch them tho? The firewall built into the suite has these non-signed or not-validly-signed (so to speak maybe im wording it incorrectly) .exe's running with very few privileges for this exact reason
 

My Computer My Computer

At a glance

Win11
OS
Win11
CSharpDev said:
Wouldn't my AV catch them tho?
Click to expand...
That is like 50:50, depending on your AV, AV would catch up eventually, but you might get infected in the meantime.
CCleaner owned by Avast/AVG/Norton AV was infected and distributed malware for months and no one had noticed.
www.bleepingcomputer.com

CCleaner Malware Incident - What You Need to Know and How to Remove

This article contains information and answers to frequently asked questions regarding the CCleaner malware incident and how to remove the malware-laced CCleaner version.
www.bleepingcomputer.com www.bleepingcomputer.com
 

My Computer My Computer

At a glance

Home26H2CanAMD Ryzen 5 8600G (07/24)2x32GB Kingston FURY DDR5 5600 MHz CL36 @5200...ASROCK Radeon RX 6600 Challenger D 8G @48FPS ...
OS
Home26H2Can
Computer type
PC/Desktop
CPU
AMD Ryzen 5 8600G (07/24)
Motherboard
ASROCK B650M-HDV/M.2 (07/24) BIOS 4.21 AGESA ComboAM5 1.3.0.1 (04/26)
Memory
2x32GB Kingston FURY DDR5 5600 MHz CL36 @5200 CL36 (07/24)
Graphics Card(s)
ASROCK Radeon RX 6600 Challenger D 8G @48FPS (08/24)
Sound Card
Creative Sound BlasterX AE-5 Plus (05/24)
Monitor(s) Displays
24" Philips 24M1N3200ZS/00 (05/24)
Screen Resolution
1920×1080@165Hz via DP1.4
Hard Drives
Kingston KC3000 NVMe 2TB (05/24)
ADATA XPG GAMMIX S11 Pro 512GB (07/19)
PSU
Seasonic Core GM 550 Gold (04/24)
Case
Fractal Design Define 7 Mini with 3x Noctua NF-P14s/12@555rpm (04/24)
Cooling
Noctua NH-U12S with Noctua NF-P12 (04/24)
Keyboard
HP Pavilion Wired Keyboard 300 (07/24) + Rabalux 76017 Parker (01/24)
Mouse
Logitech M330 Silent Plus (01/26)
Internet Speed
500/100 Mbps via RouterOS (05/21) & TCP Optimizer
Browser
Edge, Brave for YouTube, LibreWolf for FB
Antivirus
NextDNS blocking 1/3 Traffic
Other Info
Phone: Motorola Moto G86 (02/26)
Backup: Hasleo Backup Suite (PreOS)
Headphones: Sennheiser RS170 (09/10)
Chair: Huzaro Force 4.4 Grey Mesh (05/24)
Notifier: Xiaomi Mi Band 9 Milanese (10/24)
FlexCore USB-C 3.2 Gen 1 (M) to LAN (F) (08/25)
CSharpDev said:
Wouldn't my AV catch them tho?
Click to expand...
Never count on your AV to catch anything, malware writers pay a lot of attention to make their malware undetectable!
If they can't do that they don't distribute it.
 

My Computer My Computer

At a glance

Windows 11 Pro 23H2Intel i3 8100 @3.6Ghz1 x 16GB DDR4 @2400 MHzNvidia GeForce GT 1030 2GB SDDR4
OS
Windows 11 Pro 23H2
Computer type
PC/Desktop
Manufacturer/Model
MSI / MS-7B29
CPU
Intel i3 8100 @3.6Ghz
Motherboard
H310M PRO-VDH (MS-7B29)
Memory
1 x 16GB DDR4 @2400 MHz
Graphics Card(s)
Nvidia GeForce GT 1030 2GB SDDR4
Sound Card
Realtek VEN_10EC&DEV_0887 / NVIDIA VEN_10DE&DEV_0081
Monitor(s) Displays
Acer V226HQL
Screen Resolution
1920 x 1080
Hard Drives
SSD 500 GB Crucial MX500 / HDD 1 TB TOSHIBA DT01ACA100
PSU
ATX, details unknown
Case
Everest 551B
Cooling
details unknown
Keyboard
Mechanical Gaming Hydra R7 - Rampage
Mouse
Logitech G703
Internet Speed
Down: 28Mbps / Up: 19Mbps
Browser
Microsoft Edge
Antivirus
Microsoft Defender Antivirus
Other Info
Bluetooth: TP Link 5.0 Nano USB adapter UB500
WLAN: D-Link 150 Pico USB adapter, N standard
Web camera: Logitech C270 HD 720p @30fps
Microphone: Trust MICO, model 23790
Indeed, what @zebal said. I keep a fire extinguisher in my kitchen, but I’d rather my kitchen not catch fire in the first place.
 

My Computer My Computer

At a glance

Windows 11 Pro 25H212th Gen Core i7-1260P64 GB Micron PC4-25600Intel Iris Xe Graphics
OS
Windows 11 Pro 25H2
Computer type
PC/Desktop
Manufacturer/Model
Intel NUC12WSHi7
CPU
12th Gen Core i7-1260P
Motherboard
NUC12WSBi7
Memory
64 GB Micron PC4-25600
Graphics Card(s)
Intel Iris Xe Graphics
Sound Card
on-board Realtek HD Audio
Monitor(s) Displays
Dell U3219Q
Screen Resolution
3840 x 2160
Hard Drives
Samsung SSD 990 PRO 1TB
Crucial MX500 2 TB
Antivirus
Microsoft Defender
pseymour said:
’d rather my kitchen not catch fire in the first place.
Click to expand...
Agree! To add to that I wouldn't want to knowingly leave a pan of grease on the stove and chance setting fire to my kitchen myself.
 

My Computers My Computers

System One System Two

  • At a glance

    Windows 11 Pro 25H2 26200.8655i9-10900 10 core 20 threads32 gbnone-Intel UHD Graphics 630
    OS
    Windows 11 Pro 25H2 26200.8655
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 7080
    CPU
    i9-10900 10 core 20 threads
    Motherboard
    DELL 0J37VM
    Memory
    32 gb
    Graphics Card(s)
    none-Intel UHD Graphics 630
    Sound Card
    Integrated Realtek
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    2x1tb Solidigm m.2 nvme /External drives 512gb Samsung m.2 sata+2tb Kingston m2.nvme
    PSU
    500w
    Case
    MT
    Cooling
    Dell Premium
    Keyboard
    Logitech wired
    Mouse
    Logitech wireless
    Internet Speed
    so slow I'm too embarrassed to tell
    Browser
    #1 Edge #2 Firefox
    Antivirus
    Defender+MWB Premium

  • At a glance

    Windows 11 Pro 24H2 26200.8457AMD Ryzen 7 6800U32 gbintegrated
    Operating System
    Windows 11 Pro 24H2 26200.8457
    Computer type
    PC/Desktop
    Manufacturer/Model
    Beelink Mini PC SER5
    CPU
    AMD Ryzen 7 6800U
    Memory
    32 gb
    Graphics card(s)
    integrated
    Sound Card
    integrated
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    1TB Crucial nvme
    Keyboard
    Logitech wired
    Mouse
    Logitech wireless
    Internet Speed
    still too embarrassed to tell
    Browser
    Firefox
    Antivirus
    Defender
    Other Info
    System 3 is non compliant Dell 9020 i7-4770/24gb ram Win11 PRO 26200.8457
You must log in or register to reply here.

Latest Support Threads

Latest Tutorials

Back
Top Bottom