Chocolatey and security

I decided to use Chocolatey to install applications to my freshly installed Windows 10 machine. My original idea was to use OneGet, which is the new package-manager manager introduced in Windows 10, and which has a preview Chocolatey provider, however I didn’t have much success with it, so I stepped back and used Chocolatey directly.

The first step is to install Chocolatey, which is very simple, just run the 1-line script from the homepage in an admin command prompt:

C:\> @powershell -NoProfile -ExecutionPolicy Bypass -Command "iex ((new-object net.webclient).DownloadString(''))" && SET PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin

With this single command you actually do three things:

  1. You download a PowerShell script.
  2. You run the downloaded script with administrative privileges.
  3. You extend your PATH environment variable.

I don’t know about you, but step 2 freaks me out. This is a good time to take a deep breath and think through what you are about to do: you will install applications from an unknown source onto your machine. When you execute a command like

choco install adobereader

you have no idea what it will download and install to your computer.

So what can you do?

First, install only those choco packages that are approved by moderators. Moderation is a manual process, and it may have human errors, but it is a validation after all. In the detail page of a package that was approved by a moderator, for example the Adobe Reader package, you can see this in a green box:

This package was approved by moderator gep13 on 6/11/2015.

If a package was not checked by a moderator, for example Notepad2, you can see this in a red box:

This package was submitted prior to moderation and has not been approved. While it is likely safe for you, there is more risk involved.

Once you have opened the detail page of a package, you had better read everything you can find there. For example, on the 7-Zip package page you can find this warning:

NOTE: The installer for 7-Zip is known to close the explorer process. This means you may lose current work.

Here you can also find useful options; for example, the Firefox package allows you to specify the language of the application to install:

choco install Firefox -packageParameters "l=en-US"

If you scroll down, you can find references in the comments which may make you choose not to install a certain package. For example OpenCandy is mentioned in the comments of the CDBurnerXP package, and you can probably also recall installers that install unwanted software if you just blindly go through them with next-next-finish.

In the middle of the page you can also find the installer PowerShell script, which is worth a look, because there you can see which EXE or MSI is downloaded and from which server. In the case of the Adobe Reader package this script is only 6 lines long, the URL is clearly visible in the middle, and you can easily understand what is actually happening. One cannot say the same about the 117-line script of the Firefox package, or about the script of the Node.js package, which is only 1 line but refers to two other packages.
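The same inspection can be done on the downloaded package file itself instead of in the browser. The following is an added example, not code from the original post or from the Chocolatey project; it assumes you have saved the package's .nupkg locally (a .nupkg is a zip archive) and reads its .nuspec and tools/chocolateyInstall.ps1 to list the download URLs, flag plain-http ones, check whether a checksum is supplied, and list the packages it depends on (the Node.js case above).

```powershell
# Added example, not code from the original post or from the Chocolatey project.
# Assumes the .nupkg is already on disk; nothing is installed or executed.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Read-ZipEntry {
    param($Zip, [string]$Name)
    $entry = $Zip.Entries | Where-Object { $_.FullName -ieq $Name } | Select-Object -First 1
    if (-not $entry) { return $null }
    $reader = New-Object System.IO.StreamReader($entry.Open())
    try { return $reader.ReadToEnd() } finally { $reader.Dispose() }
}

function Test-ChocoPackage {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$NupkgPath)

    $zip = [System.IO.Compression.ZipFile]::OpenRead((Resolve-Path $NupkgPath).ProviderPath)
    try {
        # The .nuspec sits at the archive root, the installer script under tools/.
        $nuspecName  = ($zip.Entries | Where-Object { $_.FullName -like '*.nuspec' } | Select-Object -First 1).FullName
        [xml]$nuspec = Read-ZipEntry $zip $nuspecName
        $script      = [string](Read-ZipEntry $zip 'tools/chocolateyInstall.ps1')
        $scriptFiles = @($zip.Entries | Where-Object { $_.FullName -match '\.ps1$' } | ForEach-Object FullName)
    } finally { $zip.Dispose() }

    # Every URL the installer may fetch from, and which of them are plain http.
    $urls = @([regex]::Matches($script, 'https?://[^\s''"`)]+') | ForEach-Object Value | Sort-Object -Unique)
    # Chocolatey's install helpers accept -Checksum / -Checksum64; a script that
    # never mentions a checksum gives you no way to notice a swapped download.
    $hasChecksum = $script -match '(?i)checksum'
    # A package that only pulls in other packages declares them as nuspec
    # dependencies (flat <dependency id="..."/> elements), so read those too.
    $deps = @($nuspec.package.metadata.dependencies.dependency | Where-Object { $_ } | ForEach-Object id)

    [pscustomobject]@{
        Id           = $nuspec.package.metadata.id
        Version      = $nuspec.package.metadata.version
        Scripts      = $scriptFiles
        DownloadUrls = $urls
        InsecureUrls = @($urls | Where-Object { $_ -like 'http://*' })
        HasChecksum  = $hasChecksum
        Dependencies = $deps
    }
}

# Usage (the file name is a placeholder): Test-ChocoPackage .\some-package.nupkg | Format-List
```

An empty DownloadUrls list together with a non-empty Dependencies list is the "refers to other packages" case, and each dependency's .nupkg deserves the same look.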

In summary, I don’t feel Chocolatey can be used securely; it all comes down to trust. You can do these manual checks, you can update your operating system, install antivirus and antimalware, deny access to unwanted hosts, but at the end of the day you will run code from an unknown source, which, at least from a security perspective, doesn’t seem to be a good idea.

I installed these packages, and they didn’t burn down the house (yet):

firefox -packageParameters "l=en-US"

So what do you think, do you use similar tools, are you brave enough to use Chocolatey, and if yes, what other packages do you install?



4 thoughts on “Chocolatey and security”

  1. ferventcoder

    So let’s fix your terminology a bit so we can talk about whether you can use Chocolatey securely. is the community feed. choco CLI / ChocolateyGUI are the main client tools for the Chocolatey framework. I believe when you state you cannot use Chocolatey securely, you are actually stating that you cannot use the community feed ( securely. And we agree with this statement. You cannot use the internet in general in a secure manner. You can only trust what you have pulled local and vetted. That said, many organizations do not use the community feed, they instead use the Chocolatey framework in a secure manner by never reaching out to the internet.

    1. Balássy György Post author

      Thank you for the clarification, you are absolutely right, and we agree.

      What I see as an issue here is that user-friendly tools, like the one we are talking about here, which you can download and work like a charm immediately, completely hide the security questions in favor of convenience. If you know what you are doing, it is awesome, otherwise it is blind trust.

      I’m a big fan of the Chocolatey concept and the tools, so thank you very much for working on it.

  2. György Balássy Post author

    I agree, Piers. However if you download something from a vendor’s HTTPS website, and the installer is signed with the signature of the vendor, you have to trust “only” in the vendor. But if the installer is wrapped by someone you know nothing about but only his/her nickname, the game gets more tricky.

    Don’t misunderstand me: I like Chocolatey, and I’m really grateful to their creators for creating it, and checking the packages. It is an awesome tool for professionals, but can be risky for people who are not security conscious.

