From e2231d3645ffdab839398f1124e065d3fb9a9198 Mon Sep 17 00:00:00 2001 From: AmirMS <104940545+AmelBawa-msft@users.noreply.github.com> Date: Sat, 22 Oct 2022 20:44:39 -0700 Subject: [PATCH 1/4] Init group policy --- doc/admx/DesktopAppInstaller.admx | 10 ++++++++ doc/admx/en-US/DesktopAppInstaller.adml | 2 ++ .../Shared/Strings/en-us/winget.resw | 3 +++ src/AppInstallerCLITests/GroupPolicy.cpp | 1 + src/AppInstallerCLITests/TestSettings.h | 1 + src/AppInstallerCommonCore/AdminSettings.cpp | 23 ++++++++++++++----- src/AppInstallerCommonCore/GroupPolicy.cpp | 2 ++ .../Public/winget/GroupPolicy.h | 1 + .../Public/winget/Resources.h | 1 + 9 files changed, 38 insertions(+), 6 deletions(-) diff --git a/doc/admx/DesktopAppInstaller.admx b/doc/admx/DesktopAppInstaller.admx index 44be8a54eb..d3dcbdf51a 100644 --- a/doc/admx/DesktopAppInstaller.admx +++ b/doc/admx/DesktopAppInstaller.admx @@ -53,6 +53,16 @@ + + + + + + + + + + diff --git a/doc/admx/en-US/DesktopAppInstaller.adml b/doc/admx/en-US/DesktopAppInstaller.adml index 3c602c0307..7c3d73b4c6 100644 --- a/doc/admx/en-US/DesktopAppInstaller.adml +++ b/doc/admx/en-US/DesktopAppInstaller.adml @@ -31,6 +31,8 @@ If you disable this setting, users will not be able to enable experimental featu If you enable or do not configure this setting, users will be able to install packages with local manifests using the Windows Package Manager. If you disable this setting, users will not be able to install packages with local manifests using the Windows Package Manager. + Enable Bypass Certificate Pinning For Microsoft Store + TODO Enable App Installer Hash Override This policy controls whether or not the Windows Package Manager can be configured to enable the ability override the SHA256 security validation in settings. diff --git a/src/AppInstallerCLIPackage/Shared/Strings/en-us/winget.resw b/src/AppInstallerCLIPackage/Shared/Strings/en-us/winget.resw index 68fcd5cbea..dfe4d5cf02 100644 
--- a/src/AppInstallerCLIPackage/Shared/Strings/en-us/winget.resw +++ b/src/AppInstallerCLIPackage/Shared/Strings/en-us/winget.resw @@ -885,6 +885,9 @@ They can be configured through the settings file 'winget settings'. Enable Windows App Installer Local Manifest Files + + Enable Windows App Installer Bypass Certificate Pinning for Microsoft Store + Field: diff --git a/src/AppInstallerCLITests/GroupPolicy.cpp b/src/AppInstallerCLITests/GroupPolicy.cpp index 1b7f714bf8..121b4ec60d 100644 --- a/src/AppInstallerCLITests/GroupPolicy.cpp +++ b/src/AppInstallerCLITests/GroupPolicy.cpp @@ -372,6 +372,7 @@ TEST_CASE("GroupPolicy_AllEnabled", "[groupPolicy]") SetRegistryValue(policiesKey.get(), MSStoreSourcePolicyValueName, 1);; SetRegistryValue(policiesKey.get(), AdditionalSourcesPolicyValueName, 1); SetRegistryValue(policiesKey.get(), AllowedSourcesPolicyValueName, 1); + SetRegistryValue(policiesKey.get(), BypassCertificatePinningForMicrosoftStoreValueName, 1); GroupPolicy groupPolicy{ policiesKey.get() }; for (const auto& policy : TogglePolicy::GetAllPolicies()) diff --git a/src/AppInstallerCLITests/TestSettings.h b/src/AppInstallerCLITests/TestSettings.h index 24cbd15a5f..934feb9e6c 100644 --- a/src/AppInstallerCLITests/TestSettings.h +++ b/src/AppInstallerCLITests/TestSettings.h @@ -18,6 +18,7 @@ namespace TestCommon const std::wstring MSStoreSourcePolicyValueName = L"EnableMicrosoftStoreSource"; const std::wstring AdditionalSourcesPolicyValueName = L"EnableAdditionalSources"; const std::wstring AllowedSourcesPolicyValueName = L"EnableAllowedSources"; + const std::wstring BypassCertificatePinningForMicrosoftStoreValueName = L"EnableBypassCertificatePinningForMicrosoftStore"; const std::wstring SourceUpdateIntervalPolicyValueName = L"SourceAutoUpdateInterval"; const std::wstring SourceUpdateIntervalPolicyOldValueName = L"SourceAutoUpdateIntervalInMinutes"; 
diff --git a/src/AppInstallerCommonCore/AdminSettings.cpp b/src/AppInstallerCommonCore/AdminSettings.cpp
index 7d8457f2a4..2195b95535 100644
--- a/src/AppInstallerCommonCore/AdminSettings.cpp
+++ b/src/AppInstallerCommonCore/AdminSettings.cpp
@@ -193,16 +193,27 @@ namespace AppInstaller::Settings
 adminSettingsInternal.SetAdminSetting(setting, false);
 }
 
+ TogglePolicy::Policy GetAdminSettingPolicy(AdminSetting setting)
+ {
+ switch (setting)
+ {
+ case AdminSetting::LocalManifestFiles:
+ return TogglePolicy::Policy::LocalManifestFiles;
+ case AdminSetting::BypassCertificatePinningForMicrosoftStore:
+ return TogglePolicy::Policy::BypassCertificatePinningForMicrosoftStore;
+ default:
+ return TogglePolicy::Policy::None;
+ }
+ }
+
 bool IsAdminSettingEnabled(AdminSetting setting)
 {
 // Check for a policy that overrides this setting.
- if (setting == AdminSetting::LocalManifestFiles)
+ auto policy = GetAdminSettingPolicy(setting);
+ auto policyState = GroupPolicies().GetState(policy);
+ if (policyState != PolicyState::NotConfigured)
 {
- PolicyState localManifestFilesPolicy = GroupPolicies().GetState(TogglePolicy::Policy::LocalManifestFiles);
- if (localManifestFilesPolicy != PolicyState::NotConfigured)
- {
- return localManifestFilesPolicy == PolicyState::Enabled;
- }
+ return policyState == PolicyState::Enabled;
 }
 
 AdminSettingsInternal adminSettingsInternal;
diff --git a/src/AppInstallerCommonCore/GroupPolicy.cpp b/src/AppInstallerCommonCore/GroupPolicy.cpp
index 2861e3d69b..66a9b5a381 100644
--- a/src/AppInstallerCommonCore/GroupPolicy.cpp
+++ b/src/AppInstallerCommonCore/GroupPolicy.cpp
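Review bot: `IsAdminSettingEnabled` now performs the `GroupPolicies().GetState(policy)` lookup for every setting, including those for which `GetAdminSettingPolicy` falls into its `default:` and returns `TogglePolicy::Policy::None`; the removed code consulted group policy only for `LocalManifestFiles`. What `GetState` does with `Policy::None` is not visible here, and the `TogglePolicy` switch touched in GroupPolicy.cpp ends in `THROW_HR(E_UNEXPECTED)`, so if `GetState` routes through it, admin settings without a mapped policy would throw instead of falling back to the stored value. Wrapping the lookup and the early return in `if (policy != TogglePolicy::Policy::None)` restores the old shape and removes the dependency on how `None` is handled. `GetAdminSettingPolicy` also appears to be a namespace-scope function with external linkage; unless it is declared in the header, `static` (or the file's anonymous namespace, if it has one) keeps it out of the library surface. A short comment on `IsAdminSettingEnabled`, such as `// A configured group policy wins over the stored admin setting in both directions; NotConfigured defers to it.`, would make the override order explicit for a function that gates a certificate-pinning bypass.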
@@ -281,6 +281,8 @@ namespace AppInstaller::Settings return TogglePolicy(policy, "EnableAdditionalSources"sv, String::PolicyAdditionalSources); case TogglePolicy::Policy::AllowedSources: return TogglePolicy(policy, "EnableAllowedSources"sv, String::PolicyAllowedSources); + case TogglePolicy::Policy::BypassCertificatePinningForMicrosoftStore: + return TogglePolicy(policy, "EnableBypassCertificatePinningForMicrosoftStore"sv, String::PolicyEnableBypassCertificatePinningForMicrosoftStore); default: THROW_HR(E_UNEXPECTED); } diff --git a/src/AppInstallerCommonCore/Public/winget/GroupPolicy.h b/src/AppInstallerCommonCore/Public/winget/GroupPolicy.h index 2ac085a009..ce840fc13f 100644 --- a/src/AppInstallerCommonCore/Public/winget/GroupPolicy.h +++ b/src/AppInstallerCommonCore/Public/winget/GroupPolicy.h @@ -41,6 +41,7 @@ namespace AppInstaller::Settings MSStoreSource, AdditionalSources, AllowedSources, + BypassCertificatePinningForMicrosoftStore, Max, }; diff --git a/src/AppInstallerCommonCore/Public/winget/Resources.h b/src/AppInstallerCommonCore/Public/winget/Resources.h index ec9e181e35..1d3c21ac04 100644 --- a/src/AppInstallerCommonCore/Public/winget/Resources.h +++ b/src/AppInstallerCommonCore/Public/winget/Resources.h @@ -35,6 +35,7 @@ namespace AppInstaller WINGET_DEFINE_RESOURCE_STRINGID(PolicyAdditionalSources); WINGET_DEFINE_RESOURCE_STRINGID(PolicyAllowedSources); WINGET_DEFINE_RESOURCE_STRINGID(PolicySourceAutoUpdateInterval); + WINGET_DEFINE_RESOURCE_STRINGID(PolicyEnableBypassCertificatePinningForMicrosoftStore); WINGET_DEFINE_RESOURCE_STRINGID(SettingsWarningInvalidFieldFormat); WINGET_DEFINE_RESOURCE_STRINGID(SettingsWarningInvalidFieldValue); From 21624c9665554da6f74258ee8a8f4a6365605dbe Mon Sep 17 00:00:00 2001 From: AmirMS <104940545+AmelBawa-msft@users.noreply.github.com> Date: Sun, 23 Oct 2022 13:39:08 -0700 Subject: [PATCH 2/4] Added test --- src/AppInstallerCLITests/Sources.cpp | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) 
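Review bot: The new resource id `String::PolicyEnableBypassCertificatePinningForMicrosoftStore` breaks the naming pattern of its neighbours in both the GroupPolicy.cpp and Resources.h hunks, where the `Enable` prefix belongs to the registry value name (`"EnableAllowedSources"sv`) but not to the string id (`String::PolicyAllowedSources`). Renaming it to `PolicyBypassCertificatePinningForMicrosoftStore` in the `WINGET_DEFINE_RESOURCE_STRINGID(...)` line and in the new `TogglePolicy(policy, "EnableBypassCertificatePinningForMicrosoftStore"sv, ...)` case, together with the matching resw entry, keeps the ids consistent and greppable. The enum entry in GroupPolicy.h is inserted before `Max`, which presumably is what any range-based enumeration of policies expects; confirm against `TogglePolicy::GetAllPolicies()`.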
diff --git a/src/AppInstallerCLITests/Sources.cpp b/src/AppInstallerCLITests/Sources.cpp
index 3eab22addb..6649751b22 100644
--- a/src/AppInstallerCLITests/Sources.cpp
+++ b/src/AppInstallerCLITests/Sources.cpp
@@ -1265,3 +1265,30 @@ TEST_CASE("RepoSources_RestoringWellKnownSource", "[sources]")
 REQUIRE(storeAfterAdd.GetDetails().CertificatePinningConfiguration.IsEmpty());
 }
 }
+
+TEST_CASE("RepoSources_GroupPolicy_BypassCertificatePinningForMicrosoftStore", "[sources][groupPolicy]")
+{
+ SECTION("Not configured")
+ {
+ GroupPolicyTestOverride policies;
+ policies.SetState(TogglePolicy::Policy::BypassCertificatePinningForMicrosoftStore, PolicyState::NotConfigured);
+ Source source(WellKnownSource::MicrosoftStore);
+ REQUIRE_FALSE(source.GetDetails().CertificatePinningConfiguration.IsEmpty());
+ }
+
+ SECTION("Enabled")
+ {
+ GroupPolicyTestOverride policies;
+ policies.SetState(TogglePolicy::Policy::BypassCertificatePinningForMicrosoftStore, PolicyState::Enabled);
+ Source source(WellKnownSource::MicrosoftStore);
+ REQUIRE(source.GetDetails().CertificatePinningConfiguration.IsEmpty());
+ }
+
+ SECTION("Disabled")
+ {
+ GroupPolicyTestOverride policies;
+ policies.SetState(TogglePolicy::Policy::BypassCertificatePinningForMicrosoftStore, PolicyState::Disabled);
+ Source source(WellKnownSource::MicrosoftStore);
+ REQUIRE_FALSE(source.GetDetails().CertificatePinningConfiguration.IsEmpty());
+ }
+}
From f2b9a7f3120fc01718789a0a4dce89cb2e68919d Mon Sep 17 00:00:00 2001
From: Amir El Bawab <104940545+AmelBawa-msft@users.noreply.github.com>
Date: Tue, 25 Oct 2022 09:56:25 -0700
Subject: [PATCH 3/4] Updated TODO text
---
 doc/admx/en-US/DesktopAppInstaller.adml | 8 ++++++--
 .../Shared/Strings/en-us/winget.resw | 2 +-
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/doc/admx/en-US/DesktopAppInstaller.adml b/doc/admx/en-US/DesktopAppInstaller.adml
index 7c3d73b4c6..c0b73f12c2 100644
--- a/doc/admx/en-US/DesktopAppInstaller.adml
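Review bot: The `Disabled` section runs with the admin setting at its default, so it never shows that a Disabled policy wins over a setting an administrator has already turned on, which is the override case the policy path in `IsAdminSettingEnabled` exists for. If the test harness can toggle admin settings, a section that enables `AdminSetting::BypassCertificatePinningForMicrosoftStore`, sets the policy to `PolicyState::Disabled`, and still asserts `REQUIRE_FALSE(source.GetDetails().CertificatePinningConfiguration.IsEmpty())` would pin that behaviour; the same holds in reverse for `Enabled` with the setting left off, which the current `Enabled` section only covers implicitly. The three sections differ only in the policy state and the expected emptiness, so a small local lambda taking `(PolicyState, bool expectEmpty)` would remove the repeated `GroupPolicyTestOverride`/`Source` setup.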
+++ b/doc/admx/en-US/DesktopAppInstaller.adml @@ -31,8 +31,12 @@ If you disable this setting, users will not be able to enable experimental featu If you enable or do not configure this setting, users will be able to install packages with local manifests using the Windows Package Manager. If you disable this setting, users will not be able to install packages with local manifests using the Windows Package Manager. - Enable Bypass Certificate Pinning For Microsoft Store - TODO + Enable App Installer Microsoft Store Source Pinned Certificate Bypass + This policy controls whether the Windows Package Manager can be configured to disable the requirement to use a pinned certificate for the Microsoft Store source. + +If you enable or do not configure this setting, users will be able to bypass the pinned certificate used to validate the Microsoft Store source. + +If you disable this setting, users will not be able to bypass the pinned certificate used to validate the Microsoft Store source. Enable App Installer Hash Override This policy controls whether or not the Windows Package Manager can be configured to enable the ability override the SHA256 security validation in settings. diff --git a/src/AppInstallerCLIPackage/Shared/Strings/en-us/winget.resw b/src/AppInstallerCLIPackage/Shared/Strings/en-us/winget.resw index dfe4d5cf02..1923eb29fb 100644 --- a/src/AppInstallerCLIPackage/Shared/Strings/en-us/winget.resw +++ b/src/AppInstallerCLIPackage/Shared/Strings/en-us/winget.resw @@ -886,7 +886,7 @@ They can be configured through the settings file 'winget settings'. Enable Windows App Installer Local Manifest Files - Enable Windows App Installer Bypass Certificate Pinning for Microsoft Store + Enable Windows App Installer Microsoft Store Source Pinned Certificate Bypass Field: From 03b45ef1ad23194f81c9255e03a8f88038dd41cd Mon Sep 17 00:00:00 2001 
From: Amir El Bawab <104940545+AmelBawa-msft@users.noreply.github.com>
Date: Tue, 25 Oct 2022 16:20:01 -0700
Subject: [PATCH 4/4] Fix test
---
 src/AppInstallerCLITests/Sources.cpp | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/AppInstallerCLITests/Sources.cpp b/src/AppInstallerCLITests/Sources.cpp
index 6649751b22..f35ea9ed45 100644
--- a/src/AppInstallerCLITests/Sources.cpp
+++ b/src/AppInstallerCLITests/Sources.cpp
@@ -1268,6 +1268,8 @@ TEST_CASE("RepoSources_RestoringWellKnownSource", "[sources]")
 TEST_CASE("RepoSources_GroupPolicy_BypassCertificatePinningForMicrosoftStore", "[sources][groupPolicy]")
 {
+ TestHook_ClearSourceFactoryOverrides();
+
 SECTION("Not configured")
 {
 GroupPolicyTestOverride policies;