- BuildMaster
- Getting Started with BuildMaster
- Builds and Continuous Integration
- What is a "Build" in BuildMaster?
- Git and Source Control
- Git Pipelines and Workflows
- Build Scripts & Templates
- Packages & Dependencies
- Build Artifacts
- Automated Testing & Verification
- Deployment & Continuous Delivery
- What is a “Pipeline” in BuildMaster?
- CI Server (Jenkins, TeamCity, etc.) Integration
- Deployment Scripts & Templates
- Automatic Checks & Approval Gates
- Manual Deployment Steps and Tasks
- Databases
- Configuration Files
- Rollbacks
- Advanced CD Patterns
- Applications & Releases
- Connecting to your Servers with BuildMaster
- Scripting in BuildMaster
- Configuring for Your Team
- Docker/Containers
- Development Platforms
- Deployment Targets
- Tools & Service Integrations
- Reference
- BuildMaster API Endpoints & Methods
- Extending BuildMaster
- Built-in Functions & Variables
- Applications
- Builds
- Configuration Files
- Containers
- Credentials
- Databases
- Deployables
- Environments
- Executions
- Files
- General
- JSON
- Linux
- Lists
- Maps
- Math
- Nuget
- Packages
- Pipelines
- PowerShell
- Python
- Releases
- Servers
- Strings
- XML
- Built-in Operations
- Batch
- BuildMaster
- Configuration Files
- Databases
- DotNet
- Files
- Firewall
- General
- Apply-Template
- Attach Package
- Build
- Checkout-Code
- Close-Issue
- Concatenate-Files
- Copy-Files
- Create-Directory
- Create-File
- Create-Issue
- Create-Issue
- Create-IssueComment
- Create-Package
- Create-ZipFile
- Delete-Files
- Download-Asset
- Download-Http
- Ensure-Directory
- Ensure-File
- Ensure-HostsEntry
- Ensure-Metadata
- Ensure-Milestone
- Ensure-Package
- Ensure-Release
- Ensure-Tag
- Exec
- Execute Python Script
- Execute VSTest Tests
- Get-Http
- Install-Package
- OSCall
- OSExec
- Post-Http
- Push-PackageFile
- PYCall
- PYEnsure
- Query-Package
- Remediate-Drift
- Rename-File
- Repackage
- Replace-Text
- Send-Email
- Set-FileAttributes
- Set-Variable
- SHEnsure
- Sleep
- Transfer-Files
- Transition-Issues
- Upload-Assets
- Upload-Http
- Upload-ReleaseAssets
- Git
- IIS
- Nuget
- PowerShell
- ProGet
- Python
- Registry
- Servers
- Services
- Shell
- Windows
- Administration
- Installation & Upgrading
- ProGet
- Getting Started with ProGet
- Packages: Managing & Tracking
- Feeds Types & Third-Party Packages
- What is a "Feed" in ProGet?
- What is a "Connector" in ProGet?
- NuGet (.NET)
- PowerShell
- Chocolatey (Windows/Machine)
- RubyGems (ruby)
- Visual Studio Extension (.vsix)
- Maven (Java)
- npm (Node.js)
- Bower (JavaScript)
- Debian (Apt)
- Helm (Kubernetes)
- PyPI (Python)
- Conda (Python)
- RPM (Yum)
- Alpine (APK)
- CRAN (R)
- pub (Dart/Flutter)
- Cargo (Rust)
- Terraform Modules
- Other Feed Types
- Universal Packages & Feeds
- UPack Overview
- Universal Packages
- Virtual Packages
- Tools and Libraries
- Universal Package Registry
- Downloads & Source Code
- Universal Feed API
- Asset Directories & File Storage
- Docker and Containers
- Replication & Feed Mirroring
- Software Composition Analysis (SCA)
- Security and Access Controls
- Cloud Storage (Amazon S3, Azure Blob)
- Administration
- Installation & Upgrading
- API Endpoints & Methods
- Otter
- Getting Started with Otter
- Orchestration & Server Automation
- Connecting to your Servers with Otter
- Collecting & Verifying Configuration
- Drift Remediation / Configuration as Code
- Scripting in Otter
- Configuring for Your Team
- Installation & Upgrading
- Administration & Maintenance
- Reference
- Otter API Reference
- OtterScript Reference
- Built-in Functions & Variables
- Executions
- Files
- General
- JSON
- Linux
- Lists
- Maps
- Math
- PowerShell
- Python
- Servers
- Strings
- XML
- Built-in Operations
- Batch
- Docker
- DotNet
- Files
- Firewall
- General
- Apply-Template
- Collect Debian Packages
- Collect RPM Packages
- Collect-InstalledPackages
- Concatenate-Files
- Copy-Files
- Create-Directory
- Create-File
- Create-Package
- Create-ZipFile
- Delete-Files
- Download-Asset
- Download-Http
- Ensure-Directory
- Ensure-File
- Ensure-HostsEntry
- Ensure-Metadata
- Ensure-Package
- Exec
- Execute Python Script
- Get-Http
- Install-Package
- OSCall
- OSExec
- Post-Http
- Push-PackageFile
- PYCall
- PYEnsure
- Query-Package
- Remediate-Drift
- Rename-File
- Repackage
- Replace-Text
- Send-Email
- Set-FileAttributes
- Set-Variable
- SHEnsure
- Sleep
- Transfer-Files
- Upload-Assets
- Upload-Http
- IIS
- Otter
- PowerShell
- ProGet
- Python
- Registry
- Servers
- Services
- Shell
- Windows
- Installation & Maintenance
- Windows (Inedo Hub)
- What is the Inedo Hub?
- Configuring & Maintaining Inedo Products
- Offline Installation (no Internet access)
- HOWTO: Install on Windows
- HOWTO: Upgrade or Downgrade with the Inedo Hub
- HOWTO: Install Pre-release Product Versions
- HOWTO: Configure Your Inedo Product to Run As a Windows Domain Account
- Silent/Automated Installation Guide
- Legacy (Traditional) Installer
- Linux (Docker)
- Manual Installation
- High Availability & Load Balancing
- LDAP/AD Integration
- IIS & Web Hosting on Windows
- Logging & Analytics
- SAML Authentication
- Upgrading your Inedo Product
- Managing Agents and Servers
- Backing Up & Restoring
- Installation Configuration Files
- SQL Server & Inedo Products
- Windows (Inedo Hub)
- Inedo Agent
- What is the Inedo Agent?
- Installation & Upgrading
- Downloads & Release Notes
- Maintenance & Configuration
- Internal Architecture
- MyInedo
- OtterScript (Execution Engine)
- Reference
- OtterScript
- Inedo Execution Engine
- Operations & Functions
- Text Templating
- Resource Pools
- Runtime Variables
- Advanced Scenarios & Features
- Statements and Blocks
- Romp (Discontinued)
- Using Romp
- Installing, Configuring, and Maintaining
- Romp CLI Reference
- Package Layout
- Downloads & Source Code
- Extensibility
- Inedo SDK
Validation & Security
A Universal Package is intended to be read-only, and once created, its contents and metacontents sealed within the package and not tampered with. However, the simple format of a Universal Package makes it easy to tamper with its contents using a zip editor.
This is where cryptographic hashing comes into play. This is a small text string that acts as a "thumbprint" of a file and allows you to verify that it is the expected file after downloading "Accounts/HDars v1.3.4" from a package source.
Since the hash of a package is calculated from the bytes in the package file, it is impossible to store the hash of a package within the package, since changing the package would change the hash. For this reason, a trusted package source should be used to verify the hash of the package.
However, a package's manifest file may reference other packages' hashes in the dependencies and repackageHistory properties.
Secure Package Identifier
A universal package can be uniquely identified by its group, name, and version. In some cases, such as when specifying a dependency or describing an audit trail, these details are combined into a single string.
The format for this string is quite simple: group and name are combined (separated by a slash), and version is appended (separated by a colon). For example:
HDARS:1.3.9initrode/vendors/abl/ABLast:2.2.1-rc.1
To ensure a tamper-proof chain of packages, you may also use a package's cryptographic hash by appending a colon and then a hash string to the end of a package.
This will be used for verification purposes when possible. For example:
HDARS:1.3.9:fca66ce2a8ceea2d651eecf2369d4072d1871aecinitrode/vendors/abl/ABLast:2.2.1-rc.1:5b31eaa26d0c6e7bb985f740dbceed854293c369
If the identified packages exist, but the hash doesn't exist, then the package will not be used.
Package Hash Format
Package hashes are calculated using the SHA-1 algorithm, and encoded visually as a 40-character case-insensitive string of hexidemical digits without spaces or other separator characters. For example: 2660bf74fc8147ca41bd53bdb1defc3aae35bc91