I am once again having to edit the Office 365 update to accommodate for MS changing files silently throughout the week.
I noticed that all of the files are listed with SHA1 signatures only, is there any reason why these wouldnt be using SHA256? Would this be an issue for people that enforce Secure signatures only?
Example Fixlet ID 36509619 site patches for Windows
For anyone wondering the error seen frequently due to MS updates…
Download error: “Error processing completed download: Requested sha1 f68c215e0f8a669b6507b77348ae591cb952404f does not match actual sha1 e0cf869714c85672a76ca99e5f3bcf3278cfc198”
Download requested by client:
URL: http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114/office/data/v64_16.0.13801.20960.cab
Hash: (sha1)f68c215e0f8a669b6507b77348ae591cb952404f
Size: 9785 bytes
Next retry: The download will be retried the next time it is requested. Retry now
I usually have to go and run a test before patching and validate all downloads. I attempted to try the option with no signature validation however the downloads go from 8 files for my locale to about 100 which includes every country and it take 1-2 hrs to download vs 2 mins.
MS frequently updates the .cab files which causes the issue, we are trying to update these files everyday but sometimes it causes the mismatch due to frequent releases.
and I believe SHA256 is an optional so it is not used in an action but SHA256 also gets changed everytime there is a modification. so adding it to the action remains the same.
I understand that choosing to deploy bigfix with required SHA256 download or not is optional; however if HCL chooses to deploy fixlets which do not support SHA256 hashes then enabling the enhanced download security will break several fixlets and overall reduces the value of the product.
I like many others would prefer to enforce the SHA256 only download requirement, however there is still alot of content in various sites which does not have SHA256 hashes.
The bigger issue for the O365 fixlet mentioned above is the fact that the action for no hash checking does not work the same as the others. I normally uses Action 5, it typically only downloads 5-7 files, when i choose Action 6 it downloads every single file reference in the action over 70 and covers every language over the globe.
It would be nice if the nohash check action downloaded only the limited number of files as the other actions.
Might be worth an enhancement request to allow for enforcement of SHA256 hash per site, so that custom sites and other sites which have been validated to only have SHA256 could have that level of enforcement while others dont break, and allow for a slow migration of the external sites to better signatures.