Chocolatey Blog

Announcing Release of Chocolatey Central Management v0.15.0, Chocolatey CLI v2.7.0, Chocolatey Licensed Extension v8.0.0, Chocolatey Agent v4.0.0, Chocolatey GUI v3.0.0, and Chocolatey GUI Extension v3.0.0

Rain Sallow — Thu, 19 Mar 2026 00:00:00 GMT

import Callout from '@choco-astro/components/Callout.astro';

Discussed below are the change highlights included in these releases, but we also have a full set of release notes available for each product release:

We're excited to announce the releases of Chocolatey Central Management v0.15.0, Chocolatey CLI v2.7.0, Chocolatey Licensed Extension v8.0.0, Chocolatey Agent v4.0.0, Chocolatey GUI v3.0.0, and Chocolatey GUI Extension v3.0.0!

Collection and Display of Computer Facts

<Callout type="info"> This functionality requires both Chocolatey Central Management v0.15.0 on the server side as well as client computers to have Chocolatey Agent v4.0.0 in order for the feature to be fully functional. </Callout>

Chocolatey Central Management will now display some additional information in the Facts tab on the Computer Details page, which will list information such as:

Chocolatey License type, expiry, and node count
Computer system domain name and machine name
BIOS manufacturer
Physical memory (RAM) capacity, speed, and manufacturer
Operating system
Processor speeds, cores, and manufacturer
Storage media format, available space, and drives present
Network interfaces' IP address(es), theoretical speed, and current status

Improvements to How Central Management Handles Outdated Software

Previously, Software in Chocolatey Central Management handled outdated software globally. If one computer reported that a package version was outdated, Chocolatey Central Management would always report that this version was outdated, even if other computers did not have access to a source with the updated package version.

With this change, each computer's Software information now contains more granular information about whether a package is outdated, and which sources are reporting information about newer package version(s) from that computer. Additionally, changes to a client computer to remove or disable a source will naturally flow through to update this information, ensuring that Chocolatey Central Management will always display up to date information for any outdated software.

This information is displayed in the Computer Details screen in Chocolatey Central Management, when it is available.

<Callout type="info"> This functionality requires at least Chocolatey Central Managment v0.15.0 on the server, as well as Chocolatey Agent v4.0.0 on client computers. </Callout>

This is also visible on the Software Details screen, showing a list of all Computers and whether the package available from their configured sources is up to date.

Release Notes

For more information on the changes, features, improvements and bug fixes that were included in these releases, please see the release notes:

Learn More

Check out the documentation.
Learn about other features available in Chocolatey for Business.
Contact us to find out more and setup your evaluation of Chocolatey for Business today.

Chocolatey users unaffected by Notepad++ incident

Stephen Valdinger — Mon, 02 Mar 2026 00:00:00 GMT

The publisher of Notepad++ recently disclosed a security incident involving a compromised update server. The issue created the potential for a man-in-the-middle (MITM) attack affecting the application’s built-in updater component, WinGUp.

After review, the Chocolatey Security Team has determined that packages distributed via the Chocolatey Community Repository (CCR) were not affected by this incident.

Details of the Upstream Vulnerability

According to the publisher, the vulnerability involved:

A compromised update server owned and operated by the Notepad++ publisher.
The WinGUp updater component connecting to that server to download updated binaries.
The potential for a malicious actor to intercept or modify update payloads.

Additional information from the publisher is available here: https://notepad-plus-plus.org/news/hijacked-incident-info-update/

Impact Assessment for Chocolatey Users

The Chocolatey Community Repository follows a structured moderation and security review process. As part of that process:

Maintainers are instructed to source binaries from secure and reputable locations whenever possible.
Moderators review packages prior to publication.
For Notepad++ specifically, the package is configured to pull release binaries directly from Notepad++'s GitHub releases using the Get-GitHubRelease cmdlet.

Because CCR packages source binaries from GitHub—not the publisher server which was compromised—Chocolatey-delivered updates were not exposed to this vulnerability.

The current Notepad++ package configuration can be reviewed here: https://github.com/chocolatey-community/chocolatey-packages/blob/37bea46c2c5a72d71e3b2849abd480f4f2410187/automatic/notepadplusplus/update.ps1

Repository moderation requirements are documented here: https://docs.chocolatey.org/en-us/community-repository/moderation/#requirements-1

The last instance of pulling binaries directly from the publisher occurred in 2020 and has not been the standard practice since: https://github.com/chocolatey-community/chocolatey-packages/commit/1b5c7038f04aee674f5a27e508ea15a0b97b46a1

Important Note Regarding WinGUp

The CCR package for Notepad++ includes the WinGUp updater component.

Customers who manually initiated updates through WinGUp (outside of Chocolatey) during the affected period may have attempted to connect to the compromised server.
Customers who used Chocolatey to perform updates were not affected, as updates were sourced from GitHub.

Recommended Actions

Continue updating Notepad++ via Chocolatey to ensure packages are retrieved from approved sources.
If manual updates were performed using WinGUp during the affected timeframe, consider reinstalling the latest version via Chocolatey as a precaution.
Review internal update policies to ensure centralized package management tools are used consistently.

Conclusion

Based on our review, there is no evidence that Chocolatey Community Repository packages for Notepad++ were affected by the publisher's compromised update server. Chocolatey's moderation process and, in this case, sourcing the binaries from GitHub, provided effective mitigation against this upstream incident.

For the most recent package information, please visit: https://community.chocolatey.org/packages/notepadplusplus.install

Announcing Release of Chocolatey CLI v2.6.0, Chocolatey Licensed Extension v7.0.0, Chocolatey Agent v3.0.0, and Chocolatey GUI Extension v2.0.1

Rain Sallow — Mon, 01 Dec 2025 00:00:00 GMT

import Callout from '@choco-astro/components/Callout.astro';

Discussed below are the change highlights included in these releases, but we also have a full set of release notes available for each product release:

We're excited to announce the release of Chocolatey Licensed Extension v7.0.0!

<Callout type="info"> If you use Chocolatey Licensed Extension it is recommended that you install v7.0.0 to use all the new functionality that has been added to Chocolatey CLI v2.6.0. </Callout>

Improvements to `choco info`

choco info has been enhanced and now shows both the source URL and the software installation path for a given package.

Improvements to `choco download`

New functionality has been added to choco download to avoid downloading dependencies that had already been downloaded to the target folder.

Additionally, the --ignore-dependencies-from-source parameter has been added. This parameter takes the name of a known source (one that has previously been registered via choco source), and will skip downloading any dependency packages that already exist on this source. For example:

Improvements to Virus Checking

Previously, with the Chocolatey Licensed Extension installed, virus checking was only performed when downloading an installer or an archive, but would not run if they were embedded in the package. With this change, virus checking is now performed when installing from an embedded installer or archive (such as with Install-ChocolateyInstallPackage or Get-ChocolateyUnzip).

Clearer Error Messages For Non-administrative Users

Previously, non-administrative users attempting to run commands that require administrative permissions could run into some unclear and repetitive error messages. With this change, non-administrative users will see a clear error merssage rather than attempting the operation.

Attempting to Upgrade a Pinned Package will Display the Pin Reason

Previously, the pin reason was only visible if querying choco pin list. With this change, it will be displayed when a user attempts to upgrade a pinned package to inform them why the package was pinned.

`choco sync` Improvements

Previously, the choco sync command would not provide any information when run with --noop. This has been changed to display the full set of packages that are expected to sync if you were to re-run the command without --noop, without making any changes.

Added Configurable Prohibited Options For Background Service

Administrators could already configure which commands could be run through Background Service, but there was no way to restrict the available options. The configuration setting backgroundServiceDisallowedOptions now allows Administrators to create a list of prohibited options. For example:

choco config set --name="'backgroundServiceDisallowedOptions'" --value="'force,f,s,source'"

This configuration would prevent users from using any of the mentioned options (--force, -f, -s, --source) when commands are run through Background Service.

<Callout type="warning"> The configuration value must explicitly contain the options to be restricted. As an example, if you want to resrict the force option, you need to add both f and force to this value. The default list restricted options can be found on the Self Service page. To expand the list, we recommend you run choco config get --name="'backgroundServiceDisallowedOptions'" to obtain the existing list first and add the new options to it. </Callout>

Improvements For `choco convert`

Previously, choco convert required every package dependency to be present, and would convert all of them when converting a target package. This could sometimes result in Chocolatey CLI converting dependency packages multiple times over when it wasn't necessary. With this change, running choco convert will attempt to take into account any existing dependencies of the target package that have already been successfully converted and are available in the local directory.

Changes to the `chocolatey.licensed` Source

Previously, there was an issue where if you updated or changed the license file, the chocolatey.licensed source would be enabled the next time you ran Chocolatey CLI, even if you'd previously disabled it. This has been rectified; the source will remain disabled if it has been previously disabled on that computer.

Release Notes

For more information on the changes, features, improvements and bug fixes that were included in these releases, please see the release notes:

Learn More

Check out the documentation.
Learn about other features available in Chocolatey for Business.
Contact us to find out more and setup your evaluation of Chocolatey for Business today.

Chocolatey Sponsors KCDC 2025

Stephen Valdinger — Tue, 30 Sep 2025 00:00:00 GMT

Chocolatey Software was proud to sponsor KCDC 2025, held in Kansas City, Missouri, August 14-16, 2025.

KCDC is a community-driven conference that brings together approximately 1,700 developers, IT professionals, and technology enthusiasts to share knowledge, network, and explore the latest trends in the tech industry. Our booth was a flurry of activity where attendees gathered to learn about Chocolatey, our products, and how we can help streamline software management and deployment for an organization. They also enjoyed our swag, including our popular custom Chocolatey chocolate bars! We look forward to sponsoring and attending KCDC again in the future.

Chocolatey Community Repository Optimizations

Stephen Valdinger — Mon, 29 Sep 2025 00:00:00 GMT

The Chocolatey Community Repository gets a boost!

Chocolatey's engineering team has recently implemented several optimizations to the database that powers the Chocolatey Community Repository. These optimizations result in performance improvements when interacting with the Chocolatey Community Repository, both by visiting community.chocolatey.org in a web browser and when using the choco command line tool to search for, install, and manage packages. In addition to these SQL performance enhancements, we have prevented invalid requests from hitting the API, as well as improving our testing and deployment strategies.

All of these combine to make using the Chocolatey Community Repository a better experience for everyone.

Four Billion Installs?

Gary Ewan Park — Wed, 27 Aug 2025 00:00:00 GMT

import Callout from '@choco-astro/components/Callout.astro';

<Callout type="info"> This blog post is being published on 5th September 2025, however, the roll over to 4 billion downloads happened on the 27th August 2025, which is why the blog post uses that date. </Callout>

It was just over 1 year ago when we announced 3 billion package installations from the Chocolatey Community Repository. It took us just under 9 years to get to our first billion downloads. But each subsequent billion is taking less and less time to reach!

The 3 billion package installations happened on 31st May 2024. At that time we had just under 10,500 unique packages and just over 220,000 total packages. Today we have grown those numbers to almost 11,000 unique packages and a staggering 264,000 total packages! Chocolatey Software hosts the largest community repository of Windows packages of any software or package manager on Windows today.

This is all thanks to the hard work by our awesome volunteer Community Moderators, individual package maintainers and the Chocolatey Community Chocolatey Packages maintainers. Thank you to each one of you!

And just because everyone loves a table, or is that just me?!?

Date	Event	Unique Packages	Total Packages	Days between each event
1st September 2011	CCR Created	51	161	N/A
19th May 2020	1 Billion Installs	7739	92,288	3183 (8.7 years)
9th September 2022	2 Billion Installs	9562	165,040	843 (2.3 years)
31st May 2024	3 Billion Installs	10424	220,893	630 (1.7 years)
27th August 2025	4 Billion Installs	10905	264,188	453 (1.2 years)
Place your bets!	5 Billion Installs	???	???	???

Some fun questions to make you all think...

When do we think the 5 Billion package installs is going to happen?
What packages do you think existed in the 51 packages that were available when CCR first released?
What was the first package downloaded from the Chocolatey Community Repository?

Highlights from the Chocolatey CLI v2.5.0 Release

Kim Nordmo — Wed, 09 Jul 2025 00:00:00 GMT

Below is a summary of the most notable changes included in this release. For a comprehensive list of features, improvements, and bug fixes, please refer to the full release notes.

Enhanced PowerShell Tab Completion

Chocolatey CLI now supports expanded PowerShell tab completion for a more intuitive command-line experience. Key enhancements include:

Version Selection: When using --version with the install or upgrade commands, you can now cycle through available package versions using tab completion—no need to manually lookup versions.
Argument Completion: Tab completion is also supported for:
- --name in the feature, config, and pin commands.
- --source in the source command.

These improvements streamline CLI usage by reducing manual input and lookup time.

Flexible Search Result Ordering

A new --order-by option has been introduced for the search command, enabling users to control how results are sorted.

Previously, sorting was limited to the --order-by-popularity option. With this release, you can now sort search results by:

Id.
Title.
Popularity.
LastPublished.
Unsorted (disables sorting, preserving source response order).

This provides greater flexibility when filtering and reviewing packages.

New `license` Command for Installed License Information

A new top-level command, choco license, is now available for users with an installed Chocolatey license.

This command outputs key license details, including:

Registered user or organization.
License expiration date.
License type (e.g., Business, Pro).
Node count covered by the license.

This makes it easier to audit and confirm licensing information directly from the CLI.

Option to Exclude Pinned Packages in `list`

A new --ignore-pinned option is available for the list command. When used, it excludes pinned packages from the output, providing a clearer view of the packages that are eligible for upgrade or removal.

New Feature: Global HTTP Cache Control

Chocolatey CLI now includes a new configurable feature: useHttpCache.

While commands like install, upgrade, search, info, and outdated have long supported bypassing HTTP caches on a per-command basis, v2.5.0 allows users to globally disable HTTP caching.

When useHttpCache is disabled, Chocolatey CLI will always fetch the latest data from configured sources, ensuring the most up-to-date information is used.

:choco-warning: Warning

Disabling this feature may significantly increase command execution times, especially when multiple sources or many packages are involved.

Improvements for Package Maintainers

Several updates have been made to provide package maintainers with more context during package operations:

Access to Previous Package Version During Upgrades

When a package is being upgraded, the version being upgraded from is available via the environment variable $env:ChocolateyPreviousPackageVersion, for use in the chocolateyInstall.ps1 script. This is useful for version-aware upgrade logic within packages.

Detection of `--not-silent` Option Usage

Maintainers can now detect when a user has explicitly passed the --not-silent option via the environment variable $env:ChocolateyNotSilent. This is useful for conditionally running interactive logic (e.g., UI-based installers or AutoHotkey scripts) in a supported manner.

Additional Improvements

This release also includes various bug fixes, internal improvements, and smaller enhancements not covered above. We recommend reviewing the full release notes to see everything included in v2.5.0.

Behind the Curtain: Moderating Packages on the Chocolatey Community Repository

Josh King — Thu, 19 Jun 2025 00:00:00 GMT

import Callout from '@choco-astro/components/Callout.astro'; import SocialMedia from '@components/global/SocialMedia.astro';

In previous blog posts, we've talked about what the Chocolatey Community Repository is, and the package moderation process that packages go through when they have been submitted to the repository. These posts, and the documentation on the Chocolatey documentation site, mention a "Human Moderation" step; but what does this step actually involve, who does it, and what sort of things are these Moderators looking for?

Moderating the Chocolatey Community Repository is a labor of love for a small group of volunteers and Chocolatey Team Members, who serve as a final check as packages pass through the moderation pipeline looking for issues that the automatic Package Moderation Services cannot. When a moderator approves a package, they are saying "I've reviewed this package, and I am willing to vouch that it doesn't violate any guidelines or rules."

The Moderators also provide help and guidance to package maintainers when they have questions, or need a deep-dive into the Package Moderation Services testing results.

Throughout this post, I'll use the term 'we' to refer to the moderation team as a whole, however I'm writing from my own perspective and the process I employ when moderating packages.

Why Involve Humans?

Beyond the guidelines, Moderators are focused on one core goal: making sure a package is safe. By the time a package reaches us, the Package Validator service has already checked it against our baseline quality rules, and the Package Verifier service has tested that it actually installs. From there, moderators dig into the package's metadata, scripts, and other contents to understand what it's trying to do, confirm that it does what it claims, and ensure that, if approved, users can install it with confidence.

<Callout type="warning" > While Moderators do their best to ensure that packages on the Chocolatey Community Repository are safe to use, you should always carry out your own due diligence before installing a package. </Callout>

Since the Chocolatey Community Repository is open to anyone, and because the heart of most Chocolatey packages is just a PowerShell script, a package can theoretically "do" almost anything that PowerShell can do. It's worth noting that packages are not software, though they often install software. Without a human in the loop, a bad actor could push a package that passes automated checks but does something dangerous or deceptive when run. A smoke test by a human reviewer brings contextual understanding that automated tools can't replicate and can mean the difference between a trustworthy package and a hidden security risk. But more than just catching malicious intent, Moderators can spot when metadata doesn't align with the included software, when license terms are misrepresented, or when a package uses creative (or questionable) workarounds to get around restrictions.

Humans also recognize nuance. For example, some software authors / vendors don't offer silent installation options and so a package maintainer may include a AutoHotkey script to achieve an interaction-free installation. Automation can't answer why that script has been included and if it does what a casual observer would expect it to do.

Of course, the human touch comes with a cost: time.

The majority of Chocolatey Community Repository Moderators are volunteers that review packages in their spare time. This means that the speed at which a package is reviewed can vary. This makes moderation one of the repository's strongest features but also its biggest frustration. It's a delicate balance between expedience and safety. And trust me, we're just as frustrated when the moderation queue fills.

Ultimately, involving humans in moderation is what allows the Chocolatey Community Repository to remain open to contributions while still offering users a sense of safety, transparency, and quality. We're the last line of defense, and it's the human element that makes that line meaningful.

Tips for Package Maintainers: Passing Moderation Smoothly

To make your life (and ours) easier, keep these things in mind when submitting your packages:

Start from a package template. Using the choco new command will scaffold out a new package for you, which you can complete and add other content your package needs to function, such as scripts or binaries or installers.
Include all required fields and ensure all URLs are valid. The Package Validator service generally picks up on this particular issue, but sometimes they make it through to the moderation team.
Install the Chocolatey Community Validation Extension to catch common issues before you push your package.
Use meaningful tags to help users discover your package, but don't go overboard. Avoid generic tags, like chocolatey, and expect to be asked to amend a list greater than 10.
Understand redistribution rights. It is possible to embed a software installer inside your package, but the software's license must allow for this, and you will need to include the full license and instructions on how to validate those files within your package.
Package icons should be hosted at a location you control. It is common for this to be the GitHub repository in which you store the contents of your packages, but do note that you should not link directly to the icon on GitHub and instead use a CDN service like jsDeliver, Statically, or Githack.
Name your package correctly. Use only lowercase letters, split long names with hyphens (-), and don't use dots.
Don't create duplicate packages. If there is an existing package that is out of date, don't try to push an updated copy of it under a different ID. Instead, volunteer to take over the package by following the Package Triage Process.

Make sure you use all resources available to you, for example:

And if you're unsure about something, ask! Jump onto our Community Hub and ask your question in the #community-maintainers channel.

Time, Effort, and Workload

As mentioned above, the majority of the Chocolatey Moderation Team are volunteers. Even those of us who are members of the Chocolatey Team will moderate packages in our free time. As a small team, the time for a package to be reviewed can vary from a few days to a few weeks. We aim to keep the queue low, but sometimes it fills, especially around major holidays, summer, and year-end, but the volume of packages is not insignificant; there were over 6,000 packages manually reviewed in the last 12 months!

How long does it take a Moderator to review a package? There isn't one single answer to that question. A brand-new package from a first-time maintainer could take an hour to go through just to get to the point of sending a message asking for some changes to be made. Other packages that are updates to an existing package from a "seasoned" maintainer may only take 5 to 10 minutes.

We maintain full transparency on moderation and publish monthly statistics in the #community-repository channel on our Community Hub, including how many packages were reviewed by which Moderator and the average moderation time.

Becoming a Volunteer Moderator

We love our work, but we always welcome more helpers. If moderation seems interesting to you, you could make a big difference. If this sounds like something you'd enjoy, we encourage you to join us!

There is no formal process for becoming a moderator, but a good first step is to ensure you understand Chocolatey packaging and have published and successfully maintained packages on the Chocolatey Community Repository. Once you feel comfortable packaging, pop onto our Community Hub and let us know that you're interested. We're a friendly bunch, and veterans are generally happy to mentor new reviewers.

Wrap Up

Package moderation keeps Chocolatey packages safe and reliable for everyone, but it's a team effort. By understanding the process and following the guidelines above, maintainers can make approvals smoother. And if you've been considering giving back, joining the Moderation Team is a great way to do so.

Whether you're maintaining packages, reviewing them, or just curious, the Chocolatey Community Repository thrives on shared effort. Come say hi; we'd love to meet you!

Find us on:

Michael Governanti Joins Chocolatey as Infrastructure Operations Engineer

Chocolatey News Team — Tue, 03 Jun 2025 00:00:00 GMT

We are excited to announce that Michael Governanti has joined the Chocolatey Team as an Infrastructure Operations Engineer!

With a background in site reliability and systems analysis, Mike brings an enthusiasm for solving complex technical problems and an appreciation for automation. Over the years he’s honed his skills, primarily in PowerShell and Go, scripting business processes and building lightweight services that connect systems.

Mike focuses on building Infrastructure-as-Code solutions that scale well and remain maintainable over time. He’s worked with tools like Ansible and ARM templating to provision and manage systems, and he’s especially interested in making sure those systems are observable and easy to monitor.

Outside of work, you’ll likely find him either on a climbing wall, playing dubious lines in a game of chess, or working on byte-sized coding projects to learn something new.

Mike will be working remotely from Philadelphia, Pennsylvania.

How to Get The Most Out of Chocolatey Products & Services

Paul Broadwith — Tue, 20 May 2025 00:00:00 GMT

import SocialMedia from '@components/global/SocialMedia.astro';

Chocolatey Software has a plethora of information sources that provides you, our customers and community members, with answers to questions you may not have even thought of yet! With so many sources and so much information, the challenge can be: where do you start?

Today I will outline all the sources where you can find out more about Chocolatey, the company and the products, where to ask your questions and what options are available to you as a customer, or as a community member.

Reference Documentation

The first place to look at is our documentation site. Here you will find:

Reference documentation for all Chocolatey Software products, including:
Set up and how-to guides.
Frequently asked questions.
Rarely asked questions that are important to document.
What is, and how to create packages for, the Chocolatey Community Repository including organizational use, excessive use, and rate limiting.

... and much more.

The documentation site is a comprehensive resource for all things Chocolatey. So much information, in fact, that it can be difficult to find what you are looking for. We are very conscious of that, so ensure you use the Search to help find what you are looking for.

Release Announcements

If you are looking to find out what we release, when we release it, then you have a few options open to you:

chocolatey-announce Google Group.
Chocolatey Blog. We only blog about the major Chocolatey product releases.
We announce the releases on all our social media platforms, so make sure you're following us.

You can always find the release notes for all Chocolatey products on our documentation site:

Chocolatey Blog

You know where the Chocolatey blog is, as you're reading it right now! Our blog is where we announce releases, deep dive into features, talk about frequent use cases and so much more. If you want to know more about what is going on in the world of Chocolatey, our blog is a good place to start.

Commercial Customer Support

If you are a Chocolatey for Business customer you may have access to our Support and Solutions Team. We don't just "answer tickets", we raise internal and external issues, jump on virtual calls and work through your problem to get you a solution, gather feedback and advice for our Engineering Team, and do whatever is needed to provide each and every customer a "white glove" level of service backed by a Service Level Agreement.

You can also find help articles on our Chocolatey Help Center and find related issues raised by our team, or customers, in our Chocolatey Licensed Issues GitHub Repository If you still have questions, run choco support from the command line, to find out your other options.

If you are not a Chocolatey for Business customer, and you are intrigued as to how a company dedicated to the success of each, and every one, of their customers, becomes dedicated to your success, contact us.

Community Assistance

Whether you are a Chocolatey for Business customer, or not, every one of our customers and community members has access to our Community Assistance. While not backed by any Service Level Agreement, you will find the Chocolatey Team frequently responding to questions alongside our fantastic Community members.

To make accessing Community Assistance as easy as possible, we cover several different platforms:

Discord.
chocolatey Google Group: This is our longest running assistance area, using the traditional Google Groups email forum for questions and answers.
Reddit. Established in 2013 it is one of the longest running subreddits.
Both Chocolatey and Chocolatey Community GitHub Discussions.
GitHub issues for Chocolatey CLI, Chocolatey GUI, Chocolatey Ansible and others.

Social Media

Chocolatey Software is tweeting, tooting, and posting where our customers and community are. We're on all the social media things so come and join us by following.

Chocolatey Community Repository

While not a resource of information in the strictest sense, the Chocolatey Community Repository is the largest repository of Windows packages available. With, as of today's date, 3.74 Billion downloads of the 10,767 unique packages and 252,579 package versions, there is a lot of blood, sweat and experience in those packages.

If you are creating packages, whether for the Chocolatey Community Repository or your own internal repository, learn from the experience of others and use the repository packages as a basis for your own.

Summary

Chocolatey Software provides our customers and community with a wide range of options to find out about our products, how to set up and configure them, get answers to questions, and best practices for creating and maintaining packages. You could argue there is too much information! I hope this blog post has alerted you to resource that you didn't know existed, and encourages you to use those you did.

If you're a customer, experience a level of service and support that so many other customers fail to provide. If you're not a customer, you now know what you're missing. Don't let FOMO consume you.

We are always open to feedback on how we can do better. Let us know on one of the many channels above!

Announcing Release of Chocolatey Central Management 0.14.0

Stephanie Hays — Tue, 29 Apr 2025 00:00:00 GMT

import SocialMedia from '@components/global/SocialMedia.astro';

export const colors = ['pink', 'red', 'orange', 'yellow', 'green', 'blue', 'purple'];

We're excited to announce the release of Chocolatey Central Management v0.14.0! This update focuses on enhancing accessibility and usability, making it easier than ever for everyone to navigate and benefit from Chocolatey Central Management. We've made meaningful improvements to ensure a more comfortable and efficient experience for all users.

Discussed below are the main changes included in this release, but we also have the full set of release notes available to provide more details.

Accessibility Improvements

Improved Keyboard Navigation and Introduction of Skip Links

Navigating Chocolatey Central Management is now much smoother for users who rely on keyboards. Logical tab order ensures that moving through the interface with the <kbd>Tab</kbd> key is predictable and efficient. We've also introduced a skip link that allows users to jump directly to main content, reducing the number of keystrokes needed to get where they want to go. This is especially helpful for users of assistive technologies and those who prefer not to use a mouse. To activate the skip link, simply press <kbd>Tab</kbd> when the page loads and then press <kbd>Enter</kbd> to skip to the main content.

Improved Semantic HTML Structure and ARIA Attributes for Better Screen Reader Support

We've restructured our HTML to use more semantic elements, making it easier for screen readers to interpret and announce content accurately. By adding ARIA (Accessible Rich Internet Applications) attributes, we provide additional context to assistive technologies, ensuring that users get meaningful information about interactive elements, page structure, and navigation landmarks.

Enhanced Color Contrast for Improved Readability

All interface elements have been reviewed and updated to meet higher color contrast standards. This change makes text, icons, and buttons easier to read for users with low vision or color blindness, reducing eye strain and improving overall usability.

{['light', 'dark'].map(theme => ( <div class="card card-body mb-3" data-bs-theme={theme}> <h4>{theme.charAt(0).toUpperCase() + theme.slice(1)} Mode Colors</h4> <div class="d-flex flex-wrap justify-content-center"> {colors.map(color => ( <div class={text-bg-${color} h-px-100 w-px-100 rounded d-flex align-items-center justify-content-center m-1}> <p class="mb-0">{color}</p> </div> ))} </div> </div> ))}

Larger Clickable Areas for Buttons and Links

We've increased the size of clickable areas for buttons and links throughout CCM. This makes it easier for users with limited dexterity or those using touch devices to interact with the interface, reducing the likelihood of missed clicks and improving the overall experience.

Unique Titles and Descriptions for Each Page

Every page in CCM now features a unique title and description. This provides clear context for screen reader users and those navigating via assistive technologies. Users always know where they are and what to expect on each page.

Expanded Options in the Left Navigation Menu

The left navigation menu has been expanded and reorganized to provide quicker access to more features. Menu items are now easier to find and interact with, and the improved structure benefits both keyboard and screen reader users, making navigation more intuitive and efficient.

Addition of Breadcrumbs

Breadcrumbs have been added to every page and offer a straightforward way for users to see where they are and easily navigate back to previous sections. By making our breadcrumbs accessible, we help everyone, especially screen reader and keyboard users, stay oriented and move around easily.

Ability to Pause Auto Refresh

We've added a feature that allows users to pause the auto refresh functionality on certain pages. This is particularly useful for users who may need more time to read or interact with content without being interrupted by automatic updates.

Give Warning When Links Open in a New Window

To improve the experience for users who may not expect links to open in new windows or tabs, we've added a warning message that appears on hover or focus. This ensures that users are aware of the change in context and can manage their navigation accordingly.

Our Commitment to Accessibility

We recognize that accessibility is an ongoing journey, not a one-time checkbox and we are committed to continuous improvement. Our goal is to make Chocolatey Central Management usable by as many people as possible, regardless of ability. We welcome feedback from our community to help us identify areas for further enhancement.

Find us on:

Release Notes

For more information on the breaking changes and improvements that were included in this release, please see the release notes.

Learn More

Check out the documentation.
Learn about other features available in Chocolatey for Business.
Contact us to find out more and setup your evaluation of Chocolatey for Business today.

We're Hiring an Infrastructure Operations Engineer, Come Work with Me!

Josh King — Fri, 07 Mar 2025 00:00:00 GMT

import Callout from '@choco-astro/components/Callout.astro';

Here at Chocolatey Software, we're looking for an Infrastructure Operations Engineer to join our team. Are you on the fence about applying, or just curious what it's like to work at Chocolatey? Let me tell you a little bit about the role and what a day in the life of a member of the Operations Team looks like.

Who is on the Operations Team?

Currently, that would be me, Josh King. I've been with Chocolatey since 2021, and I'm a Senior Infrastructure Operations Engineer.

With any luck, you'll be joining me, and we'll be working together to ensure that Chocolatey's infrastructure is secure, reliable, and available for our community, customers, and the wider Chocolatey Team.

As a small team, we both have a lot of responsibility but also a lot of autonomy. We're responsible for the day-to-day running of Chocolatey's infrastructure, as well as planning and executing projects to improve it. We also work closely with the rest of the Chocolatey Team to ensure that our infrastructure meets the needs of the business.

What does a typical day look like for an Infrastructure Operations Engineer?

<Callout type="info"> Before getting too far into the weeds here, it's worth pointing out that I am working remotely from New Zealand. Compared to the rest of the Chocolatey Team, I am a day ahead and in a "weird" time zone. This means that I'm regularly coming online in the middle of the night to meet with the rest of the team; this is a choice on my part that is made easier thanks to the support and understanding of my colleagues. </Callout>

Everyone at Chocolatey works remotely, so the first thing is there's no daily commute! At least not one that you're allowed to complain about to your significant other!

My day starts with a coffee and getting logged in at my desk to check what happened overnight. When working remote, it is a big help to have a dedicated workspace so that you can separate work from home life. I'm lucky enough to have a dedicated home office that absolutely still looks as tidy as in the included photo.

In the Operations Team we aim to split our days in half. The first half is spent on "business as usual" tasks - monitoring the infrastructure, responding to alerts, and dealing with any issues that arise. If we're able to automate away these sorts of tasks, then you bet we'll pursue that. The second half is spent on project work - planning and executing projects to improve our infrastructure.

We're also big on learning at Chocolatey, so you can expect to spend some time each week on your professional development. This could be anything from reading a textbook or taking an online course, to attending a conference or giving a presentation.

There are regular meetings that include both the Operations and Developments Teams, as well as company-wide meetings. These are a great way to keep in touch with the rest of the team and get a little bit of that social interaction that you might miss out on when working from home and that chat can't fully emulate.

What are we looking for in an Infrastructure Operations Engineer?

Before anything else, make sure you check out the job listing for all the nitty-gritty details.

<Callout type="info"> Please do pay attention to the hours listed in the job listing. We're a global team, and while you could work from anywhere, this role requires that a specific period of time is covered. If you're not able to work the hours listed, then this role might not be for you. </Callout>

First and foremost, we're looking for someone who is passionate about automation. We're a small team, so we need to be able to automate as much as possible to keep up with the demands of the business. You should be comfortable writing code in at least one programming or scripting language, PowerShell being a strong preference, and have experience with tools like Ansible, Terraform, Chef, or Puppet.

You should have experience working with both cloud and physical infrastructure, and be comfortable with both Windows and Linux (though you don't need to be a Linux guru!).

Being a natural troubleshooter is a must. You should be able to quickly diagnose and resolve issues with our infrastructure, and be able to work under pressure when things go wrong.

Finally, you should be a good communicator. We're a remote team, so you need to be able to communicate effectively in writing and over video calls. You should also be able to explain complex technical concepts to non-technical folk.

Ready to Make an Impact?

Does the above sounds like a good fit for you? Are you excited by the prospect of building and maintaining efficient infrastructure? Then we'd love to hear from you: check out the job listing for all the details, and apply today!

If you have any questions about the role, or what it's like to work at Chocolatey, feel free to reach out to me on Bluesky or LinkedIn.

I can't wait to welcome a new team member! Could it be you? 🍫

Deep Dive into NuGet v2 & v3 Repository Behaviour

Cory Knox — Wed, 19 Feb 2025 00:00:00 GMT

This blog post details a comprehensive investigation into the behavior of NuGet v2 and v3 repositories, specifically focusing on the discrepancies and inconsistencies observed across different repository managers. The aim is to provide clarity on the observed issues and offer practical recommendations for users encountering similar problems.

Our investigation revealed inconsistencies in the data provided by various NuGet repository managers (Nexus, Artifactory, and ProGet) when queried using both v2 and v3 NuGet API endpoints. While both Chocolatey CLI (Chocolatey CLI) and NuGet CLI (NuGet CLI) consistently presented the data received, the data itself varied between repository implementations. Below we have outlined our methodology, findings, and recommendations for mitigating these issues.

Terms and Definitions

For consistency, we have used some wording that we should define before we go on:

Group(ed) Repository: A repository that aggregates queries from multiple other repositories. (Nexus calls these Group Repositories, and Artifactory calls them Virtual Repositories).
Proxy Repository: An intermediary repository between a client and an upstream repository. (Nexus calls these Proxy Repositories, and Artifactory calls them Remote Repositories).
Correct/Incorrect Endpoint: Using the appropriate NuGet API endpoint version (v2 or v3) for the corresponding repository version.

Methodology

To ensure reproducibility and thoroughness, our methodology consisted of several key phases:

1. Environment Setup

We used the following versions during our investigation:

Software Name	Version Number
Chocolatey CLI	2.3.0
NuGet CLI	6.11.1.2
Fiddler Classic	5.0.20244.10953
SQL Server (Docker Container)	2019-CU28-ubuntu-20.04
Artifactory (Docker Container)	7.77.8
Nexus (Docker Container)	3.71.0
ProGet (Docker Container)	24.0.13

Repository Manager Setup

We used Docker Compose (provided in the Git repository) to provision isolated environments for each repository manager (the version used is shown in the table above) using docker compose up --wait. This ensured consistency and prevented interference between tests. The Nexus repository's default administrator password was retrieved using docker compose exec nexus cat /nexus-data/password.admin.

SQL Server was used as the database backend for those repository managers that require it.

Each repository manager was configured with the following settings:

Consistent administrator username and password across all systems.
Anonymous access enabled to simplify testing.
Nexus: NuGet API-Key Realm was explicitly enabled.
Port mappings were carefully configured to allow access to each repository manager's web interface and API endpoints:
- Nexus: Port 9000
- Artifactory: Ports 8081 and 8082
- ProGet: Port 9003

2. Test Repository Configuration

Within each repository manager, we created a standardized set of repositories:

nuget-hosted: A local NuGet v3 repository.
nuget-v2-hosted: A local NuGet v2 repository.
nuget.org-proxy: A proxy NuGet v3 repository pointing to https://api.nuget.org/v3/index.json.
nuget.org-v2-proxy: A proxy NuGet v2 repository pointing to https://nuget.org/api/v2/.
nuget-group: A group repository that aggregated nuget-hosted and nuget.org-proxy.
nuget-v2-group: A group repository that aggregated nuget-v2-hosted and nuget.org-v2-proxy.

ProGet's configuration differed slightly as it does not have an explicit group and proxy repository type in the same way that Nexus and Artifactory do. Its nuget-group repository included a connector to https://api.nuget.org/v3/index.json.

3. Package Creation and Publication

Using the provided PowerShell scripts, New-Dependencies.ps1 and New-Packages.ps1, we generated many test packages with varying dependencies. A Vagrantfile is provided to further simplify the package creation process.

We used Push-Repo.ps1, along with the appropriate API keys and source URLs for each repository, to upload all the generated test packages.

4. Automated Testing

The testRepos.ps1 PowerShell script automated the testing process. This script:

Took the Docker host as a parameter.
Created a timestamped output directory for each test run.
Iterated through all the defined repositories and endpoint combinations (NuGet v2 and NuGet v3).

For each combination:

Created an output file (<RepositoryBeingTested>-<RepositoryType>-<RepositoryQueryType>-queriedas-<TypeOfQuery>.txt).
Added the source URL to the output file.
Executed choco search --source <SourceUrl> --ignore-http-cache and captured the results.
Recorded the Chocolatey CLI exit code.
Executed nuget search -Source <SourceUrl> -Take 1000 and captured both standard error and standard output.
Recorded the NuGet CLI exit code.

For example, if your Docker Host is corbob-docker, you would run ./testRepos.ps1 -dockerHost corbob-docker.

5. Network Traffic Analysis

Fiddler Classic was used to capture and analyze the network traffic during testing with the captured traffic being saved as a .saz file, and stored along with the corresponding test output files. This allowed us to inspect the raw HTTP requests and responses, and verify the data being exchanged.

6. Expanded Testing Scenarios

Based on initial observations and user reports, we designed additional test scenarios:

Configuring a NuGet v2 upstream repository as a NuGet v3 proxy.
Testing dependency resolution when downloading/installing packages.
Investigating incomplete results when querying NuGet v2 repositories.

7. Data Analysis

The captured output files and Fiddler traces were then analyzed to identify inconsistencies and discrepancies in the behavior of the different repository managers.

Initial Results

The initial results were mostly as we'd expected, and as we'd seen in previous testing.

Nexus Results

When queried with the incorrect endpoint, the group repository returned a 502 result indicating that there was a mismatch between the query and the repositories.

When queried with the correct endpoint, the results were that although both Chocolatey CLI and NuGet CLI were wanting 1000 results, they only received and subsequently outputted less than 1000 results. While both NuGet v2 and NuGet v3 endpoints returned less than 1000 results, the NuGet v3 endpoint returned a totalHits property that was populated with the number of results reported by Chocolatey CLI and NuGet CLI. And both requested results until that number.

Artifactory Results

When queried with the incorrect endpoint, the group repository returned just the hosted repository packages.

When queried with the correct endpoint, the NuGet v3 results were that both Chocolatey CLI and NuGet CLI were requesting 1000 results and that is how many they output. There were some discrepancies in the NuGet v2 endpoints where sometimes Chocolatey CLI would output more, and other times NuGet CLI would. By our understanding, the repository providers have deprecated the NuGet v2 endpoints, so we have focused our analysis on the NuGet v3 endpoints.

ProGet Results

ProGet was by far the most consistent in our testing. It responded with 1000 packages on every endpoint tested.

Expanding the Testing

Based on reported issues, we expanded our testing to include the following scenarios:

1. NuGet v2 Upstream Repository as a NuGet v3 Proxy

Configuring a NuGet v2 upstream repository as a NuGet v3 proxy in Nexus resulted in the group repository reporting everything as fine, but only returning hosted repository packages. Direct NuGet v3 queries to the proxy repository resulted in a 502 error. Artifactory exhibited similar behavior, while ProGet remained consistent.

2. Dependency Detection

Testing the download/install of the dep100 package revealed that Nexus consistently downloaded only dep100, while Artifactory and ProGet downloaded the full dependency chain (dep1 to dep100). Further investigation showed that Nexus required version numbers to be present in the dependencyGroups element of the .nuspec file to return dependencies correctly, while Artifactory and ProGet did not.

3. NuGet v2 Repository Package Retrieval

To address issues with incomplete results from NuGet v2 repositories, the usePackageRepositoryOptimizations feature in Chocolatey CLI was disabled. This, along with an increase in the number of test packages to 100, resolved the issue in Nexus and ProGet. However, Artifactory still showed inconsistencies, returning varying numbers of results to Chocolatey CLI and NuGet CLI.

Conclusion

Throughout this investigation, both Chocolatey CLI and NuGet CLI consistently reported the data they received from the repository providers. Discrepancies arose from the differing implementations of the NuGet API by the repository managers. Chocolatey CLI's default query optimization can also contribute to some of these discrepancies, but can be disabled using choco feature disable --name usePackageRepositoryOptimizations.

Recommendations

Based on our findings, we make the following recommendations when using repository managers:

If you encounter incomplete search results from a group repository, consider splitting it into multiple Chocolatey source repositories.
If you encounter incomplete results from a NuGet v2 repository, try querying it as a NuGet v3 repository.
When using Nexus, ensure that your .nuspec files include version numbers for dependencies to ensure correct dependency resolution.
If encountering inconsistencies with Chocolatey CLI, consider temporarily disabling the usePackageRepositoryOptimizations feature using choco feature disable --name usePackageRepositoryOptimizations.

Summary

This study provides a snapshot of the current behavior of several NuGet repository managers. Ongoing changes and updates to these systems may affect these findings. Continued testing and monitoring are recommended to ensure compatibility and identify any new issues.

We hope this blog post provides insight into the complexities of NuGet repository management. By understanding the nuances of each repository manager's implementation, you can make informed decisions and avoid potential pitfalls.

Looking Back on Community Day for 2024

Rain Sallow — Tue, 11 Feb 2025 00:00:00 GMT

For just over a year now, the Engineering team at Chocolatey have been getting on board with doing regular Community Days. So, with all that time under our belt, let's talk about 2024!

What's a Community Day?

As I'm sure everyone knows, many of our products and community projects are open source, with repositories on GitHub. Part of our open source commitment is to give back to the community we're a part of, as well as acknowledge and give proper attention to the community contributions in our own repositories. This is one way that we try to do that.

Community Day is where we set aside time to engage with other open source projects. This can be triaging issues and handling code contributions, or pull requests on our open source repositories, picking up outstanding issues that may not otherwise get prioritised, and at least some of the time engaging with the wider community by contributing to other open source repositories.

Where It All Started

This idea started out as some conversations with a friend in the community who was working for Puppet at the time, Mikey Lombardi (GitHub). He told me about how in order to help keep awareness on the large number of open source repositories that they had to manage, they allocated a day every week to work on the community aspect of their open source repositories. This sounded like a pretty good idea and also a good way to help team members engage with the open source projects more. Additionally, it avoids the problem we often see with many companies where team members are mostly working on non-public projects and the wider community rarely sees team engagement and input on their own open source repositories.

In talking with him, he raised the following excellent points as to why implementing a Community Day is a worthwhile endeavour, even though on paper it might first look like it takes time away from prioritised work:

The team already had obligations to maintain the open source repositories, but time was otherwise not specifically allocated to spend on issue triage, reviewing code contributions, and so on.
If team members are spending a decent amount of time trying to maintain the open source repositories, this can result in a lot of context switching, where they would be in the middle of other work and have to triage a new issue or find some time to review a code contribution or pull request, which always wound up taking a lot of extra time to just juggle the different work contexts constantly.
Allocating specific days as Community Day (for them, it was every Monday) meant they could focus more on planned and prioritised work without needing to worry about interruptions; reviewing code contributions, issue triage, and so on were all banished with that can wait until Monday, and the consistent time allocation there allowed them to focus better on both aspects of their work, with much less context switching getting in the way.
- Additionally, having all team members agree on the same day ensured no team members were held up in either the open source or planned and prioritised work by other team members being assigned to a different context.
If you aren't actively maintaining repositories and reducing the friction for open source development and community contributions, you don't really have an open source project; it could just as well be "public source". If nobody can really contribute because the barrier to entry remains too high, or the team's focus is never on issues or pull requests from the community, from a functional standpoint it doesn't really make sense to call it open source in a lot of ways.

After looking over some of their methods for approaching Community Day and trying to work out what might make sense for Chocolatey, I talked it over with the team, and we got the green-light to allocate some time for Community Day on a regular basis.

What Does That Look Like For Chocolatey?

When we first started, we reserved just one day per quarter for Community Day. A sort of trial run at first, to see how it could work for us.

After a handful of Community Days, we've started to look at doing things more frequently. At present, we're planning for two community days per quarter (one every six weeks or so), with every other Community Day being flagged as explicitly non-Chocolatey days. In other words, we spend half of our Community Days primarily focusing on handling our own open source projects, dealing with triaging issues and reviewing and helping get pull requests over the line, picking up issues and resolving them, and all around working to lower the barrier for open source contributors to be more readily able to contribute to our projects. The other half, we spend focusing on the wider open source ecosystem and helping out and contributing where we can.

For example, Chocolatey CLI depends on PowerShell and .NET, many of our websites rely on various TypeScript libraries, and plenty of the tooling we interact with on a regular basis is also open source. Ultimately, participating in and contributing back to the community whenever and wherever we can, benefits us as well as everyone else in our open source ecosystem.

Somewhat recently, other teams outside the core Engineering team have started to join in on Community Day when they are able to, as well.

Impact

We keep track of issues and pull requests actioned for Community Day, as well as the amount of team participation we're able to commit to it on a given Community Day, so we can better evaluate what our approximate impact is.

We had a total of 8 Community Days across 2024, from February to December. In that time, we had an average team participation rate of 75% (not counting folks who were out of office at the time).

In general, we record actions for a given pull request or issue. This may include:

Issue triage:
- Adjusting issue labels.
- Responding to issues.
- Opening or closing an issue.
Pull requests:
- Opening or otherwise directly contributing to a pull request.
- Responding to and/or reviewing a pull request.
- Merging or closing a pull request.

In 2024, we recorded a total of 297 contributions across all repositories the team worked in, with an average of 8 repositories being worked on during any given Community Day (averaging around 5 Chocolatey-owned repositories and 3 non-Chocolatey-owned repositories). This breaks down into a total of 121 contributions to pull requests, and 80 contributions to issues.

For those of you who like tables, the full breakdown for 2024 looks like this:

Month	Contributions	Pull Requests Actioned	Issues Actioned	Repositories	Team Participation
February	12	8	4	6	71%
March	43	27	16	11	71%
May	52	32	20	7	63%
June	72	44	28	12	86%
July	9	3	6	5	50%
September	20	18	2	7	57%
October	16	10	6	6	100%
December	73	49	24	13	100%

Future

We have steadily worked towards more Community Day contributions and more frequent Community Days as we've moved forward; we hope to continue that trend and continue to be able to contribute to our open source community. It may not make sense for us to take things as far as the Puppet folks did, focusing on the community for one day out of every week, but we will continue to evaluate that as we monitor our progress on future Community Days.

Using Chocolatey Packages For More Than Just Software Installation!

Derek Walker — Wed, 05 Feb 2025 00:00:00 GMT

Chocolatey CLI is well-known for installing and managing software, but it can be used to automate in a lot of different ways. A customer recently used Chocolatey CLI to deploy a Windows hardening baseline.

Beyond Software: The Versatility of Chocolatey Packages!

Chocolatey CLI isn't just a package manager for Windows software. It's an automation tool. Here's why Chocolatey CLI is a great choice for more than just installing software:

Automation: The scripting capabilities of Chocolatey packages allow automation of complex tasks.
Consistency: Deploying scripts or configurations as Chocolatey packages guarantees uniform deployment across systems.
Integration: Chocolatey CLI can be used with tools such as CI/CD pipelines and configuration management tools to simplify automation and reduce administrative overhead.

A hardening baseline is a set of security configurations that can be applied to a system to reduce its attack surface. An example script can be found on the PowerShell Gallery.

In this post we will show you how you can use Chocolatey CLI to deploy a Windows client hardening script, demonstrating its versatility beyond just software installation.

Why Use Chocolatey for Script Deployment?

Chocolatey CLI provides a simple way to package and distribute scripts, making it easy to deploy configurations or automation tasks across multiple machines. This is particularly useful in environments where consistency and repeatability are crucial. With Chocolatey CLI, you can also manage dependencies, ensuring that any required tools or libraries are available before executing your main script. Packages are also versioned, making it easy to roll back changes if needed.

Case Study: Deploying a Windows Client Hardening Script

Let's explore how a Chocolatey package can be used to apply a Windows client hardening script.

Step 1: Create Your Script

First, create a PowerShell script that applies the necessary settings for hardening a Windows client. For example, windows-client-hardening.ps1 might include security configurations like disabling SMBv1, enabling Windows Defender, and configuring firewall rules.

Step 2: Set Up the Chocolatey Package Structure

Organize your package by creating the necessary directory structure:

choco-windows-client-hardening
│   choco-windows-client-hardening.nuspec
└───tools
    │   chocolateyInstall.ps1
    │   chocolateyUninstall.ps1
    │   windows-client-hardening.ps1

Step 3: Define the Package Metadata

The .nuspec file contains metadata about your package. Here's an example:

<?xml version="1.0"?>
<package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
  <metadata>
    <id>choco-windows-client-hardening</id>
    <version>0.0.1</version>
    <title>Windows Client Hardening</title>
    <authors>Chocolatey Software</authors>
    <tags>windows-client-hardening script tutorial</tags>
    <summary>Windows Client Hardening</summary>
    <description>Windows client hardening</description>
  </metadata>
  <files>
    <!-- this section controls what actually gets packaged into the Chocolatey package -->
    <file src="tools\**" target="tools" />
  </files>
</package>

Step 4: Write the Installation Script

The chocolateyInstall.ps1 script will execute your hardening script:

$ErrorActionPreference = 'Stop'
$toolsDir   = "$(Split-Path -parent $MyInvocation.MyCommand.Definition)"

$script = Join-Path -Path $toolsDir -ChildPath 'windows-client-hardening.ps1'

Write-Verbose "Executing script: $script"
& $script

:choco-info: NOTE

You can edit the chocolateyUninstall.ps1 script to reverse any changes made by your hardening script. This is optional but recommended for a complete package. If you choose not to implement an uninstall script, this file can be removed as it is not needed.

Step 5: Pack and Push Your Package

Use Chocolatey CLI to pack your package:

choco pack choco-windows-client-hardening.nuspec

Then push your package to a repository. For something like a hardening baseline this would be an internally hosted repository:

choco push choco-windows-client-hardening.0.0.1.nupkg --source <YOUR_REPOSITORY_URL>

With your package ready, you can now deploy it to any machine using Chocolatey CLI:

choco install choco-windows-client-hardening

Updating the Package

Updating the package is straightforward. Modify your script, update the version in the .nuspec file, and repeat the packing and pushing process. This can even be automated with a CI/CD pipeline.

Broader Applications

The same approach applies to various other tasks:

Configuration Management: Deploy system configurations, environment settings, or network policies.
Maintenance Scripts: Automate regular maintenance tasks like cleanup scripts, backups, or performance optimizations.
Custom Deployments: Roll out custom software setups or proprietary tools specific to your organization.

I Have Questions!

Check the Chocolatey Packaging FAQ for more information, or reach out for community assistance on our Community Hub.

Wrap Up

In this post we covered a unique way Chocolatey packages can be used to help in your automation efforts.

If you have any more questions, please reach out for community assistance on our Community Hub.

Securing your Chocolatey Agent connections to Chocolatey Central Management

Josh King — Tue, 14 Jan 2025 00:00:00 GMT

import Iframe from '@choco-astro/components/Iframe.astro'; import Callout from '@choco-astro/components/Callout.astro';

For our ninth, and final for 2024, back-to-basics livestream, we went a little bit beyond the basics and covered securing your Chocolatey Agent connections to Chocolatey Central Management (CCM). We also briefly considered some general security best practices for your Chocolatey Central Management deployment itself.

This blog post gives a deeper dive than was possible during the livestream, including covering the setup that happened ahead of time and provides links to relevant documentation for further context.

Security Best Practices for Chocolatey Central Management Deployments

Before we dive into securing your Chocolatey Agent connections to Chocolatey Central Management, let's consider some general security best practices for your Chocolatey Central Management deployment itself.

Separation of Components

It is common, especially when testing Chocolatey Central Management, to install all components on a single server. However, in a production environment, it is recommended to capitalize on the flexibility afforded by CCM being released as multiple Chocolatey packages, and install the components on separate servers. These components include:

The CCM Database
The CCM Web Interface: where CCM Admins log in to, manage the environment, create deployments, and view reports.
The CCM Service: where the Chocolatey Agents communicates with.

Host the Database on a Dedicated SQL Server Instance

First, host the database on a dedicated SQL Server instance. This could be SQL Server installed on a virtual machine (VM) or physical server, an Azure SQL Database, or Amazon RDS instance. This separation allows you to scale the database independently of the CCM Web interface and CCM Service components. The CCM database component is installed using the chocolatey-management-database package.

Host the CCM Service Where it is Accessible to Chocolatey Agents

Next up, install the CCM Service component on a server that is accessible to your Chocolatey Agents. This could be an on-premises server, a server in a DMZ, or a server in a cloud provider. The key is ensuring that this server is in some way isolated from the rest of your infrastructure as you will have Chocolatey Agent connecting to it from your end-user devices. This server needs to be able to accept incoming connections from Chocolatey Agent, and an outgoing connection to the database. The CCM Service component is installed using the chocolatey-management-service package.

Host the CCM Web Where it is Accessible to CCM Admins

Finally, install the CCM Web component on a server that is accessible to the administrators responsible for your Chocolatey for Business deployment, and will also need an outgoing connection to the database. The CCM Web component is installed using the chocolatey-management-web package.

You'll notice that both the Web and the Service components need to be able to access the database. An additional consideration is to use different credentials for the Web and Service components to access the database, and to ensure that these credentials have the minimum required permissions to access the database. Not only does this mean each service has only the access it needs to run, but also that if one set of credentials is compromised then you only need to rotate those credentials and not the others.

For more details about installing CCM, see the Chocolatey Central Management Setup documentation.

Always Configure Communication Salt Additives

While the Chocolatey Agent and the Chocolatey Central Management Service communicate over HTTPS (either using a self-signed certificate or a certificate issued by a public or private Certificate Authority), it is recommended to configure communication salt additives. This is a pair of secrets that are shared between the Chocolatey Agent and the Chocolatey Central Management Service that is used to encrypt the communication between the two. This is an additional layer of security that ensures that even if the communication is intercepted, it cannot be read.

To configure these salts, set the configuration options on both CCM Service host and any Chocolatey Agent end-user devices communicating with it:

choco config set --name centralManagementClientCommunicationSaltAdditivePassword --value <Your Client Salt>
choco config set --name centralManagementServiceCommunicationSaltAdditivePassword --value <Your Service Salt>

More information about this can be found in the Config Settings documentation.

Chocolatey Agent Connection Scenarios

The main topic of the above livestream was securing the connection between Chocolatey Agent and Chocolatey Central Management using Cloudflare's Zero Trust tunnel service. Before we get to that, however, let's cover some other common scenarios.

While these scenarios are presented as all-or-nothing solutions, it is more likely that a real-world deployment will be a mix of these scenarios. For example, you may have some clients on your local network that connect directly, some clients connecting via a VPN, and some clients connecting via a Zero Trust tunnel.

Direct Connection on Local Network

The simplest scenario is to have Chocolatey Agent connect directly to the Chocolatey Central Management Service. This is a scenario that may make sense if all of your clients are on-premises, and you're able to host the CCM service within a network segment that is accessible to all of your clients. Your clients will just need to be able to resolve the hostname of the CCM service and connect to it over the Chocolatey Agent port (which defaults to 24020).

External Clients via Firewall rules

If you have clients that are external to your network, you may want to consider using firewall rules to restrict access to the Chocolatey Agent port on the CCM Service host. This is a scenario that may make sense if you have a small number of external clients, or if you have a small number of external clients that are connecting from a known set of IP addresses. You can use your firewall to restrict access to the Chocolatey Agent port to only the IP addresses of your external clients.

You do not want to use this scenario if your external clients are unlikely to have static IP addresses as you will need to update your firewall rules every time an IP address changes.

If you opt to use this scenario, it is very important to ensure that your CCM Service is installed on a dedicated server that is in a DMZ, or is otherwise segmented from the rest of the network.

External Clients via VPN

If you have clients that are external to your network, and you have a Virtual Private Network (VPN) solution in place, you may want to consider using your VPN to allow your external clients to connect to your Chocolatey Central Management Service. This is a scenario that may make sense if you have a large number of external clients, or if you have external clients that are connecting from a range of IP addresses.

Do remember that a VPN often gives the client access to a given subnet on your network, and so you will need to be aware of what other services the client can access once connected to the VPN.

External Clients via Zero Trust Tunnel

Finally, you can use a Zero Trust solution to allow your external clients to connect to your Chocolatey Central Management service via a tunnel. This tunnel allows network traffic for only a given port to be transported from a client to the CCM service host without needing direct network access or open firewall rules. Generally speaking, the Zero Trust solution will require the client to authenticate before the tunnel is established, and can even enforce that the client is in a given state (such as running a specific antivirus solution and having up to date patches installed.)

Securing Chocolatey Agent Connections using Cloudflare Zero Trust

While there are a number of services that can be used to operate a Zero Trust Tunnel, such as Teleport and Boundary, we're going to focus on Cloudflare Zero Trust for this blog post.

Cloudflare Dashboard

There are a couple of things to consider when using Cloudflare Zero Trust. First, you'll need a Cloudflare account, and you'll need to have the domain you're wanting to use for your tunnels managed by Cloudflare. There is no cost associated with this in and of itself, including the Zero Trust feature, as long as you have under 50 users.

You'll also want to consider what host names under your domain you want to use for your tunnel. Technically you can register multiple services against a single tunnel, and each of these will need a hostname. For example, in this post we will use tunnel-ccm-web.toastit.dev for the CCM Web component and tunnel-ccm-agent.toastit.dev for a Chocolatey Agent connecting to the CCM Service.

In order to start using the Zero Trust feature, you'll need to create a "Zero Trust organization".

Next, configure an identity provider. This will be used to authenticate users before they are allowed to connect to your services. Cloudflare supports a number of identity providers, including Google, Okta, and Azure AD. Each of these are well documented within the Zero Trust web dashboard itself.

With that, the high level Cloudflare Zero Trust Configuration is complete. You may wish to create user groups to make policy creation easier, but from here we can start getting ready for specific the setup of our CCM tunnel.

Application Configuration

Within the Cloudflare Zero Trust dashboard you will see the term "Application". This is the term used for a specific service, of which multiple can be associated with a single tunnel. We're going to create two applications, one for the CCM Service itself that Chocolatey Agent will use and one for the CCM Web component that CCM Admins will use to access the CCM Web interface.

In my demo environment, I am running all the CCM components on a single server, and so we'll be making use of a single tunnel. However, in a production environment you would likely have the CCM Service and CCM Web components on separate servers and so would have two tunnels.

These are the general steps to create an application, remember to change my example names and URLs to match your environment:

Open the Cloudflare Zero Trust dashboard.
Click on Access on the left side of the screen, and then Applications.
Click the Add an application button.
Click the Select button under the Self-hosted option.
Enter a name for this service, such as CCM (Web) in the Application name field.
Enter the subdomain for this service in the Subdomain field, such as tunnel-ccm-web and select your domain name from the Domain dropdown.
1. You will get a warning that there is no DNS record found for this domain. We will be creating that during the Server Configuration.
Further down this page under the Identity providers section, select the identity provider you configured earlier. If you have multiple identity providers, you can select one, multiple, or all of them.
Click the Next button.
Enter a name for policy that will dictate who can access this service, such as CCM (Web) Allow Admins.
If you configured user groups, you can select them here, otherwise configure the policy to allow access to the service in the Configure rules section.
1. Your policy needs to have at least one rule or group marked as Include.
Click the Next button.
Click the Add application button.

Repeat this process for the CCM Service now, ensuring the name and host name used reflect the difference between the two services.

Server Configuration

The official documentation for setting up a Cloudflare Zero Trust tunnel on a Windows Server can be found here. The following is the process that I personally follow:

Open an elevated PowerShell prompt.
Install the Cloudflare Tunnel client, cloudflared, using Chocolatey CLI:
```
choco install cloudflared
```
Run the following command to add cloudflared as a Windows service:
```
cloudflared service install
```

Create a configuration directory for cloudflared under system profile:

New-Item -ItemType Directory -Path "C:\Windows\System32\config\systemprofile\.cloudflared"

Login to Cloudflare, this will open a browser (or give you a URL to use on another system if you're using Server Core) and ask you which domain you wish to authenticate against:
```
cloudflared login
```
This creates a cert.pem file in your user profile which is used to authenticate the tunnel going forward. Copy this to the directory you created earlier under the system profile:
```
Copy-Item -Path "$env:USERPROFILE\.cloudflared\cert.pem" -Destination "C:\Windows\System32\config\systemprofile\.cloudflared"
```
Create your tunnel, giving it a unique name remembering that this single tunnel will be used for multiple services so keep it generic:
```
cloudflared tunnel create <Tunnel-Name>
```
This creates a .json file with a GUID which is the ID that has been assigned to the tunnel. Take note of this GUID, and then copy the .json file to the directory you created earlier under the system profile:
```
Copy-Item -Path "$env:USERPROFILE\.cloudflared\<Tunnel-ID>.json" -Destination "C:\Windows\System32\config\systemprofile\.cloudflared"
```

Now create a configuration file and save it as C:\Windows\System32\config\systemprofile\.cloudflared\config.yml. I have included the config file from my demo environment, remember to change the example values and placeholders as needed:

tunnel: <Tunnel-ID>
credentials-file: C:\Windows\System32\config\systemprofile\.cloudflared\<Tunnel-ID>.json

ingress:
- hostname: tunnel-ccm-web.toastit.dev
  service: https://ccm.toastit.dev

- hostname: tunnel-ccm-agent.toastit.dev
  service: tcp://localhost:24020

- service: http_status:404

Note, if you use a self-signed SSL certificate for your CCM deployment, you may need to tell cloudflared not to verify the certificate:
```
- hostname: tunnel-ccm-web.toastit.dev
  service: https://localhost:443
  originRequest:
      noTLSVerify: true
```

You now need to tell Windows where your configuration file is when running the cloudflared service:
1. Open regedit and navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cloudflared
2. Inspect the ImagePath, it should currently be the path to the cloudflared executable.
3. Edit the ImagePath to add the following to the end of the current value:
```
--config=C:\Windows\System32\config\systemprofile\.cloudflared\config.yml tunnel run
```
4. Restart the cloudflared service:
```
Restart-Service cloudflared
```

Connecting Clients

Now that the tunnel is up and running, and you have configured the services that are accessible through it, you can now connect clients through the tunnel.

First, let's see how an admin will be able to access the CCM web interface.

In a browser, enter the hostname you configured for the CCM Web interface. In my case tunnel-ccm-web.toastit.dev. You will be redirected to your identity provider to authenticate, if you aren't already, and then you will be able to access the CCM web interface.

This is fairly straight forward as it all happens in the browser, and the tunnel is almost invisible to the user.

Next, let's see how we can configure a Chocolatey Agent to connect to the CCM Service through the tunnel. This is a little more involved as we need to explicitly open the client end of the tunnel. You need to install and configure Chocolatey Agent. This is well covered in the documentation, so I won't cover it here.

Do note, that when you open the tunnel on a client, it opens ON the client. This means it is either localhost or 127.0.0.1. To keep things consistent, I suggest creating a DNS record in Cloudflare for the same hostname as what your internal clients access CCM and set that to 127.0.0.1. This allows an external client to use the hostname, and it will be seamlessly directed to localhost on the client side of the Zero Trust tunnel. This will mean you can have the same Central Management Service URL, used by Chocolatey Agent, regardless of where the client is.

To open the tunnel on a client, run the following command, ensuring you:

Replace the hostname with the hostname of your CCM Service via the tunnel.
Set the URL to the DNS record that you have set to 127.0.0.1.
Set the CCM service port (defaults to 24020).

cloudflared access tcp --hostname tunnel-ccm-agent.toastit.dev --url ccm.toastit.dev:24020

This will take over the console it is executed in, and you will be able to see output from cloudflared. When the console is closed, the tunnel will also close.

If you now start (or restart) the Chocolatey Agent service, it will connect to the CCM Service through the tunnel. This will either open a browser window for you to authenticate, or you will be prompted with a URL to authenticate in the console:

Restart-Service chocolatey-agent

At this point, your Chocolatey Agent is connected to your Chocolatey Central Management Service through a Cloudflare Zero Trust tunnel! However, this is a manual process and so you may want to consider running the tunnel as a service that is always running rather than relying on the user opening the tunnel and always having a console dedicated to the tunnel.

Running the Tunnel as a Service

Now we bring this all together by running the tunnel on our clients as a service. This is a little more involved than running the tunnel manually, but it means that the tunnel will always be open and available for the Chocolatey Agent to connect to.

First, we'll be using the CredentialManager PowerShell module to store a service token ID and secret that will be used to authenticate the tunnel rather than authenticating as an individual user. This needs to be installed to allow all users on the computer to use the module, as we will be running the tunnel as the Local Service account. To do this run:

Install-Module -Name CredentialManager -Scope AllUsers

Now we need a couple of applications which we can install using Chocolatey CLI:

choco install nssm psexec

nssm is the Non-Sucking Service Manager, which we will use to register a PowerShell script which opens the cloudflared tunnel as a service. psexec is a tool from the Sysinternals suite that we will use to run the CredentialManager PowerShell module as the Local Service account, and store credentials in that context.

Now we need to create a service token with which we can authenticate the client end of the tunnel:

Open the Cloudflare Zero Trust dashboard.
Click on Access on the left side of the screen, and then Service auth.
Click the Create Service Token button.
Give the token a name. You should really only use a given token for one service and so the name should be descriptive of the service it is for.
Specify how long the token should be valid for. Strike a balance between security and convenience, i.e. how often you'll need to update it on your clients vs. how long it remains valid if it is compromised.
Click the Generate token button.
Copy the client ID and client secret. Note that these are presented in the form of <Header Name>: <Value>. You only need the value.
From the left-hand menu, select Applications from the Access section.
Select your CCM Agent/Service application and then click the Configure.
This will open the Policies page. You can either edit your existing policy or create a new one. If you edit the existing one, you will no longer be able to authenticate the tunnel with your user account and will always need to use the service token. There is no right answer here so do whatever makes sense for your environment.
Set this policy much the same as above, with the following differences:
1. Next to the Policy Name field, change the Action to Service Auth.
2. In the Configure rules section, add an "include" rule with the Selector set to Service Token and the Value set to the Service Token value we just created.
Click the Save policy button.
Click the Save application button.

With the service token client ID and client secret, we can now save that to the Credential Manager under the Local Service account:

$CfServiceId = @{
  Target   = 'CF-Service-Token-Id'
  UserName = 'CF-Service-Token-Id'
  Password = '<Service Token Client ID>'
  Persist  = 'LocalMachine'
}

$CfServiceSecret = @{
  Target   = 'CF-Service-Token-Secret'
  UserName = 'CF-Service-Token-Secret'
  Password = '<Service Token Client Secret>'
  Persist  = 'LocalMachine'
}

$null = psexec -accepteula -nobanner -u "NT AUTHORITY\LOCAL SERVICE" powershell -command New-StoredCredential @CfServiceId 2>&1
$null = psexec -accepteula -nobanner -u "NT AUTHORITY\LOCAL SERVICE" powershell -command New-StoredCredential @CfServiceSecret 2>&1

Now we'll create a PowerShell script which will open the tunnel using these saved credentials. For this example, I've saved the script as C:\Tools\ccm-tunnel.ps1:

$Token = @{
    Id     = (Get-StoredCredential -Target 'CF-Service-Token-Id').GetNetworkCredential().Password
    Secret = (Get-StoredCredential -Target 'CF-Service-Token-Secret').GetNetworkCredential().Password
}

cloudflared.exe access tcp --hostname tunnel-ccm-agent.toastit.dev --url ccm.toastit.dev:24020 --id $Token.Id --secret $Token.Secret

Other than using the Get-StoredCredential function to retrieve the service token ID and secret, this script is largely the same as the command we ran earlier to open the tunnel manually. The difference is the addition of the --id and --secret parameters which are used to authenticate the tunnel with the service token.

Finally, we'll use nssm to create a service that runs this script:

$chocoAgentServiceName = 'choco-agent-tunnel'
if (-not (Get-Service $chocoAgentServiceName -ErrorAction SilentlyContinue)) {
  $powershellPath = ( Get-Command powershell ).Source
  $serviceScriptPath = 'C:\Tools\ccm-tunnel.ps1'
  $serviceArgs = '-ExecutionPolicy Bypass -NoProfile -File "{0}"' -f $serviceScriptPath
  $null = nssm install $chocoAgentServiceName $powershellPath $serviceArgs
  $null = nssm set $chocoAgentServiceName ObjectName "NT AUTHORITY\Local Service" ""
  $null = nssm set $chocoAgentServiceName DisplayName Cloudflare Tunnel - Choco Agent
  $null = nssm set $chocoAgentServiceName Description Maintains a persistent Cloudflare Zero Trust tunnel to CCM.
}

These commands create the service which opens your tunnel, give it a nice display name and description, and change the user under which it runs to the Local Service account.

To wrap this up, start the service you just created and restart the Chocolatey Agent service:

$chocoAgentServiceName = 'choco-agent-tunnel'
Start-Service -Name $chocoAgentServiceName
Restart-Service chocolatey-agent

Bonus Configuration

There are two enhancements you may which to make to ensure this tunnel configuration is as robust as possible.

Delay Tunnel Opening

You can set the tunnel service to start automatically, but with a delay. This ensures that the network stack has fully initialized on the client before the tunnel is opened:

$chocoAgentServiceName = 'choco-agent-tunnel'
nssm set $chocoAgentServiceName Start SERVICE_DELAYED_AUTO_START

Start Chocolatey Agent Only When the Tunnel is Ready

You can make the Chocolatey Agent service dependent on the tunnel service, forcing Chocolatey Agent to start only after the tunnel is up and running.

$chocoAgentServiceName = 'choco-agent-tunnel'
nssm set chocolatey-agent DependOnService $chocoAgentServiceName

<Callout type="info" > It is normal to get a message about the chocolatey-agent service not being an NSSM service. This is because that service wasn't created using NSSM, but the command will still work. </Callout>

Wrap Up

There was a lot of client setup scripting in this post. Once you have the scripts in hand, the process is easily repeatable. Using a Chocolatey Package for the scripts allows you to set up a client by installing a single package. There may be a post on about this type of package coming soon!

This is the ninth post in our back-to-basics series, and we look forward to continuing to expand the series in 2025. Please do let us know if there are specific topics you would like to see covered!

If you've got any questions about this post, Chocolatey for Business, or other Chocolatey products, please reach out to us on our Community Hub!

2024 Chocolatey Wrap-Up

Stephen Valdinger — Thu, 19 Dec 2024 00:00:00 GMT

2024 Chocolatey Wrap-Up

As we wrap up another incredible year, we want to take a moment to thank our amazing community and customers for their continued support. From exciting product launches to key milestones, 2024 was a year filled with innovation and growth. Let's take a look back at what we achieved together.

Product Releases

2024 was a big year for product updates, bringing new features and improvements to enhance the Chocolatey experience:

Community Validation Extension: Announced in January, this extension has made package validation more accessible for the community.
Elasticsearch Integration for the Chocolatey Community Repository: May brought Elasticsearch to the Chocolatey Community Repository, improving search performance and reliability.
Chocolatey CLI 2.3.0, Licensed Extension 6.2.0, and Agent 2.1.3: These June releases enhanced stability and introduced new features for users and organizations.
Hyper-V for the Chocolatey Test Environment: Hyper-V support returned, providing greater flexibility for testing environments.
Chocolatey Central Management 0.13.0: September’s release brought significant updates to Chocolatey Central Management, making it even more powerful.
Chocolatey CLI 2.4.0: November introduced new enhancements to the CLI, further streamlining software management.
Chocolatey Agent 2.2.0: December wrapped up the year with improvements to the Chocolatey Agent.

Livestreams

Our livestreams continue to be a fantastic way to educate and engage with the community, and 2024 was no exception:

Chocolatey Back-to-the-Basics: 8 Chocolatey Product Spotlight episodes focused on foundational skills and best practices for using Chocolatey products effectively.
Unpacking Software: We aired 10 episodes of our popular livestream series, diving deep into software packaging and management news.

Chocolatey in the Wild

We had the pleasure of connecting with our community at events around the world this year:

PowerShell + DevOps Global Summit 2024: A highlight of the year, where we shared insights and innovations.
PowerShell Conference Europe: Continuing our strong presence in the PowerShell community.
Nebraska.Code(): Engaging with developers and IT professionals.
PowerShell Saturday NC: A great opportunity to meet and collaborate with Powershell enthusiasts.

Big Wins

2024 also marked some incredible milestones for Chocolatey:

13 Years of Chocolatey: In March, we celebrated over a decade of simplifying software management.
3 Billion Installs on the Chocolatey Community Repository: A monumental achievement reached in May, thanks to our thriving community.
10 Years of Moderation: October marked a decade of dedication from our volunteer moderators, ensuring the quality and reliability of the CCR.

As we look ahead to 2025, we’re excited to build on this year’s success and continue delivering value to our community and customers. Thank you for being part of our journey—we couldn’t do it without you!

Feature Highlight - Chocolatey Package Internalizer

Stephen Valdinger — Mon, 16 Dec 2024 00:00:00 GMT

Chocolatey Package Internalizer is a powerful tool that allows you to create a 100% offline copy of a package available from the Chocolatey Community Repository. In a single command you can ensure that your favorite 3rd party tool's package, and dependencies, are made available to host in your own private package repository.

This tool fits perfectly into your favorite automation platform such as Jenkins, GitHub Actions, Azure DevOps, really anywhere that can run a licensed version of Chocolatey CLI!

Never worry about 3rd party software updates again in three easy steps:

Use Script Builder on the Chocolatey Community Repository to build your list of packages.
Download and host the packages in your internal package repository.
Automate choco download to keep your internal packages up to date with their upstream counterpart.

Need help setting up the automation? Use our Automate Package Internalizer guide (based on Jenkins) to get started, or use the scripts found in the guide in the platform of your choosing!

Ready to get started, or want to learn more?

<a href="https://chocolatey.org/contact/sales" class="btn btn-primary">Start A Trial!</a>

Announcing Release of Chocolatey Agent 2.2.0

Gary Ewan Park — Wed, 04 Dec 2024 00:00:00 GMT

Discussed below are the changes included in this release, but we also have a full set of release notes available:

Chocolatey Agent v2.2.0

New Background Job Management System

With the release of v2.2.0 of Chocolatey Agent, the internal logic of how "jobs" are managed has changed. This now gives much more flexibility and scalability in terms of how Chocolatey Agent operates. From an outside perspective, there should be no visible changes, and Chocolatey Agent should operate exactly the same way as it did previously. The only known difference that you may encounter is a change to how some logging is completed within the Chocolatey Agent log file.

Scheduled retry logic for reporting into Chocolatey Central Management

When configured to report into Chocolatey Central Management, the first thing that Chocolatey Agent does when it starts up is to try to communicate with the Chocolatey Central Management Service. Prior to the v2.2.0 release, if it was not able to establish communication initially, it would re-attempt a few times, however, it eventually would stop trying, and it would report an error in the Chocolatey Agent log file. Once this initial connection attempt was made, and a connection was not established, it would have been necessary to restart the Chocolatey Agent Windows Service in order to re-connect. There are several reasons that this could cause a problem. For example, when using remote workstations that first need to connect to a VPN to the office before a connection to the Chocolatey Central Management Service would even be possible. In this type of situation, the connection attempts to the Chocolatey Central Management Service might have already failed to complete, before the VPN connection was established. As a result, Chocolatey Agent would not be able to report anything back to Chocolatey Central Management without first being restarted.

To help with this type of issue, the logic with Chocolatey Agent has changed in the v2.2.0 release. Now, if after some initial re-tries, Chocolatey Agent is not able to communicate with the Chocolatey Central Management Service, it will halt and then re-attempt the process after a set period. By introducing this retry period, it gives any setup/configuration that needs to be completed on the computer time to be completed, which then allows Chocolatey Agent to make the connection to the Chocolatey Central Management Service. This retry logic will continue indefinitely until either the Chocolatey Agent Service is stopped, or a connection to the Chocolatey Central Management Service is made.

Learn More

To find out more about Chocolatey Agent, check out the documentation.

Unpacking Software Livestream and Podcast, Episode 10

Paul Broadwith — Fri, 22 Nov 2024 00:00:00 GMT

We have just published episode 10 of our livestream, and podcast, Unpacking Software. You can watch it now on YouTube.

On the third Thursday of each month we livestream to Twitch, YouTube and LinkedIn Unpacking Software. Each month we chat about the latest news & opinion on the world of software focusing on packaging, software deployment & lifecycle management. We also publish a podcast of our stream, for you to save and enjoy using your favorite podcast manager.

Where do we get our news? In short, everywhere. As a technical team with decades of experience we practice what we preach and ensure we are up-to-date in the software world. Our customers and community often pass us links to articles, blog or forum posts they find relevant or interesting. The resources we used for this month's livestream, and podcast, are below.

Software News

Chocolatey News

Package, Software Deployment and Lifecycle Management News

Trusted Signing is now open for individual developers to sign up in Public Preview!

Open-Source News

Miscellaneous News

Security and Privacy News

Events

PSSaturday Karlsruhe.
- Date: 30 November 2024

To ensure we are creating content that you want to see, and listen to, we need your feedback. Please complete our very short survey letting us know your thoughts of this month's content.

Thanks for watching and listening!

Announcing Release of Chocolatey CLI 2.4.0

Rain Sallow — Fri, 15 Nov 2024 00:00:00 GMT

Discussed below are the change highlights included in this release, but we also have a full set of release notes available:

Chocolatey CLI v2.4.0

Update tab completions for compatibility with PowerShell 7.4+

PowerShell removed some older methods of providing tab completion in 7.4.x. We have updated our tab completion to use the newer tab completion methods available from PowerShell 5 and onwards, which are still fully supported.

Prevent dependency resolution from unexpectedly downgrading packages

There was an issue with some uncommon situations that could occur, especially with some .install packages and metapackages (for example vlc and vlc.install), where attempting to upgrade packages would unexpectedly downgrade one of the packages. This has been resolved and will no longer occur.

Do not install packages if dependencies fail to install

Previously Chocolatey CLI would continue to install some packages even if a dependency they require failed to install, unless the stopOnFirstPackageFailure feature was enabled. This change ensures that users cannot get into broken states where their local packages folder contains broken dependency chains, which would otherwise prevent installing or updating any other packages until the missing dependencies are installed.

Improvements to dependency resolution

Performance improvements have been made to dependency resolution to allow it to function more effectively. This improves some corner cases dramatically, but will be an overall performance improvement for dependency resolution in general and reduces the number of queries Chocolatey CLI needs to make when resolving dependencies.

Learn More

To find out more about Chocolatey CLI, check out the documentation.

What is a Chocolatey Template Package?

Gary Ewan Park — Fri, 08 Nov 2024 00:00:00 GMT

In our eighth back-to-basics livestream, we covered Chocolatey template packages.

Documentation

This livestream covered the template packages documentation, but also included discussion of the Community maintained template packages, to demonstrate what can be achieved and spark your imagination!

Wrap Up

This is the eighth post in our back-to-basics series, and we look forward to continuing to expand it! Please let us know if there are specific topics you would like to see covered.

Thanks for watching, and listening!

Unpacking Software Livestream and Podcast, Episode 9

Paul Broadwith — Fri, 18 Oct 2024 00:00:00 GMT

We have just published episode 9 of our livestream, and podcast, Unpacking Software. You can watch it now on YouTube.

Software News

Chocolatey News

Open-Source News

Miscellaneous News

Security and Privacy News

Microsoft reveals security improvements for Recall, including the ability to uninstall it. (NOTE: We didn't cover this due to time constraints).
Internet Archive hacked, data breach impacts 31 million.
- The Internet Archives' Wayback Machine site is back online but in a read-only mode for now.

Honorable Mentions

Events

PowerShell Summit.
- Date: 7 to 10 April 2025
- Where: Bellevue, Washington, USA
PowerShell Conference EU.
- Date: 23 to 26 June 2025
- Where: Malmo, Sweden.

To ensure we are creating content that you want to see, and listen to, we need your feedback. Please complete our very short survey letting us know your thoughts of this month's content.

Thanks for watching and listening!

Celebrating 10 Years of Moderation

Gary Ewan Park — Thu, 17 Oct 2024 00:00:00 GMT

What is Package Moderation?

Back in October 2014, Package Moderation was introduced to the Chocolatey Community Repository. Rob Reynolds, the Creator and Founder, of Chocolatey wrote about this on his blog. What this meant was that any package that was pushed to the Chocolatey Community Repository would now be subject to human moderation.

Since the introduction of the human aspect to Package Moderation, a number of automated systems have been introduced. These include:

What did this mean for package consumers?

With the introduction of Package Moderation, consumers of packages from the Chocolatey Community Repository would get:

High quality packages: moderators give feedback to maintainers and fixes can be added.
Appropriate packages: packages that are not relevant to Chocolatey's community repository will not be approved.
Trust: packages are reviewed for safety and completeness before they are live.

What were things like before Package Moderation started?

Before the introduction of Package Moderation, any package (regardless of contents), could be submitted to the Chocolatey Community Repository. This meant that a package would be immediately available to be installed by anyone. Due to the risks associated with running Chocolatey CLI with administrative permissions, the ability for anyone to push a package was not something that was desirable.

Who were the early moderators?

When Package Moderation was first introduced to Chocolatey Community Repository, there were a different set of moderators helping, compared to the people that work on it today. They included:

Rob Reynolds
Matt Wrock
Gary Park
Thomas Walter
Resandro
dtgm
Anthony Mastream
Dan Atkinson
Simon Cropp
jbrezanski
doc
riezebosch
digitaldrummer

What does working on Package Moderation look like?

Package Moderation starts and stops on the moderation queue. This view shows all the possible states for a package that has been pushed to the Chocolatey Community Repository:

Submitted: this is the first state for a package, but it will immediately be moved into a Pending state.
Updated: this is a package that has been pushed again by the maintainer of the package (could be that a change was required after the initial submission).
Pending: this is a package that is either pending one of the automated Package Moderation Services to run, or the package is pending the approval of a dependent package.
Waiting: this is a package that has been reviewed (either by a human moderator, or an automated Package Moderation Service) and a change is required by the maintainer.
Responded: this is a package that has had a comment made by the maintainer of the package, perhaps based on feedback from a human moderator, or requesting help after an automated Package Moderation Service has run.
Ready: this is a package that is ready for review by a human moderator.

Packages appear in this queue based on when they were first pushed, and then if action is taken on them. Moderators will then work through the queue, in the order presented.

Moderators are looking to ensure that any package submitted to the Chocolatey Community Repository meet the documented requirements and guidelines. If a package doesn't meet something here, a moderator will leave a comment, asking for the package to be modified, and then re-submitted. This process might go through a few cycles, and once things has been addressed, the package will be approved.

In addition to these requirements and guidelines, moderators will be checking to ensure that no duplicated packages are being created, as well as to ensure that the package is intended to be used by all users of the Chocolatey Community Repository.

How many moderators work on the Chocolatey Community Repository today?

The current moderation team is made up of 11 people, covering 7 different time zones. We aim to keep the package moderation queue as low as possible, and to get packages moderated as quickly as possible, but there are times when this simply isn't possible. We try to be as open and transparent about this as we can. You can always find the current moderation queue on the site, and we also regularly post the moderation stats in the community-repository channel in our Community Hub.

As an example, here is the moderation information for August 2024:

Interested in helping out?

If you are interested in helping out with moderation of packages on the Chocolatey Community Repository, we would love to have you involved. The rough steps for becoming a moderator are outlined on our docs site, but feel free to reach out on our Community Chat if you have any other questions.

The Future

We have lots of ideas on how we are going to continue to improve the moderation of Chocolatey packages on the Chocolatey Community Repository. These include:

Improvements to the package-differ service
- Making it easier for a package moderator to "see" differences in files using a diff/display technology similar to what you would see on GitHub.
Tighter integration with the latest version of VirusTotal.

What is a Chocolatey extension package?

Gary Ewan Park — Wed, 09 Oct 2024 00:00:00 GMT

import Iframe from '@choco-astro/components/Iframe.astro';

In our seventh back-to-basics livestream, we covered Chocolatey extension packages.

Documentation

This livestream was based off the documentation that we have for the creating extension packages.

In addition, there are a number of Community maintained extension packages, which can give some ideas about what can be achieved.

Wrap Up

This is the seventh post in our back-to-basics series, and we look forward to continuing to expand the series. Please let us know if there are specific topics you would like to see covered.

Thanks for watching, and listening!

Unpacking Software Livestream and Podcast, Episode 8

Paul Broadwith — Fri, 20 Sep 2024 01:01:01 GMT

import Iframe from '@choco-astro/components/Iframe.astro';

We have just published episode 8 of our livestream, and podcast, Unpacking Software. You can watch it now on YouTube.

Software News

Chocolatey News

Open-Source News

Miscellaneous News

New Anti-Toxicity Features on Bluesky.

Security and Privacy News

Honorable Mentions

To ensure we are creating content that you want to see, and listen to, we need your feedback. Please complete our very short survey letting us know your thoughts of this month's content.

Thanks for watching and listening!

Alex Aveldanez Joins Chocolatey as Full Stack Software Engineer

Chocolatey News Team — Fri, 20 Sep 2024 00:00:00 GMT

We are excited to announce that Alex Aveldanez has joined the Chocolatey Team as a Full Stack Software Engineer!

With a lifelong curiosity about technology and how computers work, Alex chose to pursue a career in the technology industry. His passion for helping others led him to begin a technical support role, where he could use his computer skills to help solve problems directly.

He later developed an interest in understanding the inner workings of web applications and began building software with the goal of automating manual tasks, aiming to improve people’s lives by making everyday tasks easier and more enjoyable.

Alex has 3 years of experience building full stack web applications with programming languages such as JavaScript, TypeScript, C#, HTML, CSS, and frameworks like .NET and Angular.

Alex will be based remotely in Atlanta, Georgia, USA.

Announcing Release of Chocolatey Central Management 0.13.0

Kim Nordmo — Thu, 19 Sep 2024 00:00:00 GMT

We are very happy to announce the release of version 0.13.0 of Chocolatey Central Management! This release contains a major overhaul of the underlying framework technologies that Chocolatey Central Management is built on, and other improvements for the web interface.

Discussed below are the main changes included in this release, but we also have the full set of release notes available providing more detail.

Removal of support for SQL Server 2012 / 2014

Since version 0.9.0 of Chocolatey Central Management it has been possible to use SQL Server 2012 to host the database that is required. Starting with this release SQL Server 2012 and 2014 are no longer supported for Chocolatey Central Management and SQL Server 2016 or later are required.

Encryption support required for SQL Connection String

In Chocolatey Central Management v0.13.0, the SQL connection mode has changed to secure-by-default. By default, all connection strings will assume Encrypt=true; and attempt a connection to the SQL Server over SSL. If you wish to disable this, you must pass a complete connection string to the /ConnectionString package parameter that contains an explicit Encrypt=false; parameter.

To accommodate this new default, the package installation will automatically add the TrustServerCertificate=True parameter to the connection string it constructs or receives if the initial connection to the SQL server fails without it.

If you would like to ensure a completely secure SQL connection, you must install a trusted SSL Certificate on the SQL Server instance before installing, upgrading, or reinstalling Chocolatey Central Management packages.

Updated target .NET Framework

All components of Chocolatey Central Management (database, service, and web) have been updated to .NET 8 which is supported by Microsoft until November 10 2026. .NET 6.0, used in previous versions, is only supported to November 12 2024.

Updated UI to use Choco Theme

Since the initial release of Chocolatey Central Management, the user interface has relied on a framework that was not consistent with the design of our other websites. Starting with Chocolatey Central Management 0.13.0, we updated the user interface to use the same choco-theme framework and functionality as our other websites, ensuring a consistent user experience.

Release notes

For more information on the breaking changes and improvements that were included in this release, please see the release notes.

Learn more

Check out the documentation.
Learn about other features available in Chocolatey for Business.
Contact us to find out more and setup your evaluation of Chocolatey for Business today.

What Is Chocolatey Central Management?

Chris White — Fri, 30 Aug 2024 00:00:00 GMT

import Iframe from '@choco-astro/components/Iframe.astro';

In our sixth back-to-basics livestream, we covered Chocolatey Central Management (CCM). This blog post gives an overview of what's discussed in the video, and provides links to the documentation used to set up and upgrade CCM, along with the documentation on all the bells and whistles!

What is Chocolatey Central Management?

Chocolatey Central Management is a single pane of glass from which an organization can manage the software installed across all of their endpoints. It provides visibility when those endpoints check-in with Chocolatey Central Management to report currently installed Chocolatey packages and whether any of those packages are outdated, giving you full control from a single seat to be able to install, upgrade, or uninstall Chocolatey packages throughout the environment.

What can Chocolatey Central Management do for me?

Chocolatey Central Management offers you a detailed look inside each endpoint showing which Chocolatey packages are currently installed and whether they're outdated, providing the ability to report on this status for licensing or compliance. You're able to install, upgrade and even uninstall Chocolatey packages with a Basic Deployment from the CCM interface. You can also run remote PowerShell with an Advanced Deployment, allowing you to accomplish anything you can with PowerShell on any endpoint, such as setting registry keys, creating directories and adding files, etc.

How do I install Chocolatey Central Management?

If you're looking to set up Chocolatey Central Management in your Chocolatey for Business environment, you can reference our Setup documentation here. Alternatively, if you already have Chocolatey Central Management installed and are looking to upgrade to the latest version, our upgrade documentation has you covered!

What data is available in Chocolatey Central Management?

The documentation we have on Chocolatey Central Management is extensive and includes configuration topics as well as screenshots of all the tabs and features. For a detailed dive into Chocolatey Central Management and all it has to offer, head over to our documentation.

Where can I find out more information about Chocolatey Central Management?

Watch our back-to-basics livestream, see our Chocolatey Central Management documentation or reach out for community assistance on our Community Hub.

Wrap Up

This is the sixth post in our back-to-basics series, and we look forward to continuing to expand the series. Please do let us know if there are specific topics you would like to see covered!

Thanks for watching and listening!

Exporting Chocolatey Packages

Gary Ewan Park — Mon, 19 Aug 2024 00:00:00 GMT

It is a common requirement to allow the exporting of all the packages that are currently installed on one computer, to enable them to be easily installed onto another computer.

Since Chocolatey GUI 0.13.0 added an export button, and Chocolatey CLI 0.11.0 added the export command, this has been possible using a packages.config file.

A packages.config file is an XML file, which stores information about the package ID, and optionally a package version. An example packages.config file would be:

<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="calibre" version="7.16.0" />
  <package id="chocolatey" version="2.3.0" />
  <package id="chocolatey.extension" version="6.2.1" />
  <package id="chocolatey-core.extension" version="1.4.0" />
</packages>

Once created, this packages.config file can be used along with the choco install command, to perform the installation of each package contained within the file.

choco install <path-to-exported-file>

Enhancements to the `packages.config` file

There are several ideas around how the packages.config file can be extended to further enhance the ability to export the list of installed Chocolatey packages.

For example, there is a GitHub issue, currently slated for the next Chocolatey CLI release, which would include the ability to export the arguments that were used during the initial installation of the package.

An example of what this would allow would be:

<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="iperf2" prerelease="true" ignoreDependencies="true" forceX86="true" installArguments="/test" overrideArguments="true" applyInstallArgumentsToDependencies="true" packageParameters="/test" applyPackageParametersToDependencies="true" allowDowngrade="true" timeout="0" failOnStderr="true" useSystemPowershell="true" />
  <package id="Wget" />
  <package id="z3" packageParameters="/z3param" forceX86="true" />
</packages>

During installation, these additional arguments would be respected, and passed into the installation of the correct package.

This is a very exciting addition to Chocolatey CLI, and I personally am very much looking forward to this being available.

If you have any suggestions to how this particular command can be enhanced, I invite you to reach out via our Community Hub, as I would love to hear your ideas!

Summary

With the aid of two Chocolatey CLI commands, it is possible to make one computer match another in terms of the Chocolatey packages that are installed.

choco export --include-version-numbers

Followed by:

choco install <path-to-exported-file>

Your new computer will now install all the packages listed in the packages.config file, using the included package parameters!

If you have any follow-up questions, check the export command documentation page, or reach out for community assistance on our Community Hub.

Unpacking Software Livestream and Podcast, Episode 7

Paul Broadwith — Fri, 16 Aug 2024 00:00:00 GMT

import Iframe from '@choco-astro/components/Iframe.astro';

We have just published episode 7 of our livestream, and podcast, Unpacking Software. You can watch it now on YouTube.

Security and Privacy News

CrowdStrike News

Open-Source News

Google brings AI agent platform Project Oscar open source.

Honorable Mentions

To ensure we are creating content that you want to see, and listen to, we need your feedback. Please complete our very short survey letting us know your thoughts of this month's content.

Thanks for watching and listening!

Unpacking Software Livestream and Podcast, Episode 6

Paul Broadwith — Fri, 19 Jul 2024 00:00:00 GMT

import Iframe from '@choco-astro/components/Iframe.astro';

We have just published episode 6 of our livestream, and podcast, Unpacking Software. You can watch it now on YouTube and LinkedIn.

Security and Privacy News

Software News

PowerShell Pro Tools are no longer going to be a paid and supported product and will be open sourced.

Package, Software Deployment and Lifecycle Management News

Open-Source News

Dev rejects CVE severity, makes his GitHub repo read-only.

Miscellaneous News

GitLab explores sale.

Honorable Mentions

Events

Nebraska.Code() on 17 to 19 July in Lincoln, Nebraska.
- Chocolatey Software is a sponsor.
- Stop by for a chat with Stevie or Tyler.

To ensure we are creating content that you want to see, and listen to, we need your feedback. Please complete our very short survey letting us know your thoughts of this month's content.

Thanks for watching and listening!

Automating Chocolatey Package Updates, the Next Step in Your Packaging Journey!

Josh King — Fri, 12 Jul 2024 00:00:00 GMT

import Iframe from '@choco-astro/components/Iframe.astro'; import Callout from '@choco-astro/components/Callout.astro';

In a previous back-to-basics blog post we covered manually creating Chocolatey packages. In this post we'll take your package creation skills to the next level by automating the update process.

A Quick Refresher

It's always good to keep in mind what a Chocolatey package is, so we'll start with a quick refresher. For a deeper dive please refer back to our first back-to-basics blog post.

First, it's important to remember that a package is not software. Instead, a package is a "container" that contains something that needs to be enacted on or delivered to a computer. This could include a software installer that needs to be executed, a font to be installed, or a file that needs to be stored in a specific directory. The possibilities are endless.

Another feature of a package is metadata about what is contained inside of it. This includes a unique identifier for the package, and a version number allowing you to update or rollback the package to a known point in time.

What Is Automatic Packaging?

Automatic packaging, as you might expect, automatically updates a Chocolatey package to reflect and update to its contents. This is most often done with packages that contain software installers as there is a very obvious link between a new version of the software and the need for a new version of its package.

In order to set up automatic packaging of a package that contains/manages a software installer, you will need:

Some way of detecting that an update is required.
Collection of metadata including the new version number and the new installer download location.
The ability to update the files in your package, specifically the .nuspec file and any PowerShell scripts.

The first two items are generally closely coupled, as you're likely to get your metadata from the same place as you're looking to tell if there is an update available. This could be the download page on a given piece of software's official webpage, release notes RSS feed, or the releases or tags listed on a GitHub repository.

To actually carry out the update of the files in your package, you could create your own script. However, a lot of the hard work has already been done for you via the Chocolatey-AU PowerShell Module (also available as a Chocolatey package). Originally created by Miodrag Milić, it has recently been adopted by the Chocolatey Community and contains functions that enable easy automatic packaging.

How Do You Automate Package Updates?

When we covered manual packaging, we created a package for Elk Native. You can find the result of this work on GitHub.

We will continue by taking the elk-native package from manual to automatic.

Get Your Metadata

As mentioned above, we need to both determine that an update is available and also collect metadata about the update. Elk Native is open source and is released via the project's GitHub repository, meaning that we can get the information we need from the GitHub API.

The generic form of the API endpoint we're using is: https://api.github.com/repos/<org>/<project>/releases/latest

To query this API, specifically for the Elk Native software, using PowerShell we can run:

$LatestRelease = Invoke-RestMethod -UseBasicParsing -Uri "https://api.github.com/repos/elk-zone/elk-native/releases/latest"

This command stores the response from GitHub in a variable called $LatestRelease so that we can pull information from it without needing to request the information from GitHub multiple times. You'll also notice the use of the -UseBasicParsing parameter. This is included simply because I will be executing this script via GitHub Actions and this parameter tells PowerShell not to attempt to use the Internet Explorer engine to parse the API response, as it won't be available.

<Callout type="info"> In this example we are not providing any form of authentication to the GitHub API. This means that we are restricted to 60 requests per hour. Given this, you should consider authenticating to the API which increases the applicable rate limit to 5,000 requests per hour. </Callout>

From this release information we need to get the version number, the download URL, and a link to the release notes. Your package may need more or less information that this, read through your .nuspec file and ensure you're aware of everything that needs to be updated from version to version.

# Version Number
$Version = $LatestRelease.tag_name.Replace('elk-native-v', '')

# Download URL
$URL64 = ($LatestRelease.assets | Where-Object {$_.name.EndsWith("_windows_x86_64.msi")}).browser_download_url

# Release Notes URL
$ReleaseNotes = $LatestRelease.html_url

Here you'll see that we are referencing the "tag name" from the GitHub release to determine the version number. Often, you'll find that the version number is prefixed with a "v" that needs to be trimmed so that you just have "the version number" itself, but in the case of Elk Native, there is much more text that needs to be removed.

For the download URL, there is often a large number of "assets" attached to a GitHub release. These are for different Operating Systems, such as Windows, Linux, and macOS. They're also for different processor architectures, like x64, x86, or even ARM. Your package may require multiple installers, but the Elk Native installer only comes in a 64-bit variant and so we're only getting a single installer.

We now have our metadata, but how do we know that there's actually an update available? In short, you compare the version number we've collected in this step to the version number in our .nuspec file. You could write a script to make this comparison, or we can lean on the Chocolatey-AU module to do this for us.

Put Chocolatey-AU to Work

Now that we know how to get out metadata, we can start working on our actual Chocolatey-AU update script. We'll start the script by explicitly importing the module:

Import-Module Chocolatey-AU

Following this we'll populate a specially named function called au_GetLatest that is executed to gather metadata. We've largely already done this, however instead of saving the values into variables, we'll instead build and return a hash table. The data in this hash table will be assigned to an automatic variable called $Latest by the Chocolatey-AU module.

function global:au_GetLatest {
    $LatestRelease = Invoke-RestMethod -UseBasicParsing -Uri "https://api.github.com/repos/elk-zone/elk-native/releases/latest"

    @{
        URL64        = ($LatestRelease.assets | Where-Object {$_.name.EndsWith("_windows_x86_64.msi")}).browser_download_url
        Version      = $LatestRelease.tag_name.Replace('elk-native-v', '')
        ReleaseNotes = $LatestRelease.html_url
    }
}

Next we'll define a second specially named function called au_SearchReplace. This function is executed to update the files in your package. The content of this function is a hash table of paths to files, with a nested hash table per file that specifies a RegEx to search for inside said file and what to replace the matching content with.

function global:au_SearchReplace {
    @{
        ".\tools\chocolateyInstall.ps1" = @{
            "(?i)(^\s*(\$)url64\s*=\s*)('.*')"      = "`$1'$($Latest.URL64)'"
            "(?i)(^\s*checksum64\s*=\s*)('.*')"     = "`$1'$($Latest.Checksum64)'"
            "(?i)(^\s*checksumType64\s*=\s*)('.*')" = "`$1'$($Latest.ChecksumType64)'"
        }

        "elk-native.nuspec" = @{
            "(\<releaseNotes\>).*?(\</releaseNotes\>)" = "`$1$($Latest.ReleaseNotes)`$2"
        }
    }
}

In this example, you'll see that we're updating both the chocolateyInstall.ps1 and elk-native.nuspec files. You may find yourself asking two questions, however?

Why haven't we specified a Search and Replace pair for the Version number? This is because Chocolatey-AU does this for us automatically, and so we don't need to worry about it.
Where did those Checksum64 and ChecksumType64 properties come from? Chocolatey-AU automatically downloads the installer and calculates the checksum for us, then adds these values to the $Latest variable alongside the properties we gathered in the au_GetLatest function.

The final step is to actually execute the update. By default, Chocolatey-AU will assume that there is a 32-bit installed included in the package and so the Elk Native update will error because it only has a 64-bit installer. We avoid this error, but specifying what we need a checksum calculated for.

update -ChecksumFor 64

Save this script as update.ps1 into the root of the directory containing your package. It should be alongside your package's .nuspec file.

Updating the Package

Now we can run our update script and generate an updated package:

.\update.ps1

If any update is available, you should see a number of things happen. You will have an updated .nuspec file as well as any PowerShell scripts that required updating, and your package will be packed into the Chocolatey package file (.nupkg). This can then be pushed to the Chocolatey Community Repository, if it's a community package, or your own internal repository.

If an update isn't available, Chocolatey-AU will tell you so and won't create a new package.

In some cases you may need to force an update to your package, for example if the developer of the software has changed the installer without releasing a new version of the software, then the checksum in the original package will no longer match. You can force an update by setting the $au_Force variable to $true and then running your update script.

$au_Force = $true; .\update.ps1

The result will be your package updated with a version number that uses package fix version notation.

Next Steps

You now have a script you can run to generate an updated package. From here you can either set your API key in the $ENV:api_key environment variable and have Chocolatey-AU push the updated package to the Chocolatey Community Repository, or use the choco push command to push the package after Chocolatey-AU has completed.

You can also run your update script on a schedule to automate the update process. You could do this via a Scheduled Job on your computer, or use a service like GitHub Actions.

GitHub Actions is how I have personally automated the packages that I maintain, and while setting this up is beyond the scope of this blog post you can inspect the configuration for this here.

Common Questions

I covered one example of automating package updates in this post, but there are a few common questions that will be raised as you have been reading.

Are There Other Chocolatey-AU Functions?

The update script in this post only used two Chocolatey-AU functions to define how to update our package: au_GetLatest and au_SearchReplace. But there are two other useful functions:

au_BeforeUpdate can be used to perform actions like manually generating the checksum for files when the automatic checksum is not suitable. It can also be used to download files that you wish to embed in your package rather than just specifying a download URL.
au_AfterUpdate can be used to execute commands after the package update has completed, but before the package is packed. You can use this for manipulating files above and beyond what is possible with a RegEx search and replace.

Are There Good Examples of Chocolatey-AU Usage?

The biggest source of examples is the Chocolatey Community Chocolatey Packages repository. This is a repository maintained by the Chocolatey Community, rather than any one individual and hosts many automatically updated packages ranging from simple to much more complex packages.

When I was learning, I took a lot of inspiration from Maurice Kevenaar's Chocolatey Packages repository.

I Have More Questions!

Check the Chocolatey Packaging FAQ, leave a comment below, or reach out for community assistance on our Community Hub.

Wrap Up

This is the fifth post in our back-to-basics series. We do hope you've found this series interesting and helpful. We look forward to continuing to expand the series. Please do let us know if there are specific topics you would like to see covered!

If you have any more questions, please reach out for community assistance on our Community Hub.

Recapping the PowerShell + DevOps Global Summit 2024

Josh King — Mon, 01 Jul 2024 00:00:00 GMT

import Iframe from '@choco-astro/components/Iframe.astro';

The PowerShell + DevOps Global Summit is a premier conference (bordering on "unconference") that brings together the community that has formed around PowerShell and all things automation and DevOps. As a proud sponsor of this event since 2018, Chocolatey Software is excited to foster this community of tech professionals regardless of where they are in their career journey.

In this post we are thrilled to spotlight the recordings of talks delivered by the Chocolatey Software Team members, including myself! These talks not only reflect our team's deep expertise but also our dedication to contributing to the wider DevOps and PowerShell communities. We hope you find these talks insightful, entertaining, useful, or all of the above!

Paul Broadwith

Paul is a Cloud and Datacenter MVP for his work in PowerShell. His career has seen him work in many sectors for over 30 years. As somebody kindly put it, he's been about a bit.

<div class="card card-body card-border-top pt-c2"> <p class="h4">Comparing WinGet and Chocolatey: A Real-World Look at Package Management Tools</p> <p> Confused about which package management tool to use for your Windows environment?

In this talk, we'll compare WinGet and Chocolatey and explore their commonly used features in a real-world context. You'll learn about the pros and cons of each tool, as well as how to decide which one is right for your needs.

Join us and gain a deeper understanding of the package management landscape – you'll be well-equipped to make informed decisions for your organization's needs. </p> <Iframe link="https://www.youtube.com/embed/RpLbZWtHA0Q" ratio="16x9" /> </div>

<p></p>

<div class="card card-body card-border-top pt-c2"> <p class="h4">WinRM vs. OpenSSH: A Showdown for PowerShell Remoting</p> <p> Is WinRM still the go-to protocol for PowerShell remoting, or is it time to switch to OpenSSH?

In this presentation, we'll compare the two protocols and explore the pros and cons of each.

You'll see demos of how to implement and manage OpenSSH, as well as learn about the support for Windows SSH in popular configuration management tools. Plus, we'll take a look at the future of PowerShell remoting and help you decide which option is best for your needs. Join us for a comprehensive showdown of WinRM and OpenSSH! </p> <Iframe link="https://www.youtube.com/embed/c9a4uezQbfA" ratio="16x9" /> </div>

Josh King

Hey that's me!

Josh is a Senior Infrastructure Operations Engineer at Chocolatey Software. He has a long history working within Windows and VMware environments and has a passion for all things PowerShell and automation.

<div class="card card-body card-border-top pt-c2"> <p class="h4">Ansible 101: For the Windows SysAdmin</p> <p> Have you heard about Ansible? You want to give it a try but aren’t sure where to start? A little intimidated about needing to use Linux when what you’re wanting to manage is entirely Windows?

Let’s go right back to the start and get Ansible setup for management of Windows hosts including the actual install of Ansible itself, the prerequisites for WinRM communication, initial Ansible configuration, and defining your inventory.

Don’t worry, there may even be a little PowerShell involved. </p> <Iframe link="https://www.youtube.com/embed/SqO2HkKep90" ratio="16x9" /> </div>

Ryan Richter

Ryan is a Senior Support Engineer at Chocolatey. He loves to help people and organizations learn more about Chocolatey and how it can best work for their use case. Making IT admins lives just a little bit sweeter.

<div class="card card-body card-border-top pt-c2"> <p class="h4">From Chaos to Control: Transforming Software Management with Chocolatey for Business</p> <p> Traditional tools for managing software, while powerful, continue to take a system administrator’s most valuable asset: time.

Chocolatey For Business aims to provide a suite of tools that allow system administrators to have peace of mind about the state of software in their organization, allowing them to focus on what really matters.

Join us to discover modern software automation with Chocolatey For Business. </p> <Iframe link="https://www.youtube.com/embed/nZ2ofn2Mgm0" ratio="16x9" /> </div>

James Ruskin

James is a Senior Solutions Engineer with a passion for automation. Over the last decade, he has gathered experience and enthusiasm as a DevOps Engineer, SysAdmin, and general PowerShell dev.

<div class="card card-body card-border-top pt-c2"> <p class="h4">Improving Your Attributes</p> <p> You're probably familiar with a few Cmdlet Attributes - but did you know that it's surprisingly easy to implement your own?

In this session, we'll explore the wide variety of existing attributes you can utilise - as well as diving into what else you can do, and how you can create your own custom argument attributes and transforms! </p> <Iframe link="https://www.youtube.com/embed/ujU9DJoibbA" ratio="16x9" /> </div>

Stephen Valdinger

Stephen is the Customer Solutions Manager who focuses on customer success, experience, and usage of Chocolatey Software products. He enjoys teaching people how to use Chocolatey to improve end user experience for their organizations.

<div class="card card-body card-border-top pt-c2"> <p class="h4">Simple Network Management.....PowerShell!!!</p> <p> It's been around forever, well since 1988 at least, but how much have you actually used SNMP? It is an incredibly useful little protocol that allows you to really amp up your network monitoring game! This session will teach you how to talk to devices using SNMP, and how to read the data being returned, and furthermore turning into something extremely useful. You're Grafana dashboards are never gonna look prettier! </p> <Iframe link="https://www.youtube.com/embed/HXUqNGRLixg" ratio="16x9" /> </div>

The Dynamic Duo, Cory Knox and Ryan Richter

Cory is a Chocolatey Software Engineer with a background in End User Computing who enjoys working with PowerShell and C# while dabbling in whatever language a project that needs a fix might be using. Constantly looking for ways to streamline processes and improve developer experiences.

<div class="card card-body card-border-top pt-c2"> <p class="h4">Mastering Git: A Comprehensive Guide to Setting Up and Using Git Effectively</p> <p> Are you ready to embark on a journey towards mastering git, one of the most essential tools for modern DevOps? Whether you're a complete beginner or have some experience with git, this workshop is designed to equip you with the knowledge and skills you need to set up git on your computer and use it effectively in your projects. </p> <Iframe link="https://www.youtube.com/embed/LBzdRHZabQE" ratio="16x9" /> </div>

Wrap Up

Like every year, this year's PowerShell + DevOps Global Summit was a great experience!! If you're interested in attending the 2025 event, you can purchase tickets now from the official website. And if you'd like to speak at the event then the Call for Papers (CFP) is due to open on the 1 October 2024.

We hope to see you there! Make sure you pay our booth a visit to get your own Chocolatey Software t-shirt! In the meantime please join us on our Community Chat.

Unpacking Software Livestream and Podcast, Episode 5

Paul Broadwith — Fri, 21 Jun 2024 00:00:00 GMT

import Iframe from '@choco-astro/components/Iframe.astro';

We have just published episode 5 of our livestream, and podcast, Unpacking Software. You can watch it now on YouTube, LinkedIn and X.

On the third Thursday of each month we livestream to Twitch, YouTube, LinkedIn, and X Unpacking Software. Each month we chat about the latest news & opinion on the world of software focusing on packaging, software deployment & lifecycle management. We also publish a podcast of our stream, for you to save and enjoy using your favorite podcast manager.

News

Honorable Mentions

Events

PowerShell Conference Europe 2024 on June 24 to 27, 2024 in Antwerp, Belgium.
- Chocolatey Software is a sponsor.
- Stop by for giveaways and to chat with some of the Chocolatey Team!
Nebraska.Code() on 17 to 19 July in Lincoln, Nebraska.
- Chocolatey Software is a sponsor.
- Stop by for a chat with Stevie or Tyler.

To ensure we are creating content that you want to see, and listen to, we need your feedback. Please complete our very short survey letting us know your thoughts of this month's content.

Thanks for watching and listening!

(Re)Introducing Hyper-V for the Chocolatey Test Environment

Josh King — Thu, 20 Jun 2024 00:00:00 GMT

Last year we announced that the sandbox used by the Package Moderation Services on the Chocolatey Community Repository was being updated to Windows Server 2019. At that time the image that supports this sandbox was released publicly for use in the Chocolatey Testing Environment, allowing package maintainers to test their packages in the same environment as the automatic Package Moderation Services.

Today we're releasing an update to this image, and you can pull it, versioned 3.2.0, from Chocolatey's Vagrant Cloud!

What has changed?

We have taken the opportunity to ensure all updates, through to May 28, 2024, have been installed out of the box. And we've made some behind the scenes changes, making the process easier for future releases.

Version 3.0.0 was only available for use with VirtualBox. Version 3.2.0 reintroduces a Hyper-V variant enabling those are using Windows features that depends on Hyper-V, such as the Windows Subsystem for Linux (WSL), and as a result cannot use VirtualBox, to make use of the Chocolatey Testing Environment.

For details about setting up, or upgrading, the Chocolatey Testing Environment do check out the project's README.

Should you swap to Hyper-V?

In short: No.

If you can use VirtualBox to host the Chocolatey Testing Environment, then you should. This variant, as mentioned above, is intended to lower the friction to use the testing environment if you have no option but to use Hyper-V.

If you do opt to use Hyper-V to host the test environment, then please be aware of the limitations. The main limitation that will impact your usage of the testing environment is that when you revert your snapshot in between tests you will be prompted for "SMB Credentials." When this happens, enter the username and password for your account on the host machine. This allows the passthrough of the packages directory from the host into the testing environment.

Wrap up

Earlier versions of the test environment Vagrant box did support both VirtualBox and Hyper-V, and the reason Hyper-V support was missing from version 3.0.0 was due to the uplift from Windows Server 2012 R2 to Windows Server 2019. We wanted to ensure the updated box was as stable as possible before reintroducing Hyper-V.

I wanted to thank Community members that advocated for, and patiently waited for, Hyper-V support. Your input helped to solidify the need for providing a Hyper-V version of this Vagrant box.

If you want to discuss any of these changes further, please join us on our Community Chat.

Announcing Release of Chocolatey CLI 2.3.0, Chocolatey Licensed Extension 6.2.0, and Chocolatey Agent 2.1.3

Gary Ewan Park — Wed, 05 Jun 2024 00:00:00 GMT

import Callout from '@choco-astro/components/Callout.astro';

Discussed below are the change highlights included in these releases, but we also have a full set of release notes available for each product release:

<Callout type="info"> If you use Chocolatey Licensed Extension it is recommended that you install v6.2.0 of Chocolatey Licensed Extension to use all the new functionality that has been added to Chocolatey CLI v2.3.0. </Callout>

Deprecation of the `unpackself` Command

The decision has been taken to deprecate the unpackself command, and it will be completely removed in the next major version of Chocolatey CLI.

This is a command that was never intended for usage outside the installation of Chocolatey CLI, so we do not envision that anyone will be impacted by this deprecation, however, if you feel you will be impacted, please reach out.

New Enhanced Exit Codes

Chocolatey CLI has a feature named useEnhancedExitCodes, which is disabled by default, that allows Chocolatey CLI to output additional exit codes, on top of the usual 0, 1, or -1. These enhanced exit codes are typically used when scripting Chocolatey CLI into a larger workflow, and taking additional action when a specific outcome has occurred. This release of Chocolatey CLI increases the number of places where enhanced exit codes are output, including in the apikey, config, feature, pin, source, and upgrade commands. See the output of choco [command] -h for specific information about the enhanced exit codes available for each command.

Improvement to Installation of Chocolatey CLI

When Chocolatey CLI was uplifted to require .NET Framework 4.8, there was a noticeable change to how the installation happened. If you were installing on a machine that didn't already have .NET Framework 4.8 installed, the script would perform that installation, but it would then immediately prompt for a reboot, and then the installing user would need to run the installation script again. This was far from ideal, and thanks to a change from @JPRuskin, this is no longer required. Instead, when installing on a machine that doesn't already have .NET Framework 4.8 installed, the installation script will install it, but it will also immediately install the Chocolatey CLI files, and then it will prompt for a reboot (as this is still a requirement). After the reboot, Chocolatey CLI can be used straight away, without the need to re-run the installation script.

Allow Bypassing of Pinned Package(s) During Upgrade

A long-standing request in Chocolatey CLI was around the usage of the choco pin command. For example, let's say that you complete the following:

choco install windirstat
choco pin add --name="windirstat"

or you shorten the above to the following:

choco install windirstat --pin

Going forward, any time you attempt to run either of the following:

choco upgrade all
choco upgrade windirstat

Chocolatey CLI will not allow this action to happen, since the package has been pinned. It is doing exactly what has been asked of it. However, if you really do want to upgrade the package, you would have to do the following:

choco pin remove --name="windirstat"
choco upgrade windirstat
choco pin add --name="windirstat"

In this release of Chocolatey CLI, the above three commands can be condensed to the following single command:

choco upgrade windirstat --ignore-pinned

The end result will be that the package is upgraded, and will also still be pinned.

Install all Packages From a Source

A well known feature for Chocolatey CLI is the ability to run the following command:

choco upgrade all

Which will upgrade all the currently installed packages to the latest available versions.

In this release of Chocolatey CLI, you can now also run the following:

choco install all --source <your-custom-source-url>

This would allow the installation of all the packages on a custom source that you specify. This could potentially be very useful for initial machine setup/configuration, where all the required packages are stored on a custom feed.

Usage of this command is not allowed against the Chocolatey Community Repository, as installing over 10,000 packages at the same time isn't recognized as a necessary use case :smile:.

Package Hash Verification Check

Security is important to everyone, and we at Chocolatey Software, Inc. do everything that we can to ensure that usage of Chocolatey CLI remains as safe as possible.

One new addition to Chocolatey CLI to help with security is the usePackageHashValidation feature, which you can enable using:

choco feature enable --name="usePackageHashValidation"

This will verify that the hash of the package file (the .nupkg) matches what is reported from the server that it is being installed from.

This feature will only work when the feed that is being used, reports the stored package hash.

New `choco rule` Command

Within Chocolatey CLI, there are a number of validation rules that are run every time the choco pack command is run. These validation rules are there to ensure that packages meet a minimum bar in terms of requirements. On top of this, with the release of the Chocolatey Community Validation Extension, it is possible to have a number of other validation rules in play during the choco pack and choco push commands.

However, prior to this release of Chocolatey CLI, there was no way to be able to "see" what validation rules are being applied. The introduction of the choco rule command changes that by making it possible to list out all the validation rules that are in action, and also to get additional information about a specific rule. Run choco rule -h to get full information, or visit the docs.

Show Remembered Arguments for a Package

Since version 0.20.0 of Chocolatey GUI, it has been possible to view the remembered package arguments for a given package. This ability can be very useful when reviewing how packages were installed, in order to ensure that they are done the same way on another machine, for example.

In this new release of Chocolatey CLI, it is now possible to get the same information by running the choco info <packageName> --local-only command.

Prevent Usage of `--ignore-pinned` Through Chocolatey Agent

Within this v2.3.0 release of Chocolatey CLI, a new command line option called --ignore-pinned has been added. After discussion with the team, the decision was taken that this command line option should be one of the Background Service Restricted Options, since it could provide a mechanism to by-pass the configuration that has been put in place by a System Administrator. Any attempt to use the --ignore-pinned option when running in Self Service mode will be blocked. This addition was the main impetus for the v6.2.0 release of Chocolatey Licensed Extension, and v2.1.3 of Chocolatey Agent.

Thank you to @TheCakeIsNaOH!!!

In this release of Chocolatey CLI, @TheCakeIsNaOH had no fewer than 11 Pull Requests merged! This is quite simply amazing, thank you!

Also, they already have another 5 Pull Requests lined up for the next release :smile:!

For future release announcements, we are working on the ability to call out everyone who has helped with a release. Keep an eye out for that happening in the release notes that we store on GitHub, and on our docs site!

Release Notes

For more information on the changes, features, improvements and bug fixes that were included in these releases, please see the release notes:

Learn More

Check out the documentation.
Learn about other features available in Chocolatey for Business.
Contact us to find out more and setup your evaluation of Chocolatey for Business today.

Three Billion Installs?

Gary Ewan Park — Fri, 31 May 2024 00:00:00 GMT

It was just over 1 and a half years ago when we announced 2 billion package installations from the Chocolatey Community Repository. It took us 9 years to get to our first billion downloads. But each subsequent billion is taking less and less time to reach!

The 2 billion package installations happened on 9 September 2022. At that time we had just over 9,500 unique packages and just over 165,000 total packages. Today we have grown those numbers to over 10,400 unique packages and a staggering 220,000 total packages! Chocolatey Software hosts the largest community repository of Windows packages of any software or package manager on Windows today.

The Chocolatey Community Repository, Made Even Sweeter with Elasticsearch!

Josh King — Wed, 22 May 2024 00:00:00 GMT

import Callout from '@choco-astro/components/Callout.astro';

Have you ever searched for a package on the Chocolatey Community Repository and found yourself scratching your head at the list that was returned to you? Or perhaps even more frustratingly, tapping your foot because it is taking so long to get any results at all?

Earlier this year, in the post that started our back-to-basics series, Paul covered what the Chocolatey Community Repository is and how you’re able to use it. In this post we’re going to give you a rare peek behind the curtains at the infrastructure that powers the Chocolatey Community Repository and a recent project that saw its search functionality completely replaced.

The Need for Speed

Before diving into the recently completed project, let’s take a moment to lay out the challenges we faced with the old search system that led us to replacing it.

<Callout type="info"> I’m using the term “search” throughout this post, and this may make you think of the search bar at the top of the webpage when visiting the Chocolatey Community Repository in a browser. While that is indeed one part of the repository’s search system, it also plays an important part in the functionality of Chocolatey CLI. Any command that reaches out to the Chocolatey Community Repository, including the fundamentals like install and upgrade, go through the search system. </Callout>

Latency

The old search system wasn’t known to be performant. Unfortunately, the time to return search results was not a metric we tracked. Instead we’ll consider the overall latency experienced when using the Chocolatey Community Repository. This is average time, in seconds, it would take to respond to a request.

Over the six weeks leading up to replacing the search system the average latency was: 1.3 seconds

Do remember this is an average, meaning that many requests were responded to much faster, but on the other side of that same coin many requests were much slower. Frustrating to say the least.

Consistency

This isn’t really a statistic that can be measured, but more so a result of the architecture behind the old search system. As illustrated in the diagram below, the Chocolatey Community Repository isn’t hosted on one monolithic server and is instead powered by a number of smaller “workers”. Historically each of these workers maintained its own cache of search queries and results it had seen. As a user you had no control over which worker you connected to meaning the answer to your particular query may not be readily accessible when processing your request and so the worker has to go ask the database, cache the result, and return the answer to you.

<div class="text-center"> {/* Dark theme only /} <img class="dark-theme border-0 w-75" src="https://img.chocolatey.org/charts/LocalCache-Dark.svg" alt="Chocolatey Community Repository with Local Search Caches" title="Chocolatey Community Repository with Local Search Caches" /> {/ Light theme only */} <img class="light-theme border-0 w-75" src="https://img.chocolatey.org/charts/LocalCache-Light.svg" alt="Chocolatey Community Repository with Local Search Caches" title="Chocolatey Community Repository with Local Search Caches" /> </div>

This resulted in inconsistency when two different workers would potentially cache two different answers to a given search query. This could take the form of seeing a new version of a package and trying to install it, only to be told that that package version doesn’t exist. Why? One worker cached the fact that the previous version was the latest and won’t “see” the new version until its cache expires, and it checks with the database again.

Database Load

The local search cache mentioned above also meant that there was a lot of queries being made to the Chocolatey Community Repository’s database. If you assume there were five workers running, a given query would need to be answered five times before all of those workers had cached the answer. Repeat this for when the cache expired and the workers need to repeat those same queries again to (potentially) get an updated response. Then multiply that by over 10,000 unique packages and 200,000 package versions. I will share some graphs to help visualize the before and after of our database load following the replacement of our search system, but for now these are the raw numbers we were starting with.

CPU Utilization: 11.88% average with spikes up to 80%.
Incoming Network Throughput (kB/s): 409 average with spikes over 900.
Total Storage IOPS: 297 average with spikes over 1250.

Introducing Elasticsearch

The title of this post gave away the surprise, but to address the search related challenges we were facing with the Chocolatey Community Repository, we turned to Elasticsearch.

Elasticsearch is a popular search engine that excels at full-text search and promises to provide “lightning fast search.” Sounds perfect to me.

Having settled on Elasticsearch we set about introducing it into our infrastructure. Instead of a search cache on each worker, we harvest all searchable information and index it centrally in Elasticsearch. Now each worker queries the same search cache, and this cache is the source of truth as far as the workers are concerned… there is no fall back to asking the database for a second opinion.

<div class="text-center"> {/* Dark theme only /} <img class="dark-theme border-0 w-75" src="https://img.chocolatey.org/charts/Elasticsearch-Dark.svg" alt="Chocolatey Community Repository with Elasticsearch" title="Chocolatey Community Repository with Elasticsearch" /> {/ Light theme only */} <img class="light-theme border-0 w-75" src="https://img.chocolatey.org/charts/Elasticsearch-Light.svg" alt="Chocolatey Community Repository with Elasticsearch" title="Chocolatey Community Repository with Elasticsearch" /> </div>

The keen-eyed reader will note that there is a dotted line from the workers to the database in this diagram. This is for those times when the cache needs to be updated, when, for example, a new package is pushed to the Chocolatey Community Repository.

Not All Smooth Sailing

So, problem solved, right? Nothing is ever that easy! Before we look into the results, let’s first look at some of the bumps we found in the road on this implementation journey.

A Failed Deployment

Working in Infrastructure Operations, the reality is that if I do my job right then no one should notice. When things don’t go right though, we have to do what we can to minimize the impact.

On February 19, 2024, we were all set to deploy an update to the Chocolatey Community Repository which would introduce the Elasticsearch powered search cache. We’d tested the update internally every which way we could conceive and were confident that the deployment would go off without a hitch.

And then we opened up the repository to the public.

Over a short period of time, the Chocolatey Community Repository began crawling to a halt. What we hadn’t accounted for in our testing was some of the wild, and unsupported, search queries the repository was subjected to on a persistent basis. As Elasticsearch was unable to handle these unsupported queries, the workers were helpfully redirecting them to the database which was very quickly saturated and couldn’t keep up with the load.

After some time trying to fix the issue in place, the decision was made to roll back to the previous version of the Chocolatey Community Repository while we assessed what had gone wrong and patched the code to prevent the same thing happening next time.

A few weeks later, we had a solution for handling the unsupported queries. This also led to improved testing, allowing us to better replicate real world traffic conditions. On March 24, 2024, we finally deployed the Elasticsearch enabled version of the Chocolatey Community Repository.

Long Time Issues Unmasked

With the repository now online and using the new Elasticsearch cache, several longstanding issues were uncovered that had previously been masked by the usage of a local search cache on each of the workers.

One of the these issues resulted in port exhaustion, and it stopped workers from creating new network connections. Previously, no one noticed this as the results to common searches were stored locally, so the worker could still respond to most incoming requests. Now that the workers needed to reach out to Elasticsearch? Suddenly the worker would go silent and not respond to search queries until some ports opened back up.

It’s a little embarrassing to admit that this issue had remained hidden under the old search infrastructure. But once identified, this was easily fixed.

Crossing the Finish Line

Deployment done, and teething issues addressed, did we fix the problem areas that set us on this journey in the first place? Let’s go back through them and find out!

Latency

Prior to implementing Elasticsearch, the average latency when access the Chocolatey Community Repository was 1.3 seconds and afterward this dropped to 0.6 seconds. That is over 50% of what it used to be!

This improvement was best summed up by my colleague, Gary:

Consistency

There’s not much to say here! Moving to a centralized search cache naturally means all workers are now working with exactly the same data. So responses are consistent regardless of which worker a user happens to be directed to when using the Chocolatey Community Repository.

Database Load

Finally, what happened to our database load? You’ll remember above I mentioned that the workers now consider Elasticsearch as their source of truth for search queries and there was no falling back on the database for a second opinion? Given this you’d expect to see a considerable decrease in database usage, and you’d be correct.

CPU Utilization

This dropped from an average of 11.88% to 5.52%, and the spikes plummeted from up to 80% down to just under 15%.

This is such a huge drop in CPU usage that we could consider reducing the size of the compute that this database runs on. That wasn’t the goal of this project, but is certainly a nice side benefit.

Incoming Network Throughput

Previously this was an average of 409 kB/s and is now 158 kB/s, with the spikes dropping from 900 kB/s to 644 kB/s.

Total Storage IOPS

Finally, storage IOPS saw a similar decrease, from an average of 297 to 126, and spikes of 1250 decreasing to 1042.

Wrap Up

So there we have it, the journey towards implementing Elasticsearch on the Chocolatey Community Repository. While it wasn’t necessarily a smooth ride getting there, the end result has been amazing. I hope you’ve noticed, and benefitted from, the improved search performance.

If you’ve got any questions about this post, the Chocolatey Community Repository, or Chocolatey in general, please reach out to us on our Community Hub!

Unpacking Software Livestream and Podcast, Episode 4

Paul Broadwith — Fri, 17 May 2024 00:00:00 GMT

import Iframe from '@choco-astro/components/Iframe.astro';

We have just published episode 4 of our livestream, and podcast, Unpacking Software. You can watch it now on YouTube, LinkedIn and X.

Patch Tuesday

Software News

VMware Workstation and Fusion "Enterprise Standard Pro Edition" goes free for personal use, commercial use moves to subscription model.
Company's entire Google Cloud environment deleted after "misconfiguration".
- Twitter / X tweet / xeet.
- Google Cloud accidentally deletes UniSuper’s online account due to ‘unprecedented misconfiguration’ - The Guardian.
IBM acquires HashiCorp for $6.4B.
Linux package managers disagree on usefulness of AI / ML contributions.

Security News

Events

PowerShell Conference Europe 2024 on June 24 to 27, 2024 in Antwerp, Belgium
- Chocolatey Software is a sponsor.
- Stop by for giveaways and to chat with some of the Chocolatey Team!

To ensure we are creating content that you want to see, and listen to, we need your feedback. Please complete our very short survey letting us know your thoughts of this month's content.

Thanks for watching and listening!

What Is Chocolatey GUI, Self Service and the Chocolatey Agent Background Service?

Gary Ewan Park — Thu, 02 May 2024 00:00:00 GMT

import Callout from '@choco-astro/components/Callout.astro';

In our fourth back-to-basics blog post, we're going to take a look at Chocolatey GUI, using Chocolatey CLI in Self Service mode, and the work of the Chocolatey Agent's Background Service.

In our first three blog posts, we found out what the Chocolatey Community Repository is, and how to create your own packages, and we also learned exactly what Chocolatey CLI is. Now that we have this information at hand, we can begin exploring how Chocolatey CLI and Chocolatey GUI can be used in a Self Service mode with the Chocolatey Agent Background Service, which is a common requirement for our Chocolatey for Business customers.

What Is Chocolatey GUI?

If you're familiar with what Chocolatey CLI is, you'll know that it works from the command line. But what do you do if you want the power of Chocolatey CLI, visually, using a graphical user interface (GUI)?

Chocolatey GUI provides the more commonly used functionality of Chocolatey CLI, using an interface that is immediately familiar and usable. It's commonly used by organizations to give colleagues a familiar interface to self-serve their own software, without giving them Administrator privileges.

What Is Self Service?

Self Service allows colleagues to selectively manage packages, and the software they provide, on their computer without providing them with Administrator privileges, normally required for managing software on Windows.

The important part of Self Service is that the person installing or managing the software may not have permission to install software. But using Chocolatey Agent you can control what they can manage, and what they can install or uninstall. In addition, by controlling the list of packages, and therefore software, that can be installed, Administrators have a clearer understanding of what can be installed across the entire organization.

Behind the scenes, the functionality of Self Service is provided through Chocolatey Agent using a feature known as "Background Service". This feature ensures that Chocolatey packages, and therefore the software managed by them, are managed by a user account with the Windows required permissions that Chocolatey Agent controls.

With the Background Service feature of Chocolatey Agent enabled, both Chocolatey CLI and Chocolatey GUI, can take advantage of it and allow packages to be managed.

What Is Chocolatey Agent?

Chocolatey Agent uses a Windows Service, which along with other features, provides the Self Service implementation that is used by both Chocolatey CLI and Chocolatey GUI.

Chocolatey Agent is the client-side component of Chocolatey Central Management, facilitating both the communication of the local package state, and executing Deployment Plan Steps.

What Is a Source?

Before we go further, we should really define what a 'source' is in the context of both package managers, and Chocolatey products. This is an important consideration when it comes to the Chocolatey Agent configuration.

A 'source' is a location (sometimes also referred to as a 'feed') where Chocolatey CLI can find information about packages. Chocolatey CLI comes pre-configured with one source: the Chocolatey Community Repository which we learned about in our first back-to-basics blog post and livestream.

You can run your own Chocolatey package source. This can be a simple file share, or a dedicated repository manager such as Sonatype Nexus or JFrog Artifactory. We have extensive documentation on hosting your own packages internally to help you decide what is best for your organization.

Hosting a Chocolatey packages source allows you to have complete control over which packages can be installed, or otherwise managed.

To see which sources Chocolatey CLI currently has configured, you can run the following command:

choco source list

To create a new source, for example to add a repository that you have created, you would run the following command, remembering to replace the --source value with your own URL:

choco source add --name="my-internal-source" --source="https://my-internal-source/api/v2/"

How Do I Install Chocolatey Agent?

To use Chocolatey Agent, ensure you also have Chocolatey Licensed Extension installed and a valid Chocolatey license file in place.

Like all Chocolatey products, Chocolatey Agent is installed using its Chocolatey package, by running the following command:

choco install chocolatey-agent

Once installed you need to configure Chocolatey CLI to use Chocolatey Agent to perform actions.

How Do I Configure Chocolatey Agent?

We are only going to cover a few commands to provide the Self Service functionality with Chocolatey Agent. However, the documentation covers the extensive options available for Chocolatey Agent.

The following three commands are what we need to run to configure Chocolatey CLI and Chocolatey Agent:

choco feature disable --name="'showNonElevatedWarnings'"
choco feature enable --name="'useBackgroundService'"
choco feature enable --name="'useBackgroundServiceWithNonAdministratorsOnly'"

As Windows requires Chocolatey CLI to ordinarily need to be run by an account with Administrator privileges, and we will be using Self Service with accounts that do not have Administrator privileges, helpful warnings will be shown to remind us. As we are intentionally doing this, we don't need those warnings so we can disable them.
This command enables Chocolatey CLI to use the Chocolatey Agent Background Service for commands to be run.
Chocolatey CLI and Chocolatey GUI will, by default, pass commands from all users to the Chocolatey Agent Background Service. In the case of user accounts with Administrator privileges, this is unnecessary. By enabling this feature, we are limiting the accounts that commands are passed from, to be non-Administrators only.

Configure Self Service Sources

<Callout type="info"> By default, each source must be individually configured to allow Self Service. However, you can disable the useBackgroundServiceWithSelfServiceSourcesOnly feature, which is enabled by default, to allow all sources to be used for Self Service without the need to configure them individually. For security reasons we do not recommend you disable this feature. </Callout>

As mentioned in our previous back-to-basics blog post, Chocolatey CLI is secure by default. This continues with Chocolatey Agent and the Background Service by only allowing use of sources that have been specifically enabled for Self Service.

While logged in as a non-administrator user with the configurations above applied, running the command choco install windirstat, will give you the following error as none of the sources available are configured for Self Service:

<Callout type="warning"> Sources should only enable Self Service after careful consideration. </Callout>

To configure a Self Service source, add the --allow-self-service option to the command line, remembering to replace the --source value with your own URL:

choco source add --name="my-internal-source" --source="https://my-internal-source/api/v2/" --allow-self-service

Can Everyone Use Chocolatey Agent?

Self Service and the Background Service are features of the Chocolatey Agent product, and available as part of the Chocolatey for Business suite. See the product comparison for more information.

Got Questions?

Check the Self Service Anywhere feature page, the Chocolatey Agent setup FAQ, reach out for community assistance on our Community Hub Discord Server, or contact Chocolatey Support (run choco support for more information).

Summary

This is the fourth in our back-to-basics series. Chocolatey CLI, Chocolatey GUI and Chocolatey Agent all work together to allow your colleagues to self serve packages and software on their own computers, in a safe, secure and controlled way, providing the Administrators with confidence of what is deployed across the entire organization.

Unpacking Software Livestream and Podcast, Episode 3

Paul Broadwith — Mon, 29 Apr 2024 00:00:00 GMT

import Iframe from '@choco-astro/components/Iframe.astro';

We have just published episode 3 of our livestream, and podcast, Unpacking Software.

On the third Thursday of each month, at 5pm UTC, we livestream to Twitch and YouTube, Unpacking Software. Each month we chat about the latest news & opinion on the world of software focusing on packaging, software deployment & lifecycle management. We also publish a podcast of our stream, for you to save and enjoy using your favorite podcast manager.

JetBrains doubles down on process, fixes 26 security problems with no details, initially.
- Release notes.
- Security bulletin.
Over 170K users caught up in poisoned Python package ruse.
- Analysis of the malware - Detecting and removing the pypi hosted malware.
PyPI suspends new user registration to block malware campaign.
- 2023 suspension.
AI hallucinates software packages and devs download them – even if potentially poisoned with malware.
- Alibaba GitHub code where the fake package is included.
PuTTY vulnerability in versions before 0.80.
Microsoft is silently installing Copilot onto Windows Server 2022.
- Microsoft Learn.
- Twitter.
- Mastodon.
- Lemmy.
Adobe patches 9 vulnerabilities..
- Krebs on Security.
PowerShell Conference Europe 2024 on June 24 to 27, 2024 in Antwerp, Belgium
- Chocolatey Software is a sponsor.
- Stop by for giveaways and to chat with some of the Chocolatey Team!

To ensure we are creating content that you want to see, and listen to, we need your feedback. Please complete our very short survey letting us know your thoughts of this month's content.

Thanks for watching and listening!

What Is Chocolatey?

Gary Ewan Park — Fri, 12 Apr 2024 00:00:00 GMT

In our third back-to-basics blog post, we're going to take a slight step backwards, and talk about "What is Chocolatey?".

In our first two blog posts, we found out what the Chocolatey Community Repository is, and how to create your own packages. Now that we have this information at hand, we can dive deeper into exactly what Chocolatey is, and what it does for us.

A Little History

Chocolatey CLI was created by Rob Reynolds in 2011 (it had its 13th birthday in March this year) with the simple goal of offering a universal package manager for Windows. Chocolatey CLI is an open-source project that provides developers and admins alike, with a better way to manage Windows software.

We launched Chocolatey for Business (C4B) in 2016 that provides complete software lifecycle management, built on top of our popular open-source product Chocolatey CLI. C4B is backed with dedicated support, services, and roadmap with a focus on three value-added areas:

improved security.
enhanced productivity features.
enabling complete visibility of your software and package environment.

What Is a Package Manager?

This was covered in our second back-to-basics blog post, but it is worth emphasising the main point:

Chocolatey CLI is a package manager for Windows. If you've used Linux, then you're likely familiar with at least one of the various package managers available on that platform such as APT, Yum, DNF, or Pacman (among many others). On macOS you can use Homebrew for your package management needs.

Why Would I Want to Use a Package Manager?

Making use of a package manager makes the installation of software onto your computer much easier! It takes away a lot of the manual work that needs to be performed, to the point that installation of software can be completely automated.

Let's look at an example, consider the installation of a fictitious piece of software called "SoftwareA". Without a package manager, what do you need to do to install this software? You need to:

Find out where to download the software from.
Download the installation files that are appropriate for the computer that you are using (x86/x64).
Understand how that installer works and provide any additional command line arguments that need to be passed in.
Invoke the software installer and click through any screens that require input, or license acceptance.
Repeat this entire process again during upgrade, or on another machine.

A package manager provides a much easier, and repeatable, way to accomplish all of these steps!

What Is Chocolatey CLI?

Chocolatey CLI is the package manager for Windows. To re-iterate that point, as it is worth repeating, it is the package manager, for Windows. It manages packages. A package can contain the necessary instructions to install a piece of software onto your computer, but those instructions are part of that package. Chocolatey itself is not responsible for those instructions, only the installation of the package, onto your computer:

Chocolatey manages packages.
Packages manage software.
Chocolatey does not manage software.

Using the example that we started above, if we wanted to install "SoftwareA" onto our computer, Chocolatey CLI removes all of the above manual steps, and allows the installation of the software onto your computer with the use of a simple to understand command. Assuming that the software that you want to install exists on the Chocolatey Community Repository (if it doesn't you could look to create a package for it), and that you already have Chocolatey CLI installed, installing software is as easy as:

choco install SoftwareA

How Do I Install Chocolatey CLI?

The process of installing Chocolatey is well documented on our website. The typical installation can be completed using a single line of PowerShell from an administrative shell:

Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))

If you need more control over the installation of Chocolatey CLI, you can check out the other options.

Why Does Chocolatey CLI Require Administrative Permissions?

By default, Chocolatey CLI requires administrative permissions to run. This is done for a number of reasons, and one of the primary ones is security. We want the installation, and running, of Chocolatey CLI to be secure by default. This means locking down the installation folder of Chocolatey CLI, which needs administrative permissions. In addition to this, most Chocolatey packages use native installers (MSI, InnoSetup, etc.), that write to the Program Files folder, which again requires administrative permissions to complete.

However, it is possible to run Chocolatey CLI without administrative permissions. But, some packages require administrative permissions to install and will not install properly without them.

In addition, C4B provides the ability for non-administrator users to perform installations with administrator permissions using Chocolatey Agent (background service).

If you prefer to use a graphical interface for package management, Chocolatey GUI provides that ability. While this post is about Chocolatey CLI, as one of the core maintainers of Chocolatey GUI over the years, it would be remiss of me not to mention it!

Can Chocolatey CLI Manage Other Software Types?

Yes!

A Chocolatey package doesn't just contain instructions on how to install a piece of software, a package can contain:

Software installers.
Portable executable files.
Zip/Compressed files.
Random files, such as fonts.
License keys.
Registry keys.
Scripts that do... anything.

Got Questions?

Now that we have gone over what Chocolatey CLI is, and what it can do for you, you may have some burning questions. I've tried to predict some here, but skip to the bottom of this post for a link to our Community Hub on Discord to ask any unanswered questions.

What is the Difference Between Chocolatey CLI and WinGet?

This is a question that comes up from time to time, and it is one that requires more than just a section at the end of a blog post. Our very own Paul Broadwith recently presented a talk titled "Comparing WinGet and Chocolatey: A Real-World Look at Package Management Tools" at PSConfEU. This talk was recorded, and I would encourage everyone to watch it.

Does Chocolatey CLI Work on Linux/Mac?

First and foremost, Chocolatey CLI is the Windows Package Manager. It is not intended to install/uninstall/upgrade software on any other Operating System, other than Windows.

However...

There are some Chocolatey workloads that make sense to be executed on another Operating System. For example, you might be creating Chocolatey packages on a Continuous Integration platform like GitHub Actions, using Ubuntu, and you want to run the choco pack and choco push commands, without spinning up a Windows Virtual Machine. For these types of scenarios, you can use Chocolatey CLI on these platforms, assuming that they have Mono installed. There is also an official Chocolatey Docker Image available on Docker Hub, which can be used to help with these types of workloads.

I Have More Questions!

Check the General Chocolatey FAQ or reach out for community assistance on our Community Hub Discord Server.

Summary

This is the third in our back-to-basics series. Chocolatey CLI, the Windows Package Manager, is an every day tool for many people, and at the time of writing has been downloaded 330,148,996 times, and responsible for the installation of 2,887,299,830 packages.

I hope that this post has provided some insight into exactly what it is, and what it can do for you.

If you have any more questions, please reach out for community assistance on our Community Hub Discord Server.

Creating Chocolatey Packages, Step-By-Step, the Easy Way!

Josh King — Tue, 26 Mar 2024 00:00:00 GMT

import Iframe from '@choco-astro/components/Iframe.astro'; import Callout from '@choco-astro/components/Callout.astro';

In our second back-to-basics blog post, we're going to progress from consuming Chocolatey packages to creating them. What is a package, what is a package manager, and how do you go about creating your own packages?

What Is a Package?

This question was also answered in the previous back-to-basics blog post, but it is so pivotal to the topic of package creation that I will offer my own definition.

A package is a container that holds "stuff" and for a Chocolatey package it could include:

Software installers.
Portable executable files.
Zip/Compressed files.
Random files, such as fonts.
License keys.
Registry keys.
Scripts that do... anything.

Packages also have a manifest, like a "packing slip" on a physical package, that specifies information about the package and what is held inside it. This metadata generally includes:

Some way to identify the package (a package ID).
A version number, to distinguish a newer version of a package from previous versions.
A description of what the package contains.
Any dependencies, or other packages, that are required in order to make use of the package.

Before we move on, it's important to stress that "Packages" are not "Software" and vice versa. While a package can, and often do, install software, that's not their only use and conflating the two terms can cause confusion.

What Is a Package Manager?

We now know what a package is, but how do you use them? To actually work with packages, we use a tool called a package manager. This is a tool that:

Installs packages, executing any included instructions required to "unpack" the contents of the packages.
Uninstalls packages, rolling back any changes that occurred when a given package was installed.
Upgrades packages, replacing the "contents" of a previously installed package.
Manage dependencies, ensuring any packages that need to be installed before the package you're actually installing are, in fact, installed.

This is, in my opinion, the base line set of features that any given package manager should meet. It is not, however, and exhaustive list of possible features. A package manager could also do things like pin package versions so that you cannot accidentally upgrade them, help you discover available packages, or report on installed packages that have an upgrade available.

Chocolatey CLI is a package manager for Windows. If you've used Linux, then you're likely familiar with at least one of the various package managers available on that platform such as APT, Yum, DNF, or Pacman (among many others.) On macOS you can use Homebrew for your package management needs.

How Do You Create a Chocolatey Package?

The only thing left to do now is learn how to create our own Chocolatey packages. To illustrate the process, we're going to take an MSI installer and step through wrapping a package around it. MSI installers are a good option for your first package, as they are a standard installer type and generally one MSI will behave the same as another MSI. An EXE installer, on the other hand, could actually be one of a number of installer types under the hood and behave wildly differently from one another.

Get Your Installer

First things first, we're going to investigate our installer. For the purposes of this post, we're going to be packaging the installer for Elk Native, a light weight Mastodon client.

This project includes installers for different Operating Systems, including Windows, in their releases on GitHub. At the time of writing the latest release was v0.4.0 so we go to that release and download the file ending in .msi.

Our package will download this installer as part of its installation process, but we're downloading it manually now as we'll need to get some information from it later.

Creating a Scaffold

First you'll need to ensure that you have Chocolatey CLI installed and then open up a PowerShell console.

Create a directory in which we'll work on our package.

New-Item -ItemType Directory -Path "~/Documents/ChocoPkgs"
Change into this new directory.

Set-Location -Path "~/Documents/ChocoPkgs"
Use the choco new command to create the starting point for your package, providing the ID which will uniquely represent it. In this example we're using the ID elk-native.

choco new elk-native

Package Contents

You will now have a new directory specifically for your package with the same name as the ID provided. This directory contains all of the files required to complete your package as well as guidance to help you finish creating it.

The structure and contents of this directory will look like this:

elk-native
|- tools
|  | - chocolateyBeforeModify.ps1
|  | - chocolateyInstall.ps1
|  | - chocolateyUninstall.ps1
|  | - LICENSE.txt
|  | - VERIFICATION.txt
| - _TODO.txt
| - elk-native.nuspec
| - ReadMe.md

The _TODO.txt and ReadMe.md contain a wealth of information about package creation and they can be valuable resources, going further into depth than this post can. They are not required for our package, however, and so after reading them you can delete them.

<Callout type="info"> If you're going to store your package source in source control, you may wish to repurpose the ReadMe.md file to display information about the package in your source control system. </Callout>

The LICENSE.txt and VERIFICATION.txt files are for when you embed, with proper distribution rights, the installer inside the package and you're submitting your package to the Chocolatey Community Repository. We will not be doing that, so these files should be deleted.

elk-native.nuspec is the "packing slip" for our package, containing metadata about the package. If you open it, you'll find that the essential items that need to be filled out are uncommented and have place holder values. There are also lots of comments that explain each item, and a number of additional data points that can be uncommented, and filled out.

Please go through this file and fill out as much information as possible. Once finished, remove the comments (except the one that states it's not to be removed) and save it, the end result should look something like this:

<?xml version="1.0" encoding="utf-8"?>
<!-- Do not remove this test for UTF-8: if “Ω” doesn’t appear as greek uppercase omega letter enclosed in quotation marks, you should use an editor that supports UTF-8, not this one. -->
<package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
  <metadata>
    <id>elk-native</id>
    <version>0.4.0</version>
    <packageSourceUrl>https://github.com/Windos/chocolatey/tree/master/elk-native</packageSourceUrl>
    <owners>Windos</owners>
    <title>Elk Native</title>
    <authors>Elk Native contributors</authors>
    <projectUrl>https://github.com/elk-zone/elk-native</projectUrl>
    <iconUrl>https://cdn.jsdelivr.net/gh/Windos/chocolatey@0bd79df6b3e7797bd2ba272356c1eb4491b9d661/elk-native/elk-native.png</iconUrl>
    <copyright>© 2022-PRESENT Elk Native contributors</copyright>
    <licenseUrl>https://github.com/elk-zone/elk-native/blob/main/LICENSE</licenseUrl>
    <requireLicenseAcceptance>true</requireLicenseAcceptance>
    <projectSourceUrl>https://github.com/elk-zone/elk-native</projectSourceUrl>
    <mailingListUrl>https://chat.elk.zone/</mailingListUrl>
    <bugTrackerUrl>https://github.com/elk-zone/elk-native/issues</bugTrackerUrl>
    <tags>elk mastodon social</tags>
    <summary>Native version of Elk, a nimble Mastodon web client.</summary>
    <description>Native version of [Elk](https://github.com/elk-zone/elk), a nimble Mastodon web client.

Elk Native is even more early alpha than the web version, but we would love your feedback and contributions. If you would like to help us with testing, feedback, or contributing, join our [discord](https://chat.elk.zone) and get involved.

![Screenshot of the app, showing the federated timeline home](https://github.com/elk-zone/elk-native/raw/main/Screenshot-dark.png#gh-dark-mode-only)</description>
    <releaseNotes>https://github.com/elk-zone/elk-native/releases/tag/elk-native-v0.4.0</releaseNotes>
  </metadata>
  <files>
    <file src="tools\**" target="tools" />
  </files>
</package>

One of the options I've filled out in this example is the iconUrl, please make sure you're aware of the Package Icon Guidelines. In short, ensure the image is hosted somewhere that you control, and if that is on GitHub then use a CDN to access the image rather than linking directly to it.

To round out the package, we have three PowerShell scripts that form the instructions Chocolatey executes when managing the package.

chocolateyInstall.ps1 is executed when installing or upgrading your package. By default, it is defaulting to installation of an MSI installer, which is perfect for us. Note that the comments in this file show you how to use other installer types, including listing common silent installation arguments.

Take a moment to fill out this file now. Note that in our example, we only have a 64-bit installer and so we will be putting the download URL and related information against the variables with the 64 suffix and removing the equivalent variables without this suffix (which is for 32-bit.)

<Callout type="info"> If your installer can install both 32-bit and 64-bit versions of the software, then use the variables without the 64 suffix. </Callout>

You will need to know the checksum of our installer, which you can find by running this PowerShell command against the installer downloaded earlier:

Get-FileHash 'C:\Path\To\Installer\Elk_0.4.0_windows_x86_64.msi' -Algorithm SHA256

Save the file, then run the PowerShell snippet from the top of the file to remove all of the comments:

# This example assumes you created your package in the same directory as described earlier.
# If you created your package in a different directory, you will need to update this path:
$f='~/Documents/ChocoPkgs/elk-native/tools/chocolateyInstall.ps1'
gc $f | ? {$_ -notmatch "^\s*#"} | % {$_ -replace '(^.*?)\s*?[^``]#.*','$1'} | Out-File $f+".~" -en utf8; mv -fo $f+".~" $f

The end result will look like this:

$ErrorActionPreference = 'Stop'
$toolsDir   = "$(Split-Path -parent $MyInvocation.MyCommand.Definition)"
$url64      = 'https://github.com/elk-zone/elk-native/releases/download/elk-native-v0.4.0/Elk_0.4.0_windows_x86_64.msi'

$packageArgs = @{
  packageName   = $env:ChocolateyPackageName
  unzipLocation = $toolsDir
  fileType      = 'MSI'
  url64bit      = $url64
  softwareName  = 'elk-native*'
  checksum64    = '1B8F025E5187E07D3807B46EE38DA46DAE8FFC6F04EE78F22EB9E9618DD570A8'
  checksumType64= 'sha256'
  silentArgs    = "/qn /norestart /l*v `"$($env:TEMP)\$($packageName).$($env:chocolateyPackageVersion).MsiInstall.log`""
  validExitCodes= @(0, 3010, 1641)
}

Install-ChocolateyPackage @packageArgs

chocolateyUninstall.ps1 is executed when uninstalling your package. If you were doing anything "custom" in your package, like setting keys in the registry, then you would undo that here. In many cases, this file isn't actually needed as Chocolatey can automatically handle the uninstallation of many software installer types. This is the case with the MSI installer used by our package, so we can go ahead and delete this file.

Finally, chocolateyBeforeModify.ps1 is executed before upgrading or uninstalling your package. You would use this if you needed to stop a running process, or perform some other action, prior to attempting the requested change to your package. Again, this isn't the case for our package, so we can go ahead and delete this file as well.

The contents of our directory should be much simpler at this point:

elk-native
|- tools
|  | - chocolateyInstall.ps1
| - elk-native.nuspec

Our package is now complete and ready to be packed up and "shipped," but first let's dive in to the PowerShell and the helping hand that Chocolatey CLI is providing.

PowerShell Best Practices

Firstly, things can go wrong. This is why your install script starts with $ErrorActionPreference = 'Stop'. This tells PowerShell that if there are any errors, that it should stop what it's doing rather than try and carry on and end up in an unknown state where somethings worked and other things didn't.

You'll also note that all of the information about your installer was entered into a "hashtable." This format is easy to update, and easy for moderators on the Chocolatey Community Repository to review.

This also enables "splatting" where you can pass the entire hashtable to a PowerShell command rather than writing out each parameter one after another. A truncated example of this from our install script is as follows:

# Splatting
$packageArgs = @{
  packageName   = $env:ChocolateyPackageName
  unzipLocation = $toolsDir
  fileType      = 'MSI'
  url64bit      = $url64
}

# Using splatting
Install-ChocolateyPackage @packageArgs

# Writing parameters one after the other
Install-ChocolateyPackage -packageName $env:ChocolateyPackageName -unzipLocation $toolsDir -fileType 'MSI' -url64bit $url64

As you can see, writing parameters one after the other, make for long line lengths. Updating a value would involve hunting out the position of that value in the middle of that long line. Splatting greatly increases the readability of your script.

The final thing I wanted to cover here is to limit the output from your script. Chocolatey CLI writes output that an install is happening, that it has succeeded or failed, and more. So your script doesn't need to output this information. The end user experience should be consistent across packages. If you're writing out the same information, then the user may think something has gone wrong.

Chocolatey Functions That Are There to Help

The final line of our script includes a command that you may not be familiar with, even if you've been scripting with PowerShell for years: Install-ChocolateyPackage.

This is a PowerShell function provided by Chocolatey CLI that handles the download and execution of software installers. It saves you having to write the logic to perform these functions and allows packages to be created in a standard and repeatable way. The documentation for this PowerShell function shows all the potential parameters you can provide.

There are a large number of these functions that you can make use of, so I will only highlight some of the more common ones:

Install-ChocolateyInstallPackage - Used when the software installer is embedded in the package and doesn't need to be downloaded.
Install-ChocolateyZipPackage - Downloads the specified archive file and extracts it to the specified location.
Get-ChocolateyUnzip - Extracts an archive file to the specified location, without downloading it first.
Install-ChocolateyShortcut - Used to create shortcuts, useful when the installer doesn't create any but users would expect to see one.
Get-ChocolateyWebFile - Download a file and save it to a given location. Used when you need files hosted online that aren't an installer.

Take Your Package for a Spin

Alright, it's time to pack your package and test that it installs the contained software as we expect it to. From your PowerShell session, make sure you're in the directory that your package contents lives in and run the choco pack command.

Set-Location -Path "~/Documents/ChocoPkgs/elk-native"
choco pack

This command looks for all nuspec files in the current directory and will create a completed package for each that it finds. We only have the one nuspec and are expecting to see only one package created. See the documentation for the command if you need to point to a specific nuspec file or need to control where the resulted package is saved.

In our current directory we will now see a file with the extension nupkg. That is the package we created, named using the package ID and the package version number. Under the hood this is just a special archive file, so you can open it up with tools like 7zip. In our example, the resulting file is: elk-native.0.4.0.nupkg

You can now go ahead and install this package, using the choco install command and telling it that the current directory (.) is the source from which to find your package:

choco install elk-native --source .

<Callout type="info"> This will need to be done from a console with admin privileges. </Callout>

You will be asked if you want to run the install script in your package, press y to allow this to happen. All going well, you will now have the Elk Native software installed.

Our final test is, can we uninstall the package? Go ahead and use the choco uninstall command. There is no need to specify a source as the package is already installed:

choco uninstall elk-native

If you were creating your own unique package, you could at this point submit your package to the Chocolatey Community Repository. For info about this and the moderation process your package will go through, I recommend reading the previous back-to-basics post.

Got Questions?

Now that you've created and tested your package, you may have some burning questions. I've tried to predict some here, but skip to the bottom of this post for a link to our Community Hub on Discord to ask any unanswered questions.

Do I Have to Use the PowerShell Commands Provided by Chocolatey CLI in My Scripts?

If you're only using your package internally, then you're free to do as you wish with it and create any custom logic you need.

However, if you're looking at sharing your package with the community via the Chocolatey Community Repository, you'd need a very good reason to recreate the logic already covered by a standard Chocolatey command. A moderator will likely pick up on this and ask you to switch to the appropriate command when they review your package.

How Can I Know My Package Is “Good Enough” for the Chocolatey Community Repository?

One of the first things that happens when you push your package to the Chocolatey Community Repository is that it is automatically checked against a set of rules to validate that it meets a baseline of quality. You can test your package against a subset of these rules locally using the Chocolatey Community Validation Extension. This will run those tests when you run choco pack, and will cancel the creation of your package if any errors are found.

Read more about this extension in our recent blog post.

I’m Going to Be Creating a Lot of Similar Packages; Do I Always Have to Start With the Same Template?

The default template is a great starting point when learning to create packages, but if you find yourself using it often then you'll come to realize you're removing a lot of help content that you don't need any more.

What's more, if you're creating the same sort of package over and over again, you may benefit from a more tailor-made starting point.

The way to do this is to create your own Package Template. This will allow you to set your own starting point for new packages, and also allow you to include templated values so you can complete more of your package by providing information to your template when calling the choco new command.

I Have More Questions!

Check the Chocolatey Packaging FAQ, the Package Creation Guide, the 12 Days of Chocolatey Packaging series, or reach out for community assistance on our Community Hub Discord Server.

Summary

This is the second post in our back-to-basics series. Packages are the reason for Chocolatey CLI, the package manager, and also the Chocolatey Community Repository to exist. I hope that this post has empowered you to create your own Chocolatey packages, regardless of if your end goal is to maintain them for the wider community, your organization, or your own personal use.

If you have any more questions, please reach out for community assistance on our Community Hub Discord Server.

Celebrating Our 13th Year

Gary Ewan Park — Thu, 21 Mar 2024 00:00:00 GMT

This day, 13 years ago, Chocolatey CLI was born with the first commit made to GitHub. The first version of Chocolatey CLI, 0.6.0, was released just a few days later.

Back then, the Chocolatey Community Repository didn't exist, so it was published to the NuGet.org repository. A few months later, in August 2011, the Chocolatey Community Repository was born, and version 0.7.0.0 of Chocolatey ClI was officially published.

To date, there have been 1,311 downloads of that package version, whereas there have now been 20,820,768 downloads of the most recent package version, 2.2.2. It has been amazing to watch the growth of Chocolatey over the years!

Community Repository Downloads

Continuing with the tradition that has been set in our previous yearly blog posts (2021, 2022), we thought we would start by looking at the downloads from the Chocolatey Community Repository.

The Chocolatey Community Repository is the largest repository of Windows packages available. Up from 471M downloads in 2022, we saw an increase of 123M downloads in 2023 taking us to 594M for the year.

Year on year we are seeing an increasing number of downloads for the packages that are maintained by the Chocolatey Community. It is only once you see the numbers in this type of format that you begin to appreciate the scale of the project. Thank you to all the package maintainers, package moderators, and the wider Chocolatey Community, for making this happen!

Product Releases

Last year saw us releasing more product versions than all previous years. Up from 39 in 2022, we released 68 product versions last year, including:

Contained within that number of Product releases were a good number of alpha/beta releases. As we moved forward with the

switch to .NET Framework 4.8,
updating to use the latest NuGet.Client libraries,
support for NuGet v3 repositories,

we wanted to make sure that everything was working as expected, as this was done through the release of these alpha/beta packages.

A huge thank you to everyone who helped with testing these packages, and providing feedback on how they were working!

NOTE: This year, we changed the way in which we counted the Product releases slightly, so anyone looking back on the previous years blog post will notice some differences in totals for the year.

The Last Year

This year has been a particularly busy year for the Chocolatey Team, and we wanted to shared some of the highlights with you:

We released a major version of each of the core Chocolatey products (Chocolatey CLI, Chocolatey Licensed Extension, Chocolatey Agent, Chocolatey GUI and Chocolatey GUI Licensed Extension).
- This was a major undertaking by the team. Check out the release blog post for full details.
Chocolatey Central Management Deployments is a feature that our customers continue to be the most excited about. Adding the ability to import a Deployment Plan, as well as create Deployment Plans from different contexts (Group, Computer, and Software), has given users much more flexibility when creating Deployment Plans.
Over the past 12 months, we have produced 17 distinct videos on our YouTube channel as part of our monthly Product Spotlight and Coffee Break livestreams. These videos cover a range of topics, including discussions of recent releases and upcoming changes, as well as interviews with members of the Chocolatey Team and Community Moderators.

The Future

The focus for the remainder of this year is going to be improvements to the Chocolatey Community Repository, and the associated Package Moderation Services. There have been some long standing issues here that the team are very much looking forward to shipping solutions for!

Our customers, and community, drive us and our products. We are grateful to our community and our customers and we do not take for granted the support we receive, every single day.

Thank you for being part of our journey to 13!

Unpacking Software Livestream and Podcast, Episode 2

Paul Broadwith — Thu, 21 Mar 2024 00:00:00 GMT

import Iframe from '@choco-astro/components/Iframe.astro';

We have just published episode 2 of our livestream, and podcast, Unpacking Software.

To ensure we are creating content that you want to see, and listen to, we need your feedback. Please complete our very short survey letting us know your thoughts of this month's content.

Thanks for watching and listening!

Upcoming Changes to the Chocolatey Community Repository

Paul Broadwith — Fri, 15 Mar 2024 00:00:00 GMT

We are working to make improvements to the search functionality of the Chocolatey Community Repository. As this may affect our customers and community, we wanted to provide information ahead of the changes.

What Are We Doing?

There has been a long-running issue with the search functionality on the Chocolatey Community Repository. As the package indexes were stored on each web host, it could happen that those indexes are not the same for each host. This would result in package searches on one web host being correct, while on another it was missing a new package. While we have tried to minimize issues with updates, overall the issue continues.

The changes being made centralize the search index, allowing each web host to use the same index rather than their own, occasionally outdated one.

When Are We Doing It?

The changes are scheduled for Sunday 24 March 2024, between 20:00 and 22:00 UTC.

Supported Query Methods

The Chocolatey Community Repository uses the v2 OData protocol for queries, utilizing the NuGet v2 OData specification, where it is defined. Unfortunately, NuGet v2 OData specification is only loosely defined so one OData endpoint may respond with different results to another, if it responds at all.

While you may create your own queries, and get results, we have always been clear that this is not supported and may break in the future. Your own queries working today, are not guaranteed to work in the future. To guard against this happening, only the following methods are supported for querying the Chocolatey Community Repository:

To create machine-readable output from Chocolatey CLI, see our documentation.

API Changes

Below are highlights of the changes being made, but see our documentation for more details:

10,000 item limit. Results from the Chocolatey Community Repository will be limited to 10,000 items, including paging. Attempting to retrieve item 10,001 will return an HTTP Status Code 406 - Not Acceptable.
Reduced orderby parameter options. Only a subset of the orderby parameters that v2 OData makes available, are supported. If an unsupported orderby parameter is used, an HTTP Status Code 406 - Not Acceptable response will be returned.
Filter options only using supported tool. Queries, using filter options, are only supported when using Chocolatey CLI or chocolatey.lib. Any invalid queries, will return an HTTP Status Code 406 - Not Acceptable.
GetUpdates endpoint will error. The GetUpdates endpoint is not supported and any call to it will return an HTTP Status code of 410 - Gone.

Summary

This is a high-level overview of the changes being made. If you are querying the Chocolatey Community Repository using your own queries, please see our documentation for more details.

If you have any questions about the changes using supported tools, please reach out to us on our Community Hub in the first instance.

What Is The Chocolatey Community Repository?

Paul Broadwith — Fri, 01 Mar 2024 00:00:00 GMT

import Iframe from '@choco-astro/components/Iframe.astro';

In our first back-to-basics blog post, we wanted to go back to one of the first things that people find out about Chocolatey: the Chocolatey Community Repository. What is the Chocolatey Community Repository, how do you use it, and how does it work?

A Little History

Not long after Chocolatey CLI was first released in March 2011, the Chocolatey Community Repository was born, in September 2011. In the early days the repository was a place to store packages for installation with Chocolatey CLI. Moderation of packages didn't start until October 2014. Things were a little simpler back then, both for the Chocolatey Community Repository and the internet as a whole.

What Is The Chocolatey Community Repository?

In simple terms the Chocolatey Community Repository is a website that allows Chocolatey products to manage packages on a computer. It stores those packages and allows them to be consumed by you, and others.

In more complex terms, the Chocolatey Community Repository is a NuGet v2 endpoint (soon to be NuGet v3) that allows Chocolatey products to query, and therefore manage packages on your computer. Chocolatey products query the endpoint for packages that you have chosen to, amongst other things, install or upgrade. The packages are then downloaded and installed.

The Chocolatey Community Repository provides a user interface for you to search, view and manually download packages too. It shows you the package, all versions of the package, the files contained within the package, virus scan results and more.

What Is A Package?

So we have the Chocolatey Community Repository. We have packages in that repository for use by the Chocolatey community. But what actually is a package?

While this blog post isn't going to dig into the technical aspects of a package (we'll do that in a later blog post), Dictionary.com has a good definition:

a bundle of something, usually of small or medium size, that is packed and wrapped or boxed; parcel.

a container, as a box or case, in which something is or may be packed.

That definition is more akin to a package you'd have delivered. But it is a good definition of a Chocolatey package too: it's simply a container, in this case a Zip archive, that holds:

Contents: this could be software files, a software installer (MSI, or EXE for example), registry keys, license keys or just a binary file.
Instructions: what to do with the contents. These instructions are written in PowerShell. So you could run the software installer, copy files to a specific folder, import registry keys or copy a license key to a specific location and then run a program to import the license keys. If you can do it in PowerShell, you can almost always do it in a Chocolatey package.

We have documentation on creating packages, and on our Chocolatey products and packages that may help.

Who Creates and Maintains Packages?

You. Me. People like us. Members of the Chocolatey Community. Anybody can create and maintain a package.

A package maintainer ensures that a package is up-to-date, works as it should and commits to continue that maintenance. There is process for packages that are out of date or no longer being maintained.

How Do You Use The Chocolatey Community Repository?

So now we have a brief understanding of what a package is, let's talk about how you can use the Chocolatey Community Repository with those packages. You can:

Consume packages: Install, upgrade and get details on packages.
Submit packages: Create your own packages and share them with the Chocolatey community by uploading, or as we call it, pushing them to the Chocolatey Community Repository.

Install, Upgrade and Download Packages

Before you can use packages from the Chocolatey Community Repository, make sure you have Chocolatey CLI installed. Once you have it installed, you can:

Install packages: the majority of packages on the Chocolatey Community Repository are for common software. For example, to install Firefox, use the command choco install firefox. This command tells Chocolatey CLI to download the latest version of the firefox package from the Chocolatey Community Repository, extract the package contents, and runs the PowerShell script containing the installation instructions (the chocolateyInstall.ps1 script is used for installation). Firefox will then be installed to its default location where you can use it as normal. All of this without any interaction.
Upgrade packages: if you have an older version of Firefox installed, and you want to upgrade to the latest one, run choco upgrade firefox. The firefox package will be downloaded, the PowerShell script will be run and Firefox will be upgraded to the latest available version. If you want to upgrade all installed packages, you can do that using choco upgrade all. Again, all of this without any interaction.

Create and Share Created Packages

If you have created a package that you feel would benefit the Chocolatey community, then the Chocolatey Community Repository is the place to share it!

We won't dive into the technical aspects here. But keeping with the spirit of back-to-basics, the most common package runs a software installer EXE, and it's easy to create one. We also have documentation for advanced uses too, such as using an MSI installer or a Zip archive.

Once you have your package created, sign in or register for an account on the Chocolatey Community Repository. Log in, go to your account, and click Show API Key to retrieve your API Key. Keep it safe as you need it when you submit packages.

Now you have everything to submit the package to the Chocolatey Community Repository using Chocolatey CLI. If you had created a package called acme-awesome-tool then use the command choco push acme-awesome-tool --source https://push.chocolatey.org --api-key <YOUR API KEY> where <YOUR API KEY> is what you retrieved earlier.

Now ... wait for the email to confirm the package has been pushed. And then wait for your package to work its way through the moderation process.

Moderation Process? What is that?

Below is a simple workflow of what happens when you submit a package to the Chocolatey Community Repository.

Results of the Package Validator, Package Verifier, Package Scanner and Human Approval steps are emailed to you. If the package fails a step, it does not proceed to the next one. You have up to 35 days to fix the issues and submit the package again. The package will then go through the package moderation process from the start. If you have any questions or issues with the process, you can leave a moderation comment on the package page and a human Moderator will pick it up and respond. The queue of packages in the moderation process can be found on the packages package.

Moderators are long-time members of the Chocolatey Community who have demonstrated maintaining packages to a high standard over a long period of time. They have experience both in how the Chocolatey Community Repository works, and what a good and useful package looks like.

Step 1: Push Package

The very first step in the package moderation process is for you to push the package to the Chocolatey Community Repository! As mentioned above, once you have created your acme-awesome-tool package, use Chocolatey CLI to do the work by using the command choco push acme-awesome-tool --source https://push.chocolatey.org --api-key <YOUR API KEY> where <YOUR API KEY> is what you retrieved from your Chocolatey Community Repository account.

Step 2: Chocolatey Community Repository Received Package

After you push the package, the Chocolatey Community Repository will acknowledge your package being received by emailing you. Each step in the moderation process is acknowledged by an email so look out for them and make sure they don't end up in your spam folder.

Step 3: Package Validator

Package Validator is a service that validates your package against rules and guidelines that have been defined. These are used to ensure the quality of packages in the Chocolatey Community Repository continue to meet the standards that the Chocolatey community expects from packages. A few of those validations are:

A full list of requirements, guidelines, suggestions and notes is documented.

Step 4. Package Verifier

Package Verifier is a service that installs and uninstalls your package in a sandbox environment to ensure it works as expected. As of today, this sandbox environment is Windows Server 2019, but we will be adding more operating systems in the future.

Step 5. Package Scanner

Package Scanner is a service that gathers the files that the package installs and submits them to VirusTotal which " inspects items with over 70 antivirus scanners and URL/domain blocklisting services, in addition to a myriad of tools to extract signals from the studied content". The package itself, is also submitted to VirusTotal. Once the results are known, they are added to the package page.

Step 6. Human Moderator and Trusted Package

If your package is trusted, then it will skip human moderation and move straight to the next step when it has passed all other Package Moderation steps.

Otherwise, your package will wait for a human Moderator to pick up the package and look at it. A Moderator will look at different aspects of the package to ensure that it meets the quality standards required by the Chocolatey Community Repository. They will then provide advice and help on any issues with the package through moderation comments on the package page, or move it to the next step.

Step 7. Package Approved and Available For Use

Once your package has passed all Package Moderation steps, it will be approved and be available for use. If it is the latest version, you can install it with choco install acme-awesome-tool, or upgarde to it using choco upgrade acme-awesome-tool. If not, you can install that specific version using choco install acme-awesome-tool --version <VERSION> where <VERSION> is the version you want to install.

Got Questions?

Now that you know what the Chocolatey Community Repository is, how it works and how you can use it, we know you'll have more questions.

Do I Have To Use the Chocolatey Community Repository To Host Packages?

Simple answer is no. If you're an organization, we recommend you do not use the Chocolatey Community Repository directly. Organizations have different needs to our community users, and we must ensure that the repository continues to be available for everybody and not overwhelmed.

You can create and push packages to your own internal package repository. You will have to maintain the standards of those packages yourself as Package Validator, Package Verifier and Package Scanner will not be available to you.

Can I Use The Chocolatey Community Repository For My Packages?

Packages on the Chocolatey Community Repository should have broad appeal for the Chocolatey community. Packages that have a narrow use for you, your group, organization or club should be hosted on your own repository. Similarly, the Chocolatey Community Repository is not a testing ground for you to test packages in - this is very much frowned upon!

But if your package has a broad appeal for the community, we would welcome it. See our documentation for creating packages.

I Have More Questions!

Check the Chocolatey Community Repository FAQ or reach out for community assistance on our Community Hub Discord Server.

Summary

This is the first in our back-to-basics series. The Chocolatey Community Repository is at the heart of the Chocolatey community and is typically the first exposure people have to Chocolatey packages. I hope this post helps explain what it is, how you can use it and how it works in more detail.

If you have any more questions, please reach out for community assistance on our Community Hub Discord Server.

Unpacking Software Livestream and Podcast, Episode 1

Paul Broadwith — Thu, 15 Feb 2024 00:00:00 GMT

import Iframe from '@choco-astro/components/Iframe.astro';

We have just published episode 1 of our livestream, and podcast, Unpacking Software.

Windows gets a sudo command.
Bluesky has gone GA!
Nginx is forking!
- Mailing list message.
Ivanti is having a bad day!
- The vulnerabilities are in the Connect Secure and Policy Secure VPN products.
  - CVE-2023-46805.
  - CVE-2024-21887.
  - CVE-2024-21888.
  - CVE-2024-21893.
- Exploitation of Another Ivanti VPN Vulnerability Observed.
- Volexity Catches Chinese Hackers Exploiting Ivanti VPN Zero-Days.
Adobe Acrobat Chocolatey package.
Zoom Chocolatey package.

To ensure we are creating content that you want to see, and listen to, we need your feedback. Please complete our very short survey letting us know your thoughts of this month's content.

Thanks for watching and listening!

Chocolatey Community Validation Extension Is Now Available!

Kim Nordmo — Thu, 25 Jan 2024 00:00:00 GMT

import Iframe from '@choco-astro/components/Iframe.astro';

Recently we released a new Community project called Chocolatey Community Validation that extends Chocolatey CLI by introducing additional rules that will be applied when creating packages.

What Is Chocolatey Community Validation?

Chocolatey Community Validation is a native extension that extends certain parts of Chocolatey CLI to give improved or new features to Chocolatey CLI.

The project is focused on bringing rules that Chocolatey packages would normally have to adhere to when being hosted on the Chocolatey Community Repository, to the choco pack command running locally.

Think of it as a limited version of the Chocolatey Community Repository Package Validator, now being available to you locally when creating your packages.

Want to see the extension in action? Watch our Product Spotlight Livestream!

Why Was This Extension Created?

The Chocolatey Community Validation extension was created to:

Provide a faster indication of a package being accepted to the Chocolatey Community Repository,
To give package maintainers the ability to use similar validation rules for their own repositories, and
To encourage a more open nature of the validation rules that are implemented.

What Is Currently Available?

This is the first release of Chocolatey Community Validation, so the initial ruleset we have added is small. Currently, the only implementation are the validation rule requirements we use in Package Validator for metadata/nuspec files with the exception of validating URLs. The implented rules are as follows:

These new rules will be used automatically when the extension is installed and choco pack is called, as well as when pushing a package to the Chocolatey Community Repository.

What's Next?

The main focus going forward for this Community extension is to implement more rules that are currently being used by Package Validator, as well as seeking feedback from our Customers and Community on other rules they would like to see.

Want To Give It a Try?

Install Chocolatey Community Validation with Chocolatey CLI!

choco install chocolatey-community-validation.extension

After install, run choco pack on any packages you have previously created. If they have invalid metadata fields this will be shown for errors such as a required field being empty, using an email address in the metadata, etc._.

Find out more about the rules we've implemented in our Release Notes.

12 Days Of Chocolatey Packaging - Day 12 - Creating a Chocolatey Hook Script

Chocolatey Team — Thu, 21 Dec 2023 00:00:00 GMT

Chocolatey Hooks - Bringing You Cheer Before And After Your Automation

Don't forget to prepare with Day 1, a sweet beginning to your Chocolatey journey!

Chocolatey Hook Scripts play the role of Santa's little helpers, ensuring that package installations not only happen seamlessly but also come bearing customized enhancements. These scripts add a touch of magic to managing Chocolatey packages, making the season merrier than ever. Hook yourself up with the knowledge of creating these incredible scripts today!

👉 The final day begins here! Creating Chocolatey Hook Scripts

Thanks for joining us as we walked through the wonderland of the 12 Days of Chocolatey Packaging. Happy Coding and Happy Holidays from the Chocolatey Team!

12 Days Of Chocolatey Packaging - Day 11 - Creating a Chocolatey Extension Package

Chocolatey Team — Wed, 20 Dec 2023 00:00:00 GMT

On Dasher, Dancer, Prancer, Vixen; Create A Chocolatey Extension

Swing your sleigh by Day 1 to make sure you've got everything you need!

🎄🌟🛷 Package your PowerShell modules and functions up tightly in a Chocolatey Extension package! No matter how big or small, Chocolatey extensions can assist with any configurations you want to use and reuse across multiple packages, making them a powerful addition to your Chocolatey environment! Wrap some up today by clicking the link below; no ribbons or bows required! 🎁🎀🎉

👉 Ready? Creating Chocolatey Extensions

Frolic and play the Chocolatey way and may your code be swift and sure! ❄️⛄ #TechWonderland #ChocoHoHo 🍪🥛

12 Days Of Chocolatey Packaging - Day 10 - Creating Custom Package Templates

Chocolatey Team — Tue, 19 Dec 2023 00:00:00 GMT

Tech Elves, Unite!

Be sure to stop by Day 1 to make sure you've got your twelve drummers drumming and all other necessary parts!

🎄✨ Unwrap the Gift of Chocolatey Magic this Christmas! 🍫🎁

'Tis the season for joy and tech delights! 🎅🔧 Dive into the festive spirit with our exciting Christmas treat: a guide to crafting your very own custom Chocolatey package templates! 🍬✨

Whether you're a tech enthusiast, developer extraordinaire, or just someone craving a sweet tech adventure, this is the perfect present for you. 🎉👩‍💻🎁

Click on the link below to embark on a journey filled with code, creativity, and chocolatey goodness! 🚀🍫✨

🌟 Unwrap Your Chocolatey Package Template Gift Here! 🌟

May your code be bug-free and your holidays be filled with warmth and joy! 🎄🍪 #TechTreats #ChocolateyMagic #HolidayCodingJoy

12 Days Of Chocolatey Packaging - Day 9 - Exporting Packages

Chocolatey Team — Mon, 18 Dec 2023 00:00:00 GMT

Wrap The Presents With Care

Be sure to stop by Day 1 to make sure you've got all the cookies and eggnog you need to continue!

🎄✨ Unwrap the Gift of Chocolatey Magic this Christmas! 🍫🎁

This holiday season, spice up your tech game with the sweetest treat for developers and IT pros alike! 🚀 Dive into the world of Chocolatey, where packaging and deploying software becomes as delightful as opening presents on Christmas morning.

🌟 Imagine a winter wonderland where software installation is a breeze, updates are seamless, and configurations dance to the tune of holiday joy. 🎶🔧 Whether you're a tech enthusiast or a seasoned pro, exporting Chocolatey packages is your ticket to a smoother, faster, and more festive software management experience.

Ready to add a sprinkle of holiday magic to your development toolkit? Click the link below to discover the secrets of exporting Chocolatey packages and unwrap a present that keeps on giving! 🎅🔗 Exporting Packages

May your code be bug-free, your deployments swift, and your Christmas filled with tech-tastic cheer! 🌐🎅 #ChocolateyChristmas #TechJoy #SoftwareMagic

12 Days Of Chocolatey Packaging - Day 8 - Creating a Package containing large files

Chocolatey Team — Fri, 15 Dec 2023 00:00:00 GMT

Be sure to stop by Day 1 to make sure you've got all the tinsel and ribbon you need to continue!

🎄✨ Unwrap the festive coding joy! 🚀 Dive into the holiday spirit by crafting a Chocolatey package adorned with a jolly large binary, turning software deployment into a merry tech spectacle. 🍫🌟 Click the link below to embark on a holly jolly coding adventure! 🎁🚀

👉 Create a Chocolatey Package with Festive Binaries 🚀🍬 #CodeMerryChristmas 🌟

12 Days Of Chocolatey Packaging - Day 7 - Creating a Chocolatey Meta Package

Chocolatey Team — Thu, 14 Dec 2023 00:00:00 GMT

Be sure to pop over to Day 1 before moving on to make sure you have everything you'll need to get started.

🍫✨ Brace yourself for the ultimate Choco-delight! 🚀 Dive into the whimsical universe of Chocolatey meta packages, where a single package orchestrates a symphony of installations, transforming your coding journey into a delightful dance of tech magic! 🌟🎉 Click the link below and join the meta package fiesta! 🍭🚀

👉 Experience the Choco-delight 🚀✨ #MetaMagic 🌟

12 Days Of Chocolatey Packaging - Day 6 - Creating a Configuration Package

Chocolatey Team — Wed, 13 Dec 2023 00:00:00 GMT

Ready Your Wands

Be sure to stop by Day 1 to make sure you've got all the magical power you need to continue!

🚀✨ Ready to wield your coding magic and transform system configurations into a technicolor dream? 🌈💻 Dive into the whimsical world of writing Chocolatey packages that don't just install software but sprinkle enchantment on your system settings! 🌟✨ Unleash your inner tech sorcerer by clicking the link below and embark on a configuration adventure! 🚀🔮

👉 Craft Your Configuration Spell with Chocolatey 🚀✨ #ConfigWizardry 🌟

12 Days Of Chocolatey Packaging - Day 5 - Creating a Chocolatey Script Package

Chocolatey Team — Tue, 12 Dec 2023 00:00:00 GMT

Don your Santa Hat!

Make sure you've checked out Day 1 to ensure you've got everything you need setup and ready to go!

🚀✨ Dive into the wild, wacky world of Chocolatey Script Packages and turn your code into a party! 🎉🍫 Unleash the magic of scripting with a sprinkle of tech wizardry, making software deployment as fun as a confetti explosion. 🌟🎁 Click the link below for a script-tastic adventure! 🚀🍭

👉 Join the Script Package Fiesta 🚀🎉 #CodeAndConfetti 🌟

12 Days Of Chocolatey Packaging - Day 4 - Creating a CLI Executable Package

Chocolatey Team — Mon, 11 Dec 2023 00:00:00 GMT

On this delightful Day 4 of our 12 Days of Chocolatey Packaging celebration, we're empowering you to share your favorite EXE files with the magic of Chocolatey packages.

Ever wished you could easily package up that special tool or application and share it effortlessly? Well, you're in for a treat! Today, we're thrilled to guide you on creating a Chocolatey package containing a nifty EXE file.

Dive Into The Documentation Magic

Be sure to check out Day 1 before proceeding below, so you can be sure you have everything you need!

Creating Chocolatey packages might seem like magic, but fear not – we've got the spellbook right here for you! Check out our official documentation for an in-depth guide on crafting CLI packages.

Join Us For More Chocolatey Goodness!

As we continue our 12 Days of Chocolatey, we promise even more exciting insights, tips, and best practices to enhance your Chocolatey experience. Tomorrow holds another adventure, so stay tuned!

Celebrate the magic of Chocolatey, and may your software installations be as smooth as a perfectly wrapped chocolate truffle!

12 Days Of Chocolatey Packaging - Day 3 - Creating an Embedded Zip Package

Chocolatey Team — Fri, 08 Dec 2023 00:00:00 GMT

🎄✨ Get into the festive coding spirit! 🚀✨ Unwrap the secrets of Chocolatey with our Christmas-themed guide on creating ziptastic packages, making software deployment as joyous as opening a present! 🌟🍬 Click below to embark on a tech adventure! 🎁🍫

Be sure to check out Day 1 before proceeding below so you can be sure you have everything you need to spread some "zippy" cheer!

👉 All set? Dive into Chocolatey Zip Packages 🚀🎅🏻 #CodeCheerfullyThisChristmas

12 Days Of Chocolatey Packaging - Day 2 - Creating MSI Packages

Chocolatey Team — Thu, 07 Dec 2023 00:00:00 GMT

🎄✨ Unwrap the Gift of Automation this Christmas with Chocolatey MSI Packages! 🎁🍫

This holiday season, let's add a sprinkle of tech magic to your festivities! 🚀✨ Ever wondered how Santa efficiently deploys all those amazing presents? Well, we've got a digital surprise for you! 🎅🏻✨

Step into the world of Chocolatey, the package manager for Window, that makes software deployment as delightful as a cup of cocoa by the fireplace! 🌟✨ In our easy-to-use guide, we'll show you how to create your own Chocolatey MSI package, bringing the joy of seamless software installation to your Windows wonderland. 🌐🔧

Ready to spread the cheer? If you missed Day 1, head there first before clicking the link below and let the festive packaging begin! 🎉🍬

👉 Unwrap the Magic of Chocolatey MSI Packages 🎁🍫

Wishing you a tech-tastic holiday season filled with joy, code, and lots of virtual Christmas lights! 🎄🌟 #TechJingleAllTheWay 🚀🎅🏻

12 Days Of Chocolatey Packaging - Day 1 - Preparing Your Environment

Chocolatey Team — Wed, 06 Dec 2023 00:00:00 GMT

On the first day of coding, my IDE sent to me
An environment setup, thanks to Chocolatey.

And so it begins! 12 Days of Chocolatey Packaging!

Over the course of the next 12 Business Days we will work together to become Master Chocolatiers!

We've got to start somewhere, and today we'll walk through setting up your workstation to begin creating Chocolatey Packages! If you'd like, you can follow along each day on our Chocolatey Test Environment.

Ready To Get Started?

Let's head on over to Day 1 - Preparing your environment!

Chocolatey Central Management v0.12.0 Released

Stephanie Hays — Tue, 28 Nov 2023 00:00:00 GMT

We are thrilled to announce the v0.12.0 release of Chocolatey Central Management. This update closes 53 issues, reflecting our commitment to refining Chocolatey Central Management for you.

Discussed below are the main changes included in this release, but we also have a full set of release notes available providing more detail.

Deployment Plans: Your Way

In response to user feedback, we've added the ability to create Deployment Plans from pretty much... anywhere! Creating Deployment Plans is now a breeze with enhanced flexibility. Whether you're targeting a single outdated package on all affected Computers, all outdated packages on one or all Computers, or even creating Deployment Plans directly for a specific Computer or Group – the power is in your hands.

Duplicate Groups and Deployment Steps

Save valuable time by duplicating existing Groups and Deployment Steps effortlessly. Need another Deployment Step identical to an existing one? A simple click on the "Duplicate" button effortlessly replicates all the required information.

Insightful Group Details

We've heard from our users that in some cases, due to permissions, it was not possible to see the details of a Group. In this release, we've created an enhanced Group Details screen that will report on all of the Groups and Computers contained within the Group, as well as any additional Group-specific information.

Dashboard Upgrade

The Dashboard now offers crucial insights:

The number of Computers that haven't reported recently.
Total Deployment Plans in Draft, Ready, or Active states.

And the best part? We provide a "Last Updated" feature, ensuring you're always viewing the most current information.

Bug Fixes and User Interface Polishing

We have addressed issues like user impersonation, unnecessary permissions cluttering the user interface, and date format inconsistencies. We've also polished the user interface, ensuring a more consistent and visually appealing experience.

Documentation Clarity

Our documentation has undergone meticulous review to ensure correct capitalization and usage of terms like "Deployment Plan" and "Deployment Step".

Other Information

Curious for more details? Explore the complete release notes for a comprehensive look at all the changes.

Chocolatey Software Sponsors PackagingCon 2023 in Berlin!

Paul Broadwith — Mon, 16 Oct 2023 00:00:00 GMT

We are thrilled to announce that Chocolatey Software is proudly sponsoring PackagingCon 2023, the conference for packaging professionals, taking place in Berlin from October 26th to 28th. As leaders in the world of software package management, Chocolatey Software is excited to be part of this event that brings together experts, innovators, and enthusiasts from the packaging industry.

About PackagingCon

PackagingCon is the ultimate gathering for professionals and enthusiasts passionate about packaging technology, automation, and best practices. The conference will feature engaging talks and networking opportunities for attendees to connect, learn, and share insights on the latest developments in packaging and package management.

Chocolatey Software's Role

At Chocolatey Software, we are committed to advancing the field of software package management, particularly on Windows platforms. We are proud to be a sponsor of PackagingCon 2023, and we are eager to showcase our expertise in the industry.

Paul Broadwith's Talk: 'WinGet and Chocolatey: A Real-World Look at Package Management Tools on Windows'

One of the highlights of PackagingCon 2023 will be our Technical Engineering Manager, Paul Broadwith's, insightful talk titled 'WinGet and Chocolatey: A Real-World Look at Package Management Tools on Windows.' This talk will provide attendees with a overview into the world of package management on Windows, offering valuable insights on how WinGet and Chocolatey compare on simplifying software deployment and management.

This talk is not to be missed for anyone looking to enhance their knowledge of Windows package management tools.

Join Us at PackagingCon 2023!

If you are passionate about packaging technology and software package management, PackagingCon is the place to be. Don't miss this opportunity to connect with industry leaders, expand your knowledge, and learn from experts like Paul Broadwith.

To register for PackagingCon, and secure your spot at Paul's talk, visit the official conference website.

We look forward to seeing you in Berlin for PackagingCon 2023, where innovation and knowledge in the packaging industry will take center stage.

Important Update: Changes to Chocolatey CLI Install Script

Paul Broadwith — Fri, 06 Oct 2023 00:00:00 GMT

We recently made a small but significant change to the Chocolatey CLI install script that stops installation if the destination chocolatey folder exists at all.

This change in the installation behavior is aimed at reducing errors and stopping the contents of the folder being unexpectedly overwritten.

What's Changing?

Previously, when you attempted to install Chocolatey CLI using our install script, it would proceed regardless of whether the chocolatey folder already existed on your system. This could sometimes lead to unexpected consequences when that folder was not empty.

With this update, the installation script will first check if the chocolatey folder exists. If it does, the script will skip the installation process to prevent any issues. If the folder doesn't exist, the installation will proceed as usual, ensuring a clean and trouble-free installation.

How Does It Affect You?

If you are a new Chocolatey user or if you haven't installed Chocolatey CLI on your computer yet, you won't notice any significant changes. The installation process will proceed as expected.

For existing Chocolatey users who may already have the chocolatey folder on their computer, this change will prevent installation and potential issues for files and folders contained within it. If you do not need the chocolatey folder, simply remove it and run the Chocolatey CLI install script as normal. Always take a backup beforehand, just in case.

Where you have existing code, modules or integrations that relied on the previous behavior of the Chocolatey CLI install script, changes will need to be made. Ensure that the chocolatey folder does not exist before running the Chocolatey CLI install script and the installation will work just as it did before.

If you have any questions, and you are using Chocolatey CLI open-source, please reach out on Community Chat. For customers, please run choco support to find out your options.

Chocolatey Central Management v0.11.0 Released

Rain Sallow — Wed, 20 Sep 2023 00:00:00 GMT

We are thrilled to announce the v0.11.0 release of Chocolatey Central Management. In this blog post, we'll highlight the key new features.

New Features

Import / Export Deployment Plans

In Chocolatey Central Management v0.11.0, we have added the ability for you to import and export deployment plans in JSON format. Exporting can be done from either the Actions menu in the Deployment Plan tables, or the Export buttons on individual Deployment Plan pages.

See our newly-updated documentation for more information on importing and exporting Deployment Plans.

Export Computer Software Configuration to `packages.config`

Also newly added is the ability to export a Computer's currently installed packages as a package.config file to snapshot the packages installed and allow you to replicate a machine's Chocolatey packages onto another machine in a single install command.

See our documentation for full examples of how this works!

Deployment Plan Retention Policies

Chocolatey Central Management v0.11.0 also adds the ability for administrators to set retention policies for Deployment Plans. No longer will you have to manually tidy up old Deployment Plans!

See our retention policies documentation for more information.

All Computers (Automatic Group)

Starting in v0.11.0, Chocolatey Central Management adds a new All Computers (Automatic Group). This Group is managed by the system and will be maintained automatically as computers check in. At any given point in time, all computers that Chocolatey Central Management is aware of will be present in this Group.

See our documentation on the All Computers (Automatic Group) for more information.

Deployment Status Email Notifications

As of v0.11.0, Chocolatey Central Management will be able to send out email notifications when a Deployment Plan is completed, to inform you whether it completed successfully or not. This will only work if you have SMTP email already configured.

See our documentation on Deployment Status Notifications for more detailed information.

Other Changes

More information on other changes can be found in the latest release notes.

Derek Walker Joins Chocolatey as Infrastructure Operations Engineer

Chocolatey News Team — Wed, 13 Sep 2023 00:00:00 GMT

We are excited to announce that Derek Walker has joined the Chocolatey Team as an Infrastructure Operations Engineer!

Derek's journey into the world of IT can be traced back to his early encounters with computers. He got his first PC in middle school and started building his own a few years later. His first taste of Chocolatey was during his time working at a Managed Service Provider (MSP). Over the years, he has used PowerShell and various deployment tools to automate tasks and make life easier.

Derek has experience in a variety of technical roles including helpdesk, networking, and systems administration. He is currently pursuing a Bachelor's degree in Computer Science at the University of Illinois, Springfield and is an AWS Certified Solution Architect. His real passion is DevOps. Focusing on CI/CD pipelines and infrastructure as code to automate complex tasks.

"I'm honored to have the opportunity to be a part of Chocolatey and contribute to the community" says Derek. "I look forward to the responsibility of maintaining and improving Chocolatey's infrastructure."

Derek will be based remotely in Johnston, Iowa.

Guest Appearance on .NET Rocks

Gary Ewan Park — Thu, 31 Aug 2023 00:00:00 GMT

On the 10th August 2023, I joined Richard Campbell and Carl Franklin on a Riverside call to record an episode of .NET Rocks.

We chatted about a range of topics, including:

How Chocolatey CLI has been updated to use .NET Framework 4.8, rather than .NET Framework 4.0.
How you can use Chocolatey CLI both personally, as well as in an Organisational context.
Shipping v2.0.0 of Chocolatey CLI.
And lots of other things that I am now struggling to remember :smile:

I had a great time being interviewed by Richard and Carl, and I am interested to hear what you thought of the episode. If you have any questions, then please don't hesitate to reach out to me, and I will do my best to respond as quickly as possible.

Chocolatey Software Featured on Linus Tech Tips

Stephanie Hays — Thu, 27 Jul 2023 00:00:00 GMT

import Iframe from '@choco-astro/components/Iframe.astro';

<p class="lead mt-4">At Chocolatey Software, we are thrilled to share an exciting moment of recognition in the world of technology. Recently, we caught the discerning eye of none other than Linus Tech Tips – a renowned YouTube channel celebrated for its insightful tech reviews and captivating content. We couldn't be prouder to have been featured on this influential platform!</p>

Linus Tech Tips graciously showcased Chocolatey Software's capabilities, shedding light on how it has transformed the way Windows users handle software installations and management.

<div class="callout"> <p><q>We can even string together dozens of packages and have our new machine set itself up while we go out and wash the car.</q></p> <p><cite>- Linus Tech Tips</cite></p> </div>

At Chocolatey Software, our mission has always been to simplify software management, enhance security, and streamline workflows. Join the growing Community of users who have already embraced the convenience and power of Chocolatey Software. You can also download Chocolatey CLI today for your personal use or explore the robust features of Chocolatey for Business.

Helpful Links:

Major New Release of Chocolatey Products

Paul Broadwith — Wed, 31 May 2023 00:00:00 GMT

We are thrilled to announce the highly anticipated release of Chocolatey CLI, Chocolatey GUI, Chocolatey GUI Licensed Extension, and Chocolatey Agent version 2.0.0, and Chocolatey Licensed Extension version 6.0.0. These releases bring a wealth of exciting new features and enhancements that will further elevate your package management experience. In this blog post, we'll highlight the key additions and important considerations for upgrading.

We strongly recommend you read the in-depth upgrade guide for the new releases alongside this blog post. We have also provided a shorter overview of the changes.

New Features

NuGet v3 Feed Support

One of the major updates in this release is the inclusion of NuGet v3 feed support. This empowers users to leverage the extensive NuGet v3 repository managers that are available and easily integrate Chocolatey with those NuGet feeds, opening up a world of possibilities for your software management needs.

.NET 4.8 Framework Requirement

To ensure optimal performance and compatibility, the new versions of Chocolatey CLI now requires the .NET 4.8 framework. Upgrading to the latest .NET framework will enable you to take full advantage of the enhanced capabilities and security features offered by Chocolatey CLI.

Important Considerations

Using a Sonatype Nexus Package Source

If you use a Sonatype Nexus repository as a package source, you need to be aware of a bug in NuGet v2 repositories. See our upgrade guide for more information.

Removal of Side-by-Side Installs

With these new releases, we have decided to remove support for side-by-side installs. You can find more information on this in our upgrade guide.

Changes to `choco list` Command

As outlined in the 1.0.0 releases, we intended to change the behaviour of the choco list command. As part of the 2.0.0 release, we have completed that change. It now lists only the local packages installed on your system and displays an error if you use the --local-only, -l or -lo option. If you have automations, scripts or integrations that rely on the --limit-output or -r options, this change will not break your workflow as the removed options are ignored in this context. We recommend that you remove those options from your automations or scripts as this behaviour may change in a future release.

Package Version Normalization

Due to updated semantic version requirements imposed by the newer iterations of the NuGet libraries, some version numbers may appear differently than they did in Chocolatey CLI v1.x. As of Chocolatey CLI v2.0.0:

Version numbers that have fewer than three parts will have the version filled out to three segments (for example, 1.2 will be normalized to 1.2.0).
Version numbers that have leading zeroes in any part will have those leading zeroes removed (for example, 1.001.2 will be normalized to 1.1.2).

This normalization is applied to the generated nupkg when using choco pack, and will also affect any displayed versions of packages from remote sources.

Other Changes

More information on other changes can be found in our upgrade guide, or overview.

Summary

The release of the new major versions of Chocolatey products marks a significant milestone in the evolution of package management. With the introduction of NuGet v3 feed support, the requirement of .NET 4.8 framework, and various other enhancements, these new versions offer increased compatibility and expanded functionality.

It is important to be aware of the changes and take the necessary precautions when upgrading, and ensure that you review any customizations or configurations made to previous versions.

If you have any doubts about upgrading, any areas that you are just uncertain about or have any questions at all about upgrading, please don't proceed. Help is available.

Happy packaging with Chocolatey 2.0.0!

Celebrating Our 12th Year

Paul Broadwith — Tue, 21 Mar 2023 00:00:00 GMT

This day, 12 years ago, Chocolatey CLI was born with the first commit made to GitHub. The first version of Chocolatey CLI, 0.6.0, was released just a few days later. Back then, the Chocolatey Community Repository didn't exist, so it was published to the NuGet.org repository. With Rob Reynolds as a solo developer working on the project alone, he built a thriving community and created a popular commercial solution.

Rob no longer works on Chocolatey alone. With a diverse and geographically dispersed team, we collaborate, innovate and deliver Chocolatey products for our customers and community to ensure they have the best software automation solution for Windows.

Community Repository Downloads

At our birthday celebration last year, we started our journey looking at downloads from the Chocolatey Community Repository. This year we want to continue with that tradition!

The Chocolatey Community Repository is the largest repository of Windows packages available. Up from 435M downloads in 2021, we saw an increase of 35M downloads in 2022 taking us to 470M for the year.

If you want to see what those numbers were in years before 2020, see our 11th birthday blog post.

Product Releases

Last year saw us releasing more product versions than all previous years. Up from 29 in 2021, we released 36 product versions last year, including:

For 2023 we are set to match that number with 19, mainly alpha and beta versions, already released!

The Last Year

There have been some notable changes over the last year that we wanted to share with you:

Chocolatey Central Management Deployments is the feature our customers are most excited about. Adding the ability to recur and duplicate existing deployments was a warmly received addition.
Over the past 12 months, we have produced 13 distinct videos on our YouTube channel as part of our monthly Product Spotlight and Coffee Break livestreams. These videos cover a range of topics, including discussions of recent releases and upcoming changes, as well as interviews with members of the Chocolatey Team and Community Moderators.
The Chocolatey Community Test Environment was upgraded from Windows Server 2012 R2 to Windows Server 2019. An easy task, on the surface. But with thousands of packages being verified each month, it is a task that must be approached with planning, purpose and tests. Lots and lots of tests.
We started work to uplift our Chocolatey products to .NET 4.8 and began to add support for NuGet v3 feeds. Several alpha and beta versions have been released to date.

The Future

Our focus for the next year is improvements to the Chocolatey Community Repository and moderation services, and the upcoming release of Chocolatey CLI v2.0.0 with support for NuGet v3 feeds and the .NET 4.8 framework.

Our customers, and community, drive us and our products. We are grateful to our community and our customers and we do not take for granted the support we receive, every single day.

Thank you for being part of our journey to 12!

Chocolatey CLI v2.0.0 Alpha Release

Paul Broadwith — Tue, 24 Jan 2023 00:00:00 GMT

import Callout from '@choco-astro/components/Callout.astro';

Today is the release of the first alpha version of Chocolatey CLI v2.0.0 that we have been working on for the last few months. This release sees an update to .NET 4.8 and adds support for NuGet v3 feeds, a popular feature requested by our Customers and Community.

With any alpha release comes the accompanying warnings.

<Callout type="warning"> This is a pre-release version of Chocolatey CLI and it is NOT suitable for production use! A pre-release version will have bugs that could have a detrimental impact to your environment. Ensure all necessary due diligence steps are taken before using in your environment. </Callout>

<Callout type="warning"> This pre-release version of Chocolatey CLI does NOT work with the Chocolatey Licensed and will prevent the loading of the Chocolatey Licensed Extension if it is installed. </Callout>

In short, alpha releases mean alpha issues. While we actively encourage you to test this and provide feedback to make the product better, we want you to do that in a safe and isolated environment, away from production.

If you are a Chocolatey For Business customer with Chocolatey Licensed Extension installed, Chocolatey CLI will run as open-source as loading of the Chocolatey Licensed Extension has been disabled for this alpha release.

For a list of other currently known issues, please see this GitHub discussion.

If you run into any problems when using this alpha version of Chocolatey CLI, you can help us by adding a comment on this discussion. Adding issues in one place allows us to easily collate, triage and fix them. Please ensure you add any alpha related issues only to that discussion as we will not be accepting any GitHub issues for this release.

If you simply have questions about this new alpha release, please reach out on our Community Chat.

Updating Package Moderation Services to Windows Server 2019

Josh King — Fri, 20 Jan 2023 00:00:00 GMT

When you submit a package to the Chocolatey Community Repository, it enters a moderation queue where it passes through a number of automated services to validate, verify, and scan it, before passing to a human for final approval.

Two of those services, appropriately named Package Verifier and Package Scanner, go as far as to actually install your package in a sandbox to verify that the package behaves as you'd expect it to.

For many years now these services have used a sandbox running Windows Server 2012 R2. This assisted in ensuring compatibility with many of the Operating Systems that Chocolatey itself supports. If a package could be successfully installed on Windows Server 2012 R2, then users of the Chocolatey Community Repository could have high confidence that it will install for them too, regardless of the version of Windows they're using.

Time marches on however, and while Chocolatey still supports older Operating Systems, other software and large portions of the internet increasingly don't. This means that the sandbox was missing several features that software and packages expect from the Operating System that they're being installed on. Given this we've recently been working on a new sandbox running Windows Server 2019 to better meet the expected installation environment required by the majority of packages.

I'm pleased to say that this work is complete and both Package Verifier and Scanner have been using this new sandbox for several months. As with all things in IT Operations, no one noticed this change and so that means we did a good job!

What does this change?

A number of packages take dependencies that require a reboot on installation. The prime culprit for these dependency related reboots are the various versions of .NET Framework. The new Package Moderation Services sandbox has .NET Framework 4.8 pre-installed and so a reboot is no longer required, and packages can be verified successfully now.

Some websites have dropped support for older "cipher suites" which made it difficult for the moderation services running on Windows Server 2012 R2 to download installers from these websites. The new sandbox, running a new Operating System, has these newer cipher suites built-in allowing it to download installers, and other files, from those websites.

Numerous packages required certain Operating System updates to be installed and would take these updates as dependencies, as they should. The problem is that Windows updates require a reboot, and this would break the verification process. The new sandbox includes all current patches, so a reboot will no longer be needed.

What does this mean for package maintainers?

Package maintainers don't need to do anything at this point.

In the coming weeks we'll begin to remove some of the existing exemptions that packages have had due to issues related to the previous sandbox version. We'll be keeping a close eye on these packages as new versions are submitted, to ensure that they make their way through the automatic moderation process as we expect them to. We'll work with you to re-assess the need for exemptions if they continue to fail when tested again.

If you do note any odd behavior with your packages, I would encourage you to please reach out on the #community-maintainers channel of our Community Chat.

What about the Chocolatey Testing Environment?

Given that the new sandbox has been in use by the Package Verifier and Package Scanner services without issue for some time now, we've publicly released the image for use in the official Chocolatey Testing Environment!

Starting today, you can pull the new Windows Server 2019 Vagrant box, versioned 3.0.0, from Chocolatey's Vagrant Cloud!

For details about setting up, or upgrading, the Chocolatey Testing Environment do check out the project's README.

Wrap up

This update has been a long time coming, and I'm personally very pleased to see it take shape.

I wanted to thank all of our Community members that have asked, and patiently waited, for this change. A special thanks to those maintainers and moderators that have had to dig into verification failures and decide when an exemption has been required.

If you want to discuss any of these changes further, please join us on our Community Chat.

Two Billion Installs?

Paul Broadwith — Fri, 09 Sep 2022 00:00:00 GMT

It was just over 2 years ago when we announced 1 Billion package installations from the Chocolatey Community Repository. It took us 9 years to get to that number. But here we are now at 2 Billion package installations in a less than a quarter of that time.

The 1 Billion package installations happened on 17 May 2020. At that time we had just under 8,000 unique packages and just over 92,000 total packages. Today we have grown those numbers to just over 9,500 unique packages and a staggering 165,000 total packages! Chocolatey hosts the largest community repository of Windows packages of any software or package manager on Windows today available for use to both our community and customers.

This is all thanks to the hard work by our awesome community of volunteer Community Moderators, individual package maintainers and the Chocolatey Community Chocolatey Packages maintainers. Thank you to each one of you.

Announcing Chocolatey Central Management 0.10.0

Paul Broadwith — Tue, 30 Aug 2022 00:00:00 GMT

We are very happy to announce the release of version 0.10.0 of Chocolatey Central Management! This is a large release of features and bug fixes and represents a significant leap forward towards version 1.0.

Discussed below are the main changes included in this release, but we also have a full set of release notes available providing more detail.

Deployments

The Basic Deployment provides the ability to run specific Chocolatey CLI commands for a package. As a direct result of customer requests, we have added the ability to add a version or pre-release option to the Deployment Step.

You can now duplicate an existing Deployment using the Action button and specify the period Deployment will repeat when you create it.

Finally for Deployments, Chocolatey Central Management will email the user who scheduled a Deployment, if it fails to start.

Security

To enhance security for users logging into Chocolatey Central Management, we have added the option for email to be used as a second factor of authentication. When this is enabled by the Administrator, a user logging in will be sent an email, to their registered email address, with the code needed to log in.

Licensing

To ensure the continuation of your license without interruption, we have added a reminder when your Chocolatey For Business license is due to expire within 90 days. If you are on a trial of Chocolatey For Business, this reminder period is 7 days. You can dismiss the reminder for 48 hours, but it will continue to remind you until the license has been renewed.

Computer Retention Policy

We've added an option to delete stale Computers that have not checked into Chocolatey Central Management for a period of time. The time period is 365 days by default, but is configurable.

User Interface

As is traditional, we've saved the best to last! You can now toggle light and dark mode for the Chocolatey Central Management user interface.

Release notes

For more information on the features, improvements and bug fixes that were included in this release, please see the release notes.

Learn more

Check out the documentation.
Learn about other features available in Chocolatey for Business.
Contact us to find out more and set up your evaluation of Chocolatey for Business today.

Upcoming Changes to Package Validator

Paul Broadwith — Fri, 26 Aug 2022 00:00:00 GMT

The primary service responsible for ensuring that a submitted package is valid, is called, unsurprisingly, Package Validator. It has been the backbone of the package moderation services since 2015 and the first service a package goes through on its approval journey to the Chocolatey Community Repository. As Chocolatey products evolve, the Package Moderation Services evolve and the rules and guidelines evolve with them. We have made some changes to the Package Validator rules to shift some guidelines to requirements and bring in some new requirements from 1 September 2022.

Before I go into the rules themselves, let's be clear:

The rules only affect packages submitted to the Chocolatey Community Repository.
The rules only affect new package versions submitted and do not affect existing package versions submitted.

In short, if you submit a package version to the Chocolatey Community Repository on, or after, 1 September 2022, these rules will be applied.

There are four types of Package Validator rules that are used:

Requirements: these are mandatory.
Guidelines: these are strong recommendations.
Suggestions: these are suggestions to help improve the quality of the package.
Notes: these are checks that cannot be automated and are for a human moderator to work through.

Each of these rules are used in different ways. For example, packages that do not meet rule requirements will fail and maintainers will be notified. All other rule types will allow the package to proceed to the next stage of the Package Moderation Services, but a human moderator may ask the maintainer to make changes to a package after their validation checks of the package.

The new rules that have been added to Package Validator are requirements, and are shown below:

Minimum description field length in package metadata. A package description must be a minimum of 30 characters (excluding leading and trailing whitespace) in the package .nuspec file. This was previously only a guideline that has now become a requirement.
Package metadata should not contain email addresses. There is currently a requirement rule to not include email addresses in the authors or owners field in the package .nuspec file. This has been enhanced to check all the fields in the package .nuspec file.
Chocolatey 'private' variables can no longer be used. We have recommended for some time that some Chocolatey variables should not be used in packages, so any recent packages are unlikely to be affected by this rule. Those variables are:
- ChocolateyToolsLocation
- ChocolateyBinRoot
- chocolatey_bin_root
- ChocolateyPackageFolder
- PackageFolder
- ChocolateyChecksum32
- ChocolateyChecksum64
- ChocolateyChecksumType32
- ChocolateyChecksumType64
- DownloadCacheAvailable
Download helper cmdlets require a checksum. When using the Chocolatey helper cmdlets that download a file, the Checksum or Checksum64 parameter must be used to validate the download. Those helper cmdlets are:
- Install-ChocolateyPackage
- Install-ChocolateyZipPackage
- Install-ChocolateyPowershellCommand
- Install-ChocolateyVsixPackage (only supports the Checksum parameter)
- Get-ChocolateyWebFile
Use of Ftp and Web download helper cmdlets must use Get-ChecksumValid to validate checksum. The Get-FtpFile and Get-WebFile cmdlets do not have a Checksum or Checksum64 parameter, but the files downloaded by these cmdlets must still have their checksum validated separately using Get-ChecksumValid in the package scripts.
Prevent use of non-Chocolatey download cmdlets. Package maintainers cannot use non-Chocolatey helper cmdlets in packages to download files. These include:
- iwr
- Invoke-WebRequest
- Start-BitsTransfer
- curl
- wget
- Invoke-RestMethod
- irm
- Any cmdlet or function containing the name DownloadFile
- Any cmdlet or function containing the name GetResponse

The new rules will take effect from 1 September 2022. These new requirements are a formal, automated, implementation of what our team of Community Moderators have been implementing, manually, for some time now, and we anticipate the impact to packages, and package maintainers, to be minimal. However, if there is an impact to a package, the package maintainer can request a temporary exemption to give them time to make changes that will comply with the new rules.

If you have any questions or concerns about these changes, then please reach out on the #community-maintainers channel of our Community Chat.

Scott Sader Joins Chocolatey as Chief Information Security Officer

Chocolatey Team — Mon, 25 Jul 2022 00:00:00 GMT

We are excited to announce that Scott Sader has joined the Chocolatey Team as Chief Information Security Officer (CISO)!

Scott has been an "IT guy" since he got his first computer, a 33 MHz 486, which was blazingly fast for its time. Its 2400 baud modem was more than capable of connecting him to the local BBS (bulletin board system), and his love of technology exploded from there. He would build his next computer himself as a teenager, bankrolled by funds from his first IT job at an ISP (internet service provider).

Nearly 25 years later, Scott joins Chocolatey Software as Chief Information Security Officer, having held nothing but IT jobs throughout his professional career. He has worked in virtually all areas of IT, from networking, systems, support, software development, and most recently, security for the past 14 years. He holds a B.A. in Computer Information Systems, an M.B.A. in management and finance, and numerous certifications, including CISSP (Certified Information Systems Security Professional).

Scott is passionate about automation, once teaching formal classes on VBScript before cutting his teeth on PowerShell 1.0. He has written countless applications using PowerShell, primarily in its early days, many of which are still in use today. He is excited to join an automation company, Chocolatey Software, and hopes that they may one day let him write some code … or at least look at it!

In his free time, Scott likes to hang out with his two sons, partake in anything technology-related, ride his motorcycle, and watch a wide variety of sports. He will be based remotely in Lawrence, Kansas, USA, making occasional visits to the office in Topeka.

Announcing Chocolatey Central Management 0.9.0

Chocolatey Team — Fri, 17 Jun 2022 00:00:00 GMT

We are very happy to announce the release of version 0.9.0 of Chocolatey Central Management! This release contains a major overhaul of the underlying framework technologies that Chocolatey Central Management is built on, and a few selected features and bug fixes.

Discussed below are the main changes included in this release, but we also have a full set of release notes available providing more detail.

Removal of support for SQL Server 2008 / 2008 R2

Since the initial release of Chocolatey Central Management it has been possible to use SQL Server 2008 / 2008 R2 to host the database that is required. Starting with this release SQL Server 2008 / 2008 R2 are no longer supported for the Chocolatey Central Management database and we recently published a blog post on this change.

Updated target .NET Framework

All components of Chocolatey Central Management (database, service, and web) have been updated to .NET 6 which is supported by Microsoft until December 2024. .NET Core 3.1, used in previous versions, is only supported to December 2022.

Chocolatey Central Management packages require a licensed computer for installation

Following on from our previous blog post, all of the Chocolatey Central Management packages now make use of the Chocolatey CLI licensed cmdlets. As a result, the computer that you install the Chocolatey Central Management packages onto, must be properly licensed.

Computer "friendly names"

Chocolatey Central Management would only show the hostname of a computer that it is managing. We have added a requested feature to allow the use of a "friendly name" instead. See this GitHub issue for more information.

Release notes

For more information on the features, improvements and bug fixes that were included in this release, please see the release notes.

Learn more

Check out the documentation.
Learn about other features available in Chocolatey for Business.
Contact us to find out more and setup your evaluation of Chocolatey for Business today.

Announcing SQL Server Requirement Changes in Chocolatey Central Management

Paul Broadwith — Thu, 02 Jun 2022 00:00:00 GMT

import Callout from '@choco-astro/components/Callout.astro';

Since the first stable release of Chocolatey Central Management all the way back in 2019, SQL Server 2008 has been required as a minimum if you were using your own database server. With the next release of Chocolatey Central Management that requirement changes to SQL Server 2012.

SQL Server 2008 was first released back in July 2012 with Mainstream support ending in July 2014 and Extended support in July 2019. Since that time Microsoft have made Security Updates available for Extended Support customers. That cycle comes to an end in July of this year if you are not using Azure. In short, SQL Server 2008 has served us all well, but it's time we moved on.

With the next release of Chocolatey Central Management, 0.9.0, slated for later this month, SQL Server 2012 or later will be required. If you use SQL Server 2008 / 2008 R2 as your database server for Chocolatey Central Management then you have three options to allow you to use the new version:

Upgrade your database server to at least SQL Server 2012, but preferably a later version of SQL Server that will give you a longer lifecycle.
Migrate your Chocolatey Central Management database to a new database server that is at least SQL Server 2012.
Do not upgrade to any version of Chocolatey Central Management later than 0.8.0.

<Callout type="warning"> While only one Chocolatey Central Management package applies database changes, installing or upgrading any of the packages to a version later than 0.8.0 while you are using SQL Server 2008 / 2008 R2 for the database, will cause Chocolatey Central Management to stop working. </Callout>

To help protect our customers, we have added checks to the Chocolatey Central Management packages that will try to detect the version of SQL Server being used and stop the installation if it does not meet the minimum requirements. Due to the complex format of version information returned by SQL Server, these checks do their best to protect you, but they may get it wrong. You must ensure that you are using SQL Server 2012, as a minimum, for the Chocolatey Central Management database. If you know you meet the minimum requirements of SQL Server 2012 and the package fails to detect this, you can skip the checks by adding --params="'/OverrideSqlServerCompatibilityCheck'" to the Chocolatey CLI command line when upgrading or installing.

I hope this gives our customers enough information to plan for the upcoming release of Chocolatey Central Management 0.9.0. If you do have any further questions, you can find your support options by running choco support from the command line.

Boxing The Third Major Release Of Boxstarter!

Manfred Wallner — Wed, 27 Apr 2022 00:00:00 GMT

import Callout from '@choco-astro/components/Callout.astro';

Boxstarter version 3.0 marks the beginning of a new era of Boxstarter and Chocolatey.

Until version 3.0, Boxstarter has been using an old version of chocolatey.dll that could not be updated and caused a series of bugs which are long gone in current Chocolatey CLI releases. Version 3.0 aims to deliver the features you love about Boxstarter, backed by a new mechanism, at it's core, to allow usage of arbitrary versions of 'native' Chocolatey CLI allowing the old version of chocolatey.dll to be gone!

What Is Boxstarter?

Boxstarter was created by Matt Wrock in 2012 and transitioned to Chocolatey Software, Inc. in 2018.

Think of it as a set of PowerShell modules and utilities that wrap around Chocolatey CLI to enable you to solve problems you'd otherwise tackle with products such as Chef, Puppet, Ansible etc.

<Callout type="info"> Boxstarter enables repeatable, reboot resilient Windows environment installations made easy using Chocolatey packages. When it's time to repave either bare metal or virtualized instances, locally or on a remote machine, Boxstarter can automate both trivial and highly complex installations. Compatible with all Windows versions from Windows 7/2008 R2 forward. </Callout>

The Problem with Boxstarter v2

All Boxstarter releases prior to version 3.0 used a mechanism to 'monkey patch' the internal PowerShell session Chocolatey CLI uses to run it's install/uninstall scripts in.

Due to the nature of this mechanism, certain extensions (such as the Chocolatey Licensed Extension) could not be loaded and the user would be faced with warnings or error messages at runtime:

Error when registering components for 'chocolatey.licensed.infrastructure...

This trick of injecting Boxstarter magic into Chocolatey CLI stopped working with version 0.9.9 which forced Boxstarter to stick with version 0.9.8.

As a consequence, Boxstarter used chocolatey.dll version 0.9.8 for all Chocolatey CLI commands that ran through Boxstarter, ignoring what the latest available (or already installed) version was.

What Changed in Boxstarter v3.0

The core logic that calls choco <command> from its helper functions changed from the 'monkey patch' variant to an all-new extension-based approach.

In the new release, Boxstarter will actively look for choco.exe in $env:ChocolateyInstall and utilize that instead of the bundled chocolatey.dll. Because of this change, each call to Chocolatey CLI will run in its own PowerShell session, fixing a couple of nasty bugs that were caused by the re-use of the initial session the Boxstarter.Chocolatey module was imported to. Boxstarter now comes with the package version of Chocolatey CLI and will install this version if it is not already installed on the target computer.

Besides the changes in Boxstarter itself, a lot of organizational changes happened in the background.

The CI/CD process was improved and releases should be quicker and easier to follow.

Best Features Of Boxstarter

Reboot Resiliency

This is probably the most widely known feature of Boxstarter.

<Callout type="info"> Open BoxstarterShell, use Install-BoxstarterPackage and pass -Credentials. If the system requires a reboot during/after installation, it will automagically reboot and continue where it left off. </Callout>

There may even be multiple reboots in a deeply nested dependency chain or explicitly when done via a Boxstarter script.

Install-BoxstarterPackage <PACKAGENAME> -Credential (Get-Credential)

Remote Installations

Take your automation skills to the next level and install packages remotely!

Install-BoxstarterPackage takes a ComputerName parameter. You can also pass credentials for multiple hosts! Needless to say it's easiest if the user of the current PowerShell session has WinRM permissions on the remote host.

$myHosts = @('devtest-1', 'devtest-42')
$packages = @('firefox', 'vscode')

$myHosts | ForEach-Object {
  Write-Host "please provide credentials for '$_'"
  @{
    ComputerName = $_
    Credential   = Get-Credential
  }
} | ForEach-Object {
  Install-BoxstarterPackage -PackageName $packages -ComputerName $_.ComputerName -Credential $_.Credential
}

Creating Advanced Boxstarter Scripts

Every package you want to install requires to be packaged and may have dependencies, install and uninstall scripts, etc. That's great, but with Boxstarter, everything can be a package (ok, to be fair, everything can be a chocolateyInstall.ps1)!

The primary use case is to create a simple PowerShell script that utilizes both Chocolatey CLI and Boxstarter commands. (i.e. from the Boxstarter WinConfig module.)

Now point Install-BoxstarterPackage towards that file (it even can be a URL/gist raw link :wink:). And to gain reboot-resiliency superpowers, add the -Credential parameter.

<#
call this script via BoxstarterShell:
$cred=Get-Credential domain\username
Install-BoxstarterPackage -PackageName <path-to-script>.ps1 -Credential $cred
#>

# NuGet package provider. Do this early as reboots are required
if (-not (Get-PackageProvider -Name NuGet -ErrorAction SilentlyContinue)) {
    Write-Host "Install-PackageProvider"
    Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force -Scope AllUsers -Confirm:$False

    # Exit equivalent
    Invoke-Reboot
}

# Windows features
choco install TelnetClient -source windowsfeatures
choco install Microsoft-Windows-Subsystem-Linux -source windowsfeatures

# Remove unwanted Store apps
Get-AppxPackage Facebook.Facebook | Remove-AppxPackage -ErrorAction SilentlyContinue
Get-AppxPackage Microsoft.MinecraftUWP | Remove-AppxPackage -ErrorAction SilentlyContinue
Get-AppxPackage Microsoft.MicrosoftSolitaireCollection | Remove-AppxPackage -ErrorAction SilentlyContinue
Get-AppxPackage -AllUser -Name Microsoft.Office.Word | Remove-AppxPackage -ErrorAction SilentlyContinue
Get-AppxPackage -AllUser -Name Microsoft.Office.PowerPoint | Remove-AppxPackage -ErrorAction SilentlyContinue
Get-AppxPackage -AllUser -Name Microsoft.Office.Excel | Remove-AppxPackage -ErrorAction SilentlyContinue
Get-AppxPackage -AllUser -Name Microsoft.MicrosoftOfficeHub | Remove-AppxPackage -ErrorAction SilentlyContinue
Get-AppxPackage -AllUser -Name DellInc.PartnerPromo | Remove-AppxPackage -ErrorAction SilentlyContinue
Get-AppxPackage -AllUser -Name Microsoft.Office.OneNote | Remove-AppxPackage -ErrorAction SilentlyContinue
Get-AppxPackage -AllUser -Name Microsoft.MicrosoftSolitaireCollection | Remove-AppxPackage -ErrorAction SilentlyContinue
Get-AppxPackage -AllUser -Name Microsoft.SkypeApp | Remove-AppxPackage -ErrorAction SilentlyContinue
Get-AppxPackage -AllUser -Name Microsoft.YourPhone | Remove-AppxPackage -ErrorAction SilentlyContinue
Get-AppxPackage -AllUser -Name *XBox* | Remove-AppxPackage -ErrorAction SilentlyContinue

# additional software everyone needs
choco install firefox
choco install 7zip
choco install git
choco install vscode

# because we use PowerShell a lot!
Update-Help -ErrorAction SilentlyContinue

# some winconfig
Update-ExecutionPolicy RemoteSigned
Set-WindowsExplorerOptions -EnableShowFileExtensions -EnableExpandToOpenFolder

# install all available win updates
Install-WindowsUpdate -AcceptEula -GetUpdatesFromMS

# ensure UAC is enabled (security!)
Enable-UAC

1-Click Installer

In addition to creating advanced Boxstarter scripts, it's possible to create clickable URLs that enable you to get going with a given installation script without the need to download and install Chocolatey CLI or Boxstarter itself first.

See Microsoft's Windows Dev Box Setup examples.

You can easily create your own 1-Click Bootstrapper links like this http://boxstarter.org/package/url?<link to boxstarter ps1 script>

What's Next?

There are a couple of things on the agenda of the Boxstarter Team (big thanks to Paul and David for their ongoing support!), yet it is hard to put a timeframe on any of it.

In the long run we're going to clean up a bunch of code, put some work into PowerShell 7 and move away from Windows PowerShell 2 support in line with Chocolatey CLI. And the Boxstarter website needs to be updated to add the new features.

A 'Linux compatible' version of Boxstarter that can be used in CI/CD environments is something I am very keen on implementing (as soon as above tasks have been dealt with :smile:).

I'm happy to be part of the team that worked on getting Boxstarter back to be aligned with Chocolatey again and very much looking forward to the use-cases that will evolve from here.

Want To Give It a Try?

Install Boxstarter with Chocolatey!

choco install boxstarter

If you want to take the new version 3.0.0 beta for a spin, run:

choco install boxstarter --version 3.0.0-beta-20220427-21 --prerelease

After install, you should find a shortcut to launch "BoxstarterShell" on the Windows desktop and in the Start Menu.

BoxstarterShell is basically a shortcut to open a new PowerShell session and load the required Boxstarter modules that are available after install. See the Boxstarter documentation for more information and help.

Chocolatey CLI Not Affected By 7-Zip CVE-2022-29072

Paul Broadwith — Tue, 19 Apr 2022 00:00:00 GMT

import Callout from '@choco-astro/components/Callout.astro';

In light of the recent CVE raised against 7-Zip, we wanted to provide reassurance to our customers and community. The CVE confirms that it covers all versions up to and including 21.07, the version that is used in Chocolatey CLI. As the 7-Zip components that are bundled with Chocolatey CLI are not those stated in the CVE, Chocolatey CLI is not affected.

CVE-2022-29072 Details

The CVE states:

<Callout type="info"> 7-Zip through 21.07 on Windows allows privilege escalation and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow. The command runs in a child process under the 7zFM.exe process, </Callout>

The CVE author created a GitHub repository that shows the use of the 7-Zip help file, 7-zip.chm, and a .7z archive file to gain escalated privileges on the system. To exploit a system, the user must open the 7-Zip help and drop a .7z archive file onto the open help file. This is not something that a user would do in the normal process of working with 7-Zip.

Is Chocolatey CLI Vulnerable?

If you browse the tools folder in the Chocolatey installation directory (by default this is C:\ProgramData\chocolatey) you will see that Chocolatey CLI does not ship with the 7-Zip help file, 7-zip.chm or the 7zFM.exe file that are required by the CVE. Chocolatey CLI is therefore not affected by this CVE.

`7zip` Chocolatey Package

The latest version of the 7zip Chocolatey package is 21.7 which is vulnerable according to the CVE. Once 7-Zip have released a new version, the 7zip package will be automatically updated and pushed to the Chocolatey Community Repository by the package maintainer.

Note that the 7zip Chocolatey package removes the leading zero from the version number therefore 7-Zip version 21.07 is the 7zip Chocolatey package version 21.7.

Recommendations

The CVE author suggests that the 7-Zip help file, 7-zip.chm, is removed from the file system. By default, 7-Zip installs to C:\Program Files\7-Zip. This will stop the help file from being displayed which means that you cannot drag and drop a .7z archive file onto it.

If further information, or recommendations become available we will update this post.

Summary

We hope this post reassures our customers and community that Chocolatey CLI is not vulnerable to the recent CVE for 7-Zip and why it is not vulnerable.

For Security related issues, please see our documentation for responsible disclosure. If you are a licensed Customer with valid Maintenance and Support, then please do reach out to Support (run choco support to find out your options) or use our Community Discord Chat if you have further questions.

Recommendations on Installing & Upgrading Chocolatey Licensed Clients

Paul Broadwith — Fri, 15 Apr 2022 00:00:00 GMT

import Callout from '@choco-astro/components/Callout.astro';

Our goal in the recent releases of Chocolatey CLI and Chocolatey Licensed Extension has been to make it easier for customers upgrading the Chocolatey licensed clients. Here we look to review some of the changes we have made and the recommendations for a compatible and supported configuration.

The Chocolatey licensed clients we will be focusing on are:

Chocolatey CLI
Chocolatey Licensed Extension
Chocolatey GUI
Chocolatey GUI Licensed Extension
Chocolatey Agent

Chocolatey CLI uses package dependencies that ensure specific packages and versions are installed prior to installing the package you requested. For Chocolatey products we can ensure that all the required package versions are installed. For example, if you were to install chocolateygui.extension then it would make sure that the following tree of packages, with these package versions as a minimum, are installed:

Package Name / Dependency	`chocolatey`	`chocolatey.extension`	`chocolateygui`
`chocolatey` v1.1.0
`chocolatey.extension` v4.1.0	v1.0.0
`chocolatey-agent` v1.0.0		v4.0.0
`chocolateygui` v1.0.0	v1.0.0
`chocolateygui.extension` v1.0.0		v4.0.0	v1.0.0

<Callout type="info"> Newer package versions may be available at the time of installation, and Chocolatey will pick the highest available that matches the defined dependency range. </Callout>

While Chocolatey CLI can ensure that direct package dependencies are satisfied, it cannot ensure that indirect package dependencies are satisfied. For example, if you currently have chocolateygui version 0.18.1 installed along with chocolateygui.extension version 0.2.1, and you first upgrade to chocolateygui version 0.19.0, you will see errors if you attempt to run Chocolatey GUI as the chocolateygui.extension package also needs to be updated.

Recommended Install / Upgrade Order

Based on direct package dependencies, the recommended order to install or upgrade is:

chocolateygui.extension
chocolateygui
chocolatey-agent
chocolatey.extension
chocolatey

This will ensure that all dependencies, both direct and indirect, are installed.

Telling You When Incompatible Versions Detected

With the release of Chocolatey CLI version 1.1.0 and Chocolatey Licensed Extension version 4.1.0, we tell you when you may be getting into an incompatible and unsupported configuration.

If you have a Chocolatey Perpetual License you have access to use the versions of Chocolatey licensed products while your Maintenance and Support agreement is active. This may mean that you do not have the latest version of the Chocolatey Licensed Extension. While we recommend that you always use compatible versions of Chocolatey licensed products, as we highlighted above, as a Perpetual License customer this may not be possible.

Where you have a version of Chocolatey Licensed Extension installed that may not be compatible with the version of Chocolatey CLI you are upgrading to, we have added a warning:

<Callout type="warning"> You are installing a version of Chocolatey that may not be compatible with the currently installed version of the chocolatey.extension package. Running Chocolatey with the current version of the chocolatey.extension package is an unsupported configuration. See https://ch0.co/compatibility for more information.

If you are also modifying the chocolatey.extension package, you can ignore this warning.

</Callout>

While in this incompatible and unsupported configuration we have added a warning before and after any Chocolatey CLI command is run to ensure that it's clear that you may be in an incompatible and unsupported configuration:

<Callout type="warning"> You are running a version of Chocolatey that may not be compatible with the currently installed version of the chocolatey.extension package. Running Chocolatey with the current version of the chocolatey.extension package is an unsupported configuration.

See https://ch0.co/compatibility for more information.

If you are in the process of modifying the chocolatey.extension package, you can ignore this warning.

Additionally, you can ignore these warnings by either setting the DisableCompatibilityChecks feature:

`choco feature enable --name="'disableCompatibilityChecks'"`

Or by passing the `--skip-compatibility-checks` option when executing a command.

</Callout>

If you know what you are doing, you can disable these warnings by adding the --skip-compatibility-checks to any Chocolatey CLI command or by enabling the feature disableCompatibilityChecks using choco feature enable --name="'disableCompatibilityChecks'".

For Perpetual License Customers, the options to ensure you are in a compatible and supported configuration are:

Renew the Maintenance and Support, upgrade the Chocolatey Licensed Extension to the latest version and then upgrade Chocolatey CLI. Reach out to the Sales Team for more information.
Stay with the Chocolatey Licensed Extension and Chocolatey CLI versions you use and that you know are compatible. We would recommend you pin to those versions so that you do not accidentally upgrade them in future.

Recommended Way To Upgrade All Packages

When upgrading all packages using the choco upgrade all command either directly, through a scheduled task or using a package such as choco-upgrade-all-at-startup there are some considerations that need to be made. The order in which packages are upgraded in can potentially cause you to get into an incompatible and unsupported configuration. To avoid this situation, upgrade the Chocolatey licensed clients in the recommended order above, before running any choco upgrade all.

To help with this we have added a new feature excludeChocolateyPackagesDuringUpgradeAll:

<Callout type="info"> :choco-info: NOTE

`excludeChocolateyPackagesDuringUpgradeAll` - Exclude Chocolatey Packages During Upgrade All - When enabled, all official Chocolatey packages will be added to the comma-separated list of package names that should not be upgraded when upgrading 'all'. Any packages specified in the 'upgradeAllExceptions' configuration setting will still be respected. Licensed editions only (version 4.1.0+).

</Callout>

When this feature is enabled it will prevent all installed Chocolatey official packages (which includes those we talk about here) from being upgraded as part of a choco upgrade all command. This feature is disabled by default, but we recommend you enable it using choco feature enable --name="'disableCompatibilityChecks'" and then upgrade the Chocolatey official packages in the order we recommended above. This feature may be enabled by default in a future release.

Release Notes

For more information on the releases, please see the Chocolatey CLI release notes and Chocolatey Licensed Extension release notes.

Learn More

Check out the documentation.
Learn about other features available in Chocolatey for Business.
Contact us to find out more and set up your evaluation of Chocolatey for Business today.

Chocolatey Products Not Affected By Spring4Shell Vulnerability

Chocolatey Team — Fri, 01 Apr 2022 00:00:00 GMT

On Thursday 31 March 2022 VMWare published CVE-2022-22965 describing a vulnerability in Spring. Since that time we have had a number of customers contacting our Support Team to ask if Chocolatey products are vulnerable.

VMWare provide Spring, a very popular Java based library for more quickly developing Java-based applications. The CVE VMWare published identified an issue in the Spring MVC and Spring WebFlux features of versions 5.3.0 to 5.3.17 and 5.2.0 to 5.2.19, while older, unsupported versions of Spring are also affected.

Are Chocolatey Products Affected?

Chocolatey products do not run on, or use, Java and do not use the Spring library. The Chocolatey For Business products below are therefore NOT vulnerable:

Chocolatey CLI
Chocolatey Licensed Extension
Chocolatey Agent
Chocolatey GUI
Chocolatey GUI Licensed Extension
Chocolatey Central Management

While we call out the above Chocolatey For Business products specifically, no Chocolatey products, business or open-source, use the Spring library and are therefore NOT vulnerable.

Chocolatey For Business Quick Deployment Environment (QDE)

Our Quick Deployment Environment enables customers to get up and running with Chocolatey For Business in as little as 20 minutes. We provide this in Azure and also as a Quick Start Guide. In the past we have also provided this as a virtual machine image that you can import into your hypervisor of choice.

Whatever flavour of QDE you have, it has three components which we have confirmed are NOT vulnerable.

Sonatype Nexus Repository OSS

Sonatype have confirmed that Nexus uses the logback logging library and not Spring and is therefore not vulnerable. Sonatype provides more information on it's website.

Jenkins

The Jenkins team have confirmed that Jenkins Core does not use the Spring library and they provide more information on their website.

Chocolatey Central Management

As confirmed above, Chocolatey Central Management does not run on, or use, Java and is therefore NOT vulnerable.

Other Products

The most common repository managers used with Chocolatey are Sonatype Nexus and JFrog Artifactory and we recommend both of those products to customers. While we have confirmed that Sonatype Nexus is not vulnerable above, we wanted to confirm JFrog Artifactory is also NOT vulnerable.

We hope this post answers your question as to whether Chocolatey products are vulnerable. However, if you are a Chocolatey For Business customer and have more questions, please reach out to our Support Team as normal. You can find out your options on how to do so by running choco support from the command line.

Guest Appearance on RunAsRadio

Gary Ewan Park — Thu, 31 Mar 2022 00:00:00 GMT

On the 17th February 2022, I joined Richard Campbell over a Microsoft Teams call to record an episode of RunAsRadio.

Why yes, that is me as an 8-bit pixelated picture!

I have been a long time listener of both RunAsRadio and .NET Rocks, so I was thrilled to be able to be a guest on the show!

We chatted about a range of topics, including:

It was Chocolatey's 11th Birthday recently
We finally shipped v1.0.0 of Chocolatey CLI
How you can use Chocolatey both personally, as well as in an Organisational context
We touched briefly on how you can integrate Chocolatey with systems like Microsoft Intune
And lots of other things that I am now struggling to remember :smile:

I had a great time being interviewed by Richard, and I am interested to hear what you thought of the episode. If you have any questions, then please don't hesitate to reach out to me, and I will do my best to respond as quickly as possible.

Response To Chocolatey Being Used In French Phishing Campaign

Paul Broadwith — Thu, 24 Mar 2022 00:00:00 GMT

import Callout from '@choco-astro/components/Callout.astro';

A recent phishing campaign against targets in France used Chocolatey to install software on the target computers. There has been clickbait headlines, speculation and incorrect suggestions to the use of Chocolatey in this attack that I wanted to provide a response for reassurance of our customers and community.

What Happened?

On March 21, 2022, Proofpoint "observed new, targeted activity impacting French entities in the construction and government sectors" that "used macro-enabled Microsoft Word documents to distribute the Chocolatey installer package". You can find the full article on the Proofpoint website.

The key points in the article that involve Chocolatey are:

Chocolatey is installed.
Chocolatey is used to install the python package which also installs pip.

How Did The Attack Work

The steps are outlined in the Proofpoint article.

Serpent Infection Chain (Proofpoint)

For the attack to be successful:

Macros must have been permitted to run on the targeted computer (in modern versions of Microsoft Office these are disabled by default).
The PowerShell script that is used to install Chocolatey must have been permitted to run with Administrator privileges.

Without both of those requirements, Chocolatey would not have been installed. And the python package, and pip, would not have been installed.

If you've installed Chocolatey before you'll know that you need Administrator privileges to do that. If you don't have those privileges, Chocolatey simply won't install. And in that case the attack would fail.

Providing Clarity

Some reports have provided inaccurate or misleading information and I wanted to address those here.

Evade Detection

The Proofpoint article says:

<Callout type="info"> "Chocolatey is also being used to evade detection by security software as it is commonly used in enterprise environments to manage software remotely and could be on an allowed list in IT environments." </Callout>

Chocolatey doesn't evade detection by any security software. In some environments, the IT Team have prevented all software by default from running and add the software that is allowed to run to a whitelist. What is being suggested here is that because Chocolatey is popular in enterprise environments, it may have been added to those whitelists.

While Proofpoint are not suggesting that Chocolatey is evading detection, I can understand how it might be read that way.

Abuse Of Chocolatey

In some reports it's been mentioned that installing Chocolatey, python and pip, is an abuse of Chocolatey. Both Python and PIP are also used as is PowerShell, but none of those have been described as being abused. Chocolatey is just being used to install software, which is what Chocolatey was designed to do. It's worth noting that the Proofpoint article points out that the use of Chocolatey is used legitimately to install Python and PIP and then the script runs something malicious.

Chocolatey itself is installed from the Chocolatey Community Repository at a rate of 35K installs per hour, so we spoke with Proofpoint to see if there was anything special about the requests that we could target to help prevent or slow down this attack. Unfortunately the script that is run is installing Chocolatey like everything else.

Questions From Our Customers and Community

Chocolatey takes security seriously. We appreciate that while we know and understand that this attack simply used Chocolatey in the way it is used hundreds of thousands of times per day, our customers and community may not. I wanted to address some questions that have been asked.

Was Chocolatey exploited for this attack?

No, Chocolatey was not exploited for this attack. Chocolatey was used to install a legitimate package, (python), from the Chocolatey Community Repository.

Was a package infected?

No. The python package has a total of 10.5M downloads with the latest stable version having almost 117k downloads since it was released on March 16. The package was scanned by 50 to 60 AV engines using Virus Total with no detections.

Was Chocolatey used to install backdoors?

No. Chocolatey was used to install a legitimate package, (python), from the Chocolatey Community Repository.

Recommendations

The recommendations I make below are not new, but it is always important to reinforce them whenever possible:

We would recommend that people pause when a UAC prompt is raised on a computer if they opened something (Microsoft Word) that would not normally require elevation.
Your regular login does not have Administrator privileges. If an Administrator privileged account is needed, use a secondary account that is only used for the administrative tasks.
Turn off macros in Microsoft Office. Newer versions already have it turned off by default.

Summary

It's understandable that our customers and community will be concerned when issues such as these surface. I hope this clears up the confusion and misinformation that has surfaced recently.

This One Goes To 11! Celebrating 11 Years Of Chocolatey.

Chocolatey Team — Mon, 21 Mar 2022 00:00:00 GMT

Eleven years ago today the start of Chocolatey was born. Way back then, Rob Reynolds, founder of Chocolatey Software, Inc. committed the first lines of code with the simple goal of offering a universal package manager for Windows. Eleven years later and we have a fantastic community and both a commercial and open-source toolset.

Community Repository Downloads

Over the years the downloads from the Chocolatey Community Repository have really accelerated! In 2015, we saw an increase of almost 50 million downloads. But that was surpassed in 2019 by an increase of over 180 million downloads!

To help us manage the load and help sustain the Community Repository for the community, we implemented Rate Limiting in September 2019. This reduced the downloads in subsequent years as organizations set up Chocolatey for their internal use.

Product Releases

Over the last 11 years we have released 238 product versions, not including pre-releases. That's just over 21 per year on average!

In the early years there was a flurry of activity while the core features of Chocolatey CLI and Chocolatey GUI were added. 2015 to 2016 saw the new Chocolatey Licensed Extension, following on with Chocolatey Agent in 2017. In 2020 Chocolatey Central Management was born and Boxstarter moved to the Chocolatey organization.

Since 2020 the number of stable versions released has increased. This year we are on track to surpass that again with 15 in the first quarter of 2022 alone.

Our History

Since the blog post celebrating 5 years of Chocolatey back in 2016, there have been many notable changes such as:

A new Chocolatey logo.
The first ever Chocolatey Fest!
Managing your Chocolatey packages with Microsoft Intune integration.
Chocolatey For Business Azure Environment was created to provide an easy way to get up and running with Chocolatey For Business, quickly.
One billion installs from the Chocolatey Community Repository.

There are many more events in our long history. To know where you are going, you need to know where you have come from, and we have created a timeline to remind us of that.

Milestone Releases

To celebrate 11 years of Chocolatey, we are today releasing major versions of a number of products:

The Future

This has been a long journey. We are extremely grateful to our community and our customers and humbled by the amazing support we receive every single day.

The Chocolatey Community Repository would not be where it is today without the early community pioneers. And it would not be going from strength to strength without our strong community of package maintainers and moderators.

And Chocolatey would not be where it is today without that dream of a universal package manager for Windows.

Thank you for the last 11 years. It's been fun. Here's to the next 11!

Announcing Script Builder - Bulk Install Chocolatey Packages!

Stephanie Hays — Tue, 08 Mar 2022 00:00:00 GMT

import Callout from '@choco-astro/components/Callout.astro';

Script Builder allows you to bulk install Chocolatey packages in just a few clicks. It provides clear, step-by-step instructions on how to get packages into your environment quickly and easily by generating scripts or code for your configuration management tool. Just add packages to Script Builder and choose your integration method to get started!

Script Builder has been a work in progress for some time now and owes its existence to customer feedback. We deployed this back in October last year and since then it has been in 'preview'. After some great feedback we've tweaked it, and it's now ready for the big debut.

If you've ever wondered what command to run or what code to use for your configuration management tool, then Script Builder has got you. As an individual user, it will give you the command to run to install your selected packages and will even let you save it as a packages.config file! We have built-in support for Ansible, Chef, PowerShell DSC and Puppet configuration management tools for use in your organization. Even though that covers the most popular configuration management tools in use within our customers organizations, we don't limit you to those tools, or even require you to use one.

With Script Builder we aim to help our customers and users to get up and running quickly with Chocolatey in their environments.

<Callout type="info"> The selections you make, and information you provide in Script Builder, are saved within the browser on your computer and will not be available on other computers. </Callout>

<Callout type="info"> Your browser may block multiple pop-ups when choosing to bulk download packages resulting in only 1 package being downloaded. To avoid this, be sure to add community.chocolatey.org to your list of approved sites that allows pop-ups and redirects. </Callout>

Adding and removing packages

<Callout type="info"> Package versions are always included in generated scripts. In a future release a toggle will be provided to remove version numbers. </Callout>

Packages can be added or removed from Script Builder virtually anywhere:

From the main packages list.
From the package page.
And even from the Version History table on the package page. Multiple versions of the same package cannot be added to Script Builder.

Just click the green + to add and the red - to remove!

Individual integration method

If you want to know the shell command to run to install your selected Chocolatey packages, then this is the method for you. You even have the option of downloading a packages.config file!

Using Script Builder as an individual user is easy. Just follow these steps:

After adding your packages, review the list.
Select the Individual integration method.
Choose to copy the installation script or download as a packages.config file.

Yes. It is that simple.

Configuration management integration methods

If your organization uses a configuration management tool then we support the most popular ones our customers use:

Ansible
Chef
PowerShell DSC
Puppet

We also provide a Generic method. This helps if you use another configuration management tool or otherwise want to use Chocolatey inside your organization.

<Callout type="warning"> The organizational use of the Chocolatey Community Repository is not recommended. Please see our documentation to use Chocolatey for internal / organizational use. </Callout>

Just follow these steps to use Script Builder for your organization:

After adding your packages, review the list.
Verify your chosen integration method. Select from a Generic PowerShell, Ansible, Chef, PowerShell DSC, or Puppet script.
Enter the url of your internal package repository. You cannot proceed without providing it. See our documentation for options and information on using Artifactory Pro, Nexus, and ProGet.
After reading and selecting the preferred option, get the packages into your environment by following the instructions.
Copy the installation and configuration scripts, and download the packages if needed.

We want your feedback!

Script Builder is simple and powerful, but we strive to make it better, for you.

We are always open to constructive feedback on all Chocolatey products. While Script Builder has been around on our Community Repository website since October 2021, we want to hear about your experiences and thoughts. You can share them with us by raising a discussion or if you find a bug or have a suggestion to enhance Script Builder, you can raise an issue.

Announcing Chocolatey.Chocolatey Ansible Collection 1.2.0

Chocolatey Team — Wed, 16 Feb 2022 00:00:00 GMT

We are happy to announce the release of version 1.2.0 of the Chocolatey Ansible Collection!

Discussed below are the main changes included in this release but we also have a full set of release notes available.

Changes in `win_chocolatey`

Added `state: upgrade` Option

We have updated the documentation to clarify the behaviour of state: latest and state: present particularly when used with version:. We also added state: upgrade as an alias for the existing state: latest.

Note that using state: present in combination with version: will result in an error if a different version of the target package is already installed. If you want to upgrade packages, use state: latest or state: upgrade.

Example Usage

- name: upgrade choco
  win_chocolatey:
    state: upgrade
    name: chocolatey

Added `choco_args:` Option

We have added the ability to provide Chocolatey CLI arguments through the choco_args option. This allows you to provide additional parameters directly, including licensed arguments for Chocolatey For Business customers.

This option takes a list of parameters to pass to Chocolatey CLI, which will be added after any explicitly-set options in the Ansible task. This means that explicitly setting the version option, or any other options, will take precedence over anything provided in choco_args.

Example Usage

- name: install package with sensitive params
  no_log: true
  win_chocolatey:
    state: present
    name: package_name
    choco_args:
    - --package-parameters-sensitive
    - '/ConnectionString:"{{ my_connection_string }}"'

Release Notes

For more information on the breaking changes, features, improvements and bug fixes that were included in this release, please see the release notes.

Learn More

Check out the documentation.
Learn about other features available in Chocolatey for Business.
Contact us to find out more and setup your evaluation of Chocolatey for Business today.

Announcing Release of Chocolatey GUI 0.20.0 and Chocolatey GUI Licensed Extension 0.4.0

Chocolatey Team — Thu, 10 Feb 2022 00:00:00 GMT

import Callout from '@choco-astro/components/Callout.astro';

While we have a full set of release notes available for both Chocolatey GUI and Chocolatey GUI Licensed Extension, we have highlighted a few important updates below.

<Callout type="info"> If you use Chocolatey GUI Licensed Extension you will need to install v0.4.0 to use Chocolatey GUI v0.20.0. </Callout>

Change To Required .NET Framework

Chocolatey GUI 0.20.0 now requires .NET Framework 4.8 whereas previous versions required .NET Framework 4.5.2.

Control Package and Installation Arguments

A popular request from our community and customers is to have the ability to control arguments that can be passed to Chocolatey when installing a package from Chocolatey GUI. For example, to allow passing of a package parameter to control whether a desktop shortcut should be created or not. I am very happy to announce that this feature is now available when installing a package, and you can find out more information about it in the documentation.

Change Display Language

In previous versions of Chocolatey GUI, it would detect the Windows System locale, and if this was supported, Chocolatey GUI would update to show its UI in this language. With the release of Chocolatey GUI 0.20.0, it is now possible to select which language you would like to use. Find out more information about this in the documentation.

View Remembered Arguments

From within a package details page in Chocolatey GUI, it is now possible to see the remembered arguments that were stored when the package was installed. This can be very useful when trying to perform upgrades, and to know how a package was installed. Check out the documentation for full information on this feature.

Release Notes

For more information on the breaking changes, features, improvements and bug fixes that were included in this release, please see the Chocolatey GUI release notes and the Chocolatey GUI Licensed Extension release notes.

Learn More

Check out the Chocolatey GUI documentation.
Check out the Chocolatey GUI Licensed Extension documentation
Learn about other features available in Chocolatey for Business.
Contact us to find out more and setup your evaluation of Chocolatey for Business today.

Chocolatey CLI Docker Images Now Available On Docker Hub

TheCakeIsNaOH — Tue, 25 Jan 2022 00:00:00 GMT

The official Windows and Linux Docker images for Chocolatey CLI are now available on Docker Hub. Simply run docker pull chocolatey/choco to download the latest image.

This is the first official Chocolatey CLI build that runs on Linux (via Mono), although unofficial builds have previously been created by a community member. There is more information about running on non-Windows systems on the Chocolatey documentation site.

The Windows Container Image

The chocolatey/choco:latest-windows image for Windows containers is based on the servercore:ltsc2016 image, which has full support for the .NET Framework. Chocolatey, and Chocolatey Licensed Extension, are fully functional, and most packages will work, except packages that contain installers that require a GUI to run and other installers that are incompatible with running inside a container. In addition, Package Builder and Package Uploader GUI, that come with Chocolatey For Business, will not work for the same reasons.

The Linux Container Image

The chocolatey/choco:latest-linux image for Linux containers is based on mono:6.12, which itself is based on a Debian image.

Chocolatey CLI on non-Windows platforms has a specific focus of creation and maintenance of packages. See the docs for more information.

At the moment the Chocolatey Licensed Extension does not work in a Linux container and may actually result in a broken Chocolatey CLI install if you attempt to install it. We would recommend that licensed customers do not license Chocolatey on the Linux container or, if that is not an option, use the Windows container instead.

Why Docker Containers?

Containers are useful for the same reasons that virtual machines are useful; being able to create an isolated environment in which to run software. With Docker containers it is fast and easy to download and run a prebuilt environment.

Using a Docker container, packages:

Can be tested in a repeatable, isolated environment before deployment to a repository.
With Chocolatey For Business, the testing could be preceded by automatic internalization of the package.
If your packages are maintained in a CI system, the Chocolatey Docker container could be an easy environment in which to do the update.

Why Both A Linux And Windows container?

There are two big reasons that I wanted to create a Linux based image, as well as a Windows one.

The first is that the Linux based images have a number of advantages over Windows images. They are much smaller, so less bandwidth and disk space are used, they are quick to start up and they can be run with minimal memory requirements. More operating systems support Linux containers, as they can be run on both Windows and MacOS systems, which also translates to better support for them in external tools.

The second reason is selfish. Chocolatey CLI can now run on all of my machines! Instead of having a Windows server for maintenance of internal packages, I can now do this right next to my internal Sonatype Nexus repository instance.

How To Use The Docker Images

The Basics

First up, you need Docker installed on your system. If you're running Windows, that's easy because you are running Chocolatey, right? Just run choco install docker-desktop -y. For non-Windows systems, consult the Get Docker documentation.

Once Docker is installed, you can pull down the image with the 'latest' tag by running docker pull chocolatey/choco:latest. See the tags list for the full list of available tags.

Now you can create a container from the image with docker run --rm -it chocolatey/choco <command>

To explore the container, use a command line shell as the command, e.g. cmd.exe for Windows and bash for Linux. For example, docker run --rm -it chocolatey/choco cmd.exe.

Host Files Access

Now that you can run a container, there is a good chance you want to access files on the host, from inside the container. You may want to pack and push a package for example. This can done with the --volume argument, for example docker run --rm -it --volume=<path on host>:<path in container> chocolatey/choco <command>

For more information on the --volume argument, see the Docker documentation.

Using A Container For Automatic Package (AU)

You can build on and modify Docker images depending on your needs. For example, if you want update packages with AU then the Windows image Dockerfile below could be used to build the image with it.

FROM chocolatey/choco:latest-windows

RUN choco install au --yes

CMD PowerShell.exe

AU also runs on Linux and the Dockerfile below can be used to build an image with it installed.

FROM chocolatey/choco:latest-linux

RUN apt-get update && \
    apt-get upgrade -y && \
    apt-get install -y wget apt-utils gnupg apt-transport-https

RUN wget https://packages.microsoft.com/config/debian/10/packages-microsoft-prod.deb && \
    apt-get install ./packages-microsoft-prod.deb -y && \
    apt-get update && \
    apt-get install -y powershell

RUN pwsh -Command Install-Module AU -F

WORKDIR /root
CMD pwsh

Once you have the Dockerfile you can build the image by running docker build -t <image name> . from the same directory as the Dockerfile. Then you can run the newly created image with docker run --rm -it <image name> <command>.

I'm really excited about the ability to run Chocolatey across both Windows and Linux and I hope this blog post outlines how you can use the official Chocolatey Docker images.

Announcing Release of Chocolatey CLI 0.12.0 and Chocolatey Licensed Extension 3.1.0

Chocolatey Team — Tue, 18 Jan 2022 00:00:00 GMT

import Callout from '@choco-astro/components/Callout.astro';

Discussed below are the change highlights included in this release but we also have a full set of release notes available.

<Callout type="info"> If you use Chocolatey Licensed Extension you will need to install v3.1.0 of Chocolatey Licensed Extension to use all the new functionality that has been added to Chocolatey CLI v0.12.0. </Callout>

Choco Template Command

The choco new command allows you to use more than just than the standard Chocolatey template. You can install custom templates from the Chocolatey Community Repository or create your own. To create a new package from a template you'll you need to specify it by name each time. To make the package template the default requires some file system manipulation and is not a good user experience. We have added a new defaultTemplateName config option that you can use to set the default template.

We have also added a new choco template command that allows you to list the package templates you have installed using the choco template list command and get information on specific templates using the choco template info --name <TEMPLATE NAME>.

Chocolatey and Non-Windows Systems

We have completed a lot of work to get Chocolatey working on non-Windows systems such as Linux which will aid a lot of our users in their DevOps pipelines. With Linux being the primary operating system of choice for containers, it makes sense for us to enable our users and business customers to use their existing Linux container infrastructure. While Chocolatey is The Windows Package Manager, it can run package admin operations on Linux and install / upgrade templates. We have also officially released our Chocolatey Docker containers for both Windows and Linux.

Release Notes

For more information on the breaking changes, features, improvements and bug fixes that were included in this release, please see the release notes.

Learn More

Check out the documentation.
Learn about other features available in Chocolatey for Business.
Contact us to find out more and setup your evaluation of Chocolatey for Business today.

All Of The '24 Things I Learned About Chocolatey' In One Place!

Chocolatey Team — Fri, 24 Dec 2021 00:00:00 GMT

For the holidays this year we put together a fun fact or interesting feature each day during December. We called it the 24 TIL's of Chocolatey.

A TIL is a commonly used acronym for today I leared. Which is apt, because we posted in our Discord today-i-learned channel alongside Twitter. But, in case you missed them here is each TIL listed below in order:

Day 1: Chocolatey was first released on 23 March 2011. That makes Chocolatey 10 years old!
Day 2: If you already have software installed on your computer, but you want to manage it with Chocolatey going forward, then there is a solution to it without installing the software again. One way of doing this is to use the --skip-powershell switch. By running choco install vlc --skip-powershell, Chocolatey CLI will install the latest vlc package, but not run any of the PowerShell scripts, including chocolateyInstall.ps1. So the software won't actually be installed again. Once that is done you can run choco upgrade vlc to upgrade to the next latest version when it's available!
Day 3: You can enable PowerShell tab completion for use with Chocolatey CLI. Find out more in our docs, or watch this fantastic video created by our Senior Software Developer, Gary Ewan Park.
Day 4: Windows requires the majority of software installations to be done with elevated privileges. Chocolatey works really well when combined with gsudo, so that you can run sudo choco install <packageName> from a non-elevated terminal!
Day 5: Did you know you can extend the functionality of the Chocolatey CLI using extensions? Extensions are PowerShell modules that are created as Chocolatey packages and installed, upgraded and uninstalled in the familiar way! See the docs for more information.
Day 6: Chocolatey remembers arguments previously used during package installations and can reuse these arguments during upgrade by enabling the feature useRememberedArgumentsForUpgrades (running choco feature enable --name=useRememberedArgumentsForUpgrades) or by passing in the switch --use-remembered-arguments. See the docs for more information.
Day 7: Did you know that you can extend the choco new command to use your own custom templates? This makes creating tailored Chocolatey packages, with your own conventions, really simple! See the docs for more information.
Day 8: Did you know that the Chocolatey documentation site is fully open source? And we welcome contributions! You can learn how to contribute using this video playlist.
Day 9: Did you know that if you run choco upgrade <packagename> that Chocolatey CLI will helpfully install the package if it's not already installed? If you want to turn off this behaviour, then run choco feature enable --name=skipPackageUpgradesWhenNotInstalled to enable the feature. See the docs for more information.
Day 10: Did you know that if you are a Chocolatey For Business customer, you can pin a package and store the reason why? Add the --pin-reason=<NOTE> switch to the normal choco pin command to do so! See the docs for more information.
Day 11: Did you know that Chocolatey For Business customers can add their organizational logo to Chocolatey GUI? See the docs for more information.
Day 12: Did you know that the Chocolatey Automatic Uninstaller attempts to uninstall the software a package may have installed, even if the package does not include an uninstall script? You can manage its behaviour using the autoUninstaller feature. See the docs for more information.
Day 13: Did you know that in Chocolatey For Business you can use auditing to find out who installed a package and when? Just run choco list -lo --audit. If it was installed through Self Service it will show you the original requesting user as well! See the docs for more information.
Day 14: Chocolatey includes its own PowerShell Host that will time out calls to Read-Host or any other prompt for choice when -y is passed. This means you can prompt the user during package install / upgrade if necessary, but it will not block headless deployments. You can use the system PowerShell host using the --use-system-powershell switch or by enabling the powershellHost feature. See the docs for more information.
Day 15: Did you know that Chocolatey supports FIPS compliant organizations? Simply enable the useFipsCompliantChecksums feature to use FIPS compliant generated checksums. See the docs for more information.
Day 16: Did you know you can add all the Chocolatey packages you want to install, with parameters, to a packages.config file and install them with one command? This is fantastic when you get a new computer! See the docs for more information.
Day 17: Did you know Chocolatey CLI provides enhanced exit codes for the search, list, info and outdated commands? Enable the useEnhancedExitCodes feature and exit code 2 is returned if the command does not produce any results. This is really handy in scripts! See the docs on the individual commands for more information.
Day 18: If you use Chocolatey For Business in Self-Service / Background Mode you can restrict the commands / actions that end users can perform by configuring backgroundServiceAllowedCommands. By default install and upgrade are allowed but uninstall is not! See the docs for more information.
Day 19: Did you know in Chocolatey CLI you can stop install, upgrade or uninstall of packages when a reboot request is detected. Simply enable the features useEnhancedExitCodes and exitOnRebootDetected. See the docs for more information.
Day 20: Did you know you can export your currently installed packages in Chocolatey GUI using the Export button? Did you know can also do this in Chocolatey CLI using the export command? Once the export is complete, you will have a packages.config file you can use in a choco install packages.config command on any other computer! See the docs for Chocolatey GUI and Chocolatey CLI.
Day 21: Chocolatey shims executables to keep your PATH clear and runs the target where it is, meaning required dependencies are all used from the original location! We like to call this "batch redirection that works". See the docs for more information.
Day 22: Did you know that Chocolatey For Business can show all installed Chocolatey packages in Programs and Features on Windows? This allows reporting tools that only see Programs and Features software, to report on Chocolatey packages too! Simply enable the showAllPackagesInProgramsAndFeatures feature. See the docs for more information.
Day 23: Did you know that you can add parameters to a package when you create it? Package parameters is one of the most powerful features of Chocolatey packages! It allows the installation / upgrade to be customised by allowing the user to provide information to the package in the form of license names, keys or even switches to allow, for example, shortcuts to be created on the desktop (or not). Whatever your imagination allows! We even provide a Chocolatey helper function Get-PackageParameters to help you parse them! See the docs for more information on creating Package Parameters and on the Chocolatey helper.
Day 24: Did you know that the Chocolatey Community Repository hit 1 BILLION package downloads in May 2020 and is at 1.6 BILLION today? See our blog post for that milestone and the Chocolatey Community Repository timeline (work in progress).

We hope you learned some things from our TIL's this December.

While 2021 will go down in the history books as a difficult year for all of us, we're excitedly looking forward to what is to come in 2022 and how we can continue to empower our customers with the power of simple.

Chocolatey Products Not Affected By Log4j Vulnerability

Chocolatey Team — Mon, 13 Dec 2021 00:00:00 GMT

import Callout from '@choco-astro/components/Callout.astro';

On Friday 10 December 2021 NIST published CVE-2021-44228 describing a vulnerability in Log4j. Since that time we have had a number of customers contacting our Support Team to ask if Chocolatey products are vulnerable.

Apache provide Log4j, a very popular Java based logging library. The CVE NIST published identified an issue in the JNDI features of versions 2.0.0 to 2.14.1 of Log4j. Several Chocolatey products use log4net, a .NET logging library also from Apache. While it has a similarly sounding name, it is not vulnerable and has no known security vulnerabilities at the time of this writing.

Are Chocolatey Products Affected?

Chocolatey products do not run on, or use, Java and do not use the Log4j logging library. The Chocolatey For Business products below are therefore NOT vulnerable:

Chocolatey CLI
Chocolatey Licensed Extension
Chocolatey Agent
Chocolatey GUI
Chocolatey GUI Licensed Extension
Chocolatey Central Management

While we call out the above Chocolatey For Business products specifically, no Chocolatey products, business or open-source, use the Log4j logging library and are therefore NOT vulnerable.

Chocolatey For Business Quick Deployment Environment (QDE)

Whatever flavour of QDE you have, it has three components which we have confirmed are NOT vulnerable.

Sonatype Nexus Repository OSS

Sonatype have confirmed that Nexus uses the logback logging library and not Log4j and is therefore not vulnerable. Sonatype provides more information on it's website and we have used the code in that article to verify both our Azure and virtual machine QDE environments.

Jenkins

The Jenkins team have confirmed that Jenkins Core does not use the Log4j logging library and they provide more information on their website. However, the Jenkins team do point out that plugins added to Jenkins may include Log4j.

The Chocolatey For Business QDE environments include additional Jenkins plugins and we have used the methods provided in the article to confirm that they are NOT vulnerable. If you have added plugins to Jenkins in your QDE environment then you will need to use the methods Jenkins provide to confirm the vulnerability of those plugins. Chocolatey is not responsible for any plugins that have been added to your QDE environment.

Chocolatey Central Management

As confirmed above, Chocolatey Central Management does not run on, or use, Java and is therefore NOT vulnerable.

SQL Server Express (QDE Virtual Machine Image)

As mentioned above, we have in the past provided QDE as a virtual machine image that you can import into your hypervisor of choice. This image uses SQL Server Express as the database for Chocolatey Central Management.

While the current Log4j vulnerabilities are for versions 2.0.0 to 2.14.1, NIST has recently created a CVE for a Log4j vulnerability in version 1.2. While Chocolatey products do not run on, or use Java, SQL Server includes version 1.2.17 of Log4j at the path C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars\. Microsoft have provided some general guidance on Log4j2, along with guidance specifically for SQL Server confirming that the JAR files should be removed if they are not required. It would also appear that these libraries are only used if Java is used to interact with SQL Server. See the following posts for more information on this issue:

Apache provides more information on version 1.x of Log4j:

<Callout type="info"> Log4j 1.x does not have Lookups so the risk is lower. Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their configuration. A separate CVE (CVE-2021-4104) has been filed for this vulnerability. To mitigate: audit your logging configuration to ensure it has no JMSAppender configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability. </Callout>

We recommend concerned customers manually move the Log4j files, provided with SQL Server in C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars, to a Zip archive. Once the files have been moved from the file system to the Zip archive, restart the Chocolatey Central Management SQL Server instance and monitor until you are sure there are no issues. If you experience issues, the files can be restored from the Zip archive and restart the SQL Server instance again.

Other Products

Forescout have put together an analysis of the ongoing Log4j issues that provides more technical information.

Announcing Chocolatey Licensed Extension 3.0.0

Chocolatey Team — Thu, 09 Dec 2021 00:00:00 GMT

import Callout from '@choco-astro/components/Callout.astro';

We are very happy to announce the release of version 3.0.0 of Chocolatey Licensed Extension! This is a major release including breaking changes and a long-awaited feature.

Discussed below are the main changes included in this release but we also have a full set of release notes available.

This release was also the subject of our December 2021 Chocolatey Explained livestream.

<Callout type="info"> The chocolatey.extension package has an updated dependency on Chocolatey CLI v0.11.1+. </Callout>

Package Builder / Package Internalizer

<Callout type="warning"> This is a breaking change in the requirements for using packages generated with Package Builder and Package Internalizer. </Callout>

Packages generated using Chocolatey Licensed Extension 3.0.0 and later will only work on licensed clients. This change also means that the for-public option has been removed from the choco new command. Packages that are destined for the Chocolatey Community Repository should be created without any commercial arguments to the Chocolatey CLI.

For more information about this change, and the rationale behind it, please see our previous blog post.

Microsoft Intune Integration

Using Chocolatey Licensed Extension 3.0.0 it is now possible to convert Chocolatey packages into Chocolatey Intune packages, and push them to your Intune tenant. This enables you to rapidly on-board any Windows software into Intune without being restricted to MSI/MSIX installers or Windows Store software.

This feature has been driven by our customers and we're very glad to have been able to address this need.

For additional information on this feature, check out the docs.

Release Notes

For more information on the breaking changes, features, improvements and bug fixes that were included in this release, please see the release notes.

Learn More

Check out the documentation.
Learn about other features available in Chocolatey for Business.
Contact us to find out more and setup your evaluation of Chocolatey for Business today.

Help Chocolatey, Open Source and Earn That T-Shirt with Hacktoberfest 2021!

Chocolatey Team — Tue, 12 Oct 2021 00:00:00 GMT

It's that time of year again. It's October. And that means it's also Hacktoberfest!

Chocolatey is once again joining in this year and allowing our fantastic community to keep up the frankly awesome work on our open source projects by submitting those pull requests! Introduced last year, Digital Ocean are again offering an exclusive t-shirt or to have a tree planted in your name.

Chocolatey Hacktoberfest Repositories

This year we have added even more repositories for you to cut your Hacktoberfest teeth on. You can find 24 of our open source repositories available this year:

13 repositories in the Chocolatey GitHub Organization, and
11 repositories in the Chocolatey Community GitHub Organization.

How Do I Get Involved?

That's easy!

Many repositories have a CONTRIBUTING.md document that provides details on how to contribute to the repository. If one is not available, then follow the steps below:

Raise an issue in the Issues tab of the repository. This allows your bug / feature / enhancement to be discussed.
If, after discussion, you get agreement for your bug / feature / enhancement, then raise a Pull Request.
Your Pull Request will be reviewed, discussed and merged!

Our Senior Software Developer, Gary Ewan Park, has created a short playlist of videos to help walk you through contributing to our docs repository. While it is focused on that repository, it is knowledge that you can easily apply to other repositories too! Digital Ocean have also provided resources on how to create your first pull request as well as video to walk you through it.

Hacktoberfest is a great way to brush up on your development skills and help out the open source community at the same time. At the time of this writing, there are 139 events being hosted all over the world including an event hosted by our very own Technical Engineering Manager, Paul Broadwith with our Senior Software Engineer, Gary Ewan Park, as a speaker!

So get those pull requests in, brush up on your developer skills and help the open source community thrive!

Announcing Recent Chocolatey Releases - Many Of Them!

Chocolatey Team — Thu, 16 Sep 2021 00:00:00 GMT

import Callout from '@choco-astro/components/Callout.astro';

You may have noticed the over the last few weeks we have been pushing out new package versions for a large number of the Chocolatey products. This included updates to:

The main driving force behind all of these releases was a security vulnerability that was identified in one of the core external libraries that is used by Chocolatey, log4net. To exploit this vulnerability an attacker would need Administrator access, given how the Chocolatey install folder is secured by default. And if an attacker needed Administrator access already, they would therefore not need to exploit the vulernability!

Here at Chocolatey, we take security very seriously, so once identified, we set about updating all the Chocolatey products that use this log4net library, making sure that they all continue to work together correctly. Along the way, we were also able to squash a number of bugs, and add a number of new features.

It has been a long road, but all in all, we are really happy with what we have been able to achieve, and we are looking forward to bringing more releases of these products in future.

Package Prerequisites

Due to the nature of the changes, there have been some changes to the package depedencies. The new package dependencies are as follows:

Package Name	chocolatey	chocolatey.extension	chocolateygui
chocolatey v0.11.1
chocolatey.extension v2.2.0	v0.11.0 *
chocolateygui v0.19.0	v0.11.1
chocolateygui.extension v0.3.0	v0.11.1		v0.19.0
chocolatey-agent v0.12.0		v2.2.0

<Callout type="info"> The chocolatey.extension package was published before v0.11.1 of Chocolatey was released, that is why it doesn't take a dependency on the v0.11.1 package of Chocolatey. We recommend immediate upgrade to v0.11.1 of Chocolatey if you have v0.11.0 installed. </Callout>

<Callout type="warning"> Due the nature of how Chocolatey package dependencies work, we can ensure that all the required package versions are installed. For example, if you were to install chocolateygui.extension then it would make sure that the following tree of packages are installed:

| Package Name            | Version |
| ----------------------- | ------- |
| chocolateygui.extension | v0.3.0  |
| chocolateygui           | v0.19.0 |
| chocolatey              | v0.11.1 |

However, there is nothing that can be done to ensure that indirect dependencies are satisfied.  For example, if you currently have chocolateygui v0.18.1 installed along with chocolateygui.extension v0.2.1 and you first upgrade to chocolateygui v0.19.0, then you will see errors if you attempt to run Chocolatey GUI, since the chocolateygui.extension package also needs to be updated.

Based on the package releases, the recommended installation/upgrade order is the following:

* chocolatey-agent
* chocolateygui.extension
* chocolateygui
* chocolatey.extension
* chocolatey

This will ensure that all dependencies, both direct and indirect, are installed.

</Callout>

Release Notes

For more information of the features, improvements and bug fixes that have gone into these releases, please see the release notes:

Chocolatey CLI
- v0.11.1
- v0.11.0
Chocolatey Licensed Extension
- v2.2.0
Chocolatey GUI
- v0.19.0
- v0.18.2
Chocolatey GUI Licensed Extension
- v0.3.0
Chocolatey Agent
- v0.12.0

Learn More

Check out the documentation.
Learn about other features available in Chocolatey for Business.
Contact us to find out more and setup your evaluation of Chocolatey for Business today.

Chocolatey Licensed v3 Changes Require Nodes To Be Properly Licensed

Chocolatey Team — Thu, 09 Sep 2021 00:00:00 GMT

Summary

We are about to release a major update to the Chocolatey Licensed Extension that includes a number of bug fixes, some features like Intune Integration, and an important change for clarity around licensing.

One thing we've heard from organizations over the last few years is that there is some confusion regarding licensing - "What counts as a license?", "How many licenses do I need?", etc. This point can be especially confusing when it comes to features such as Package Builder and Package Internalizer, as the packages are built/internalized on one machine and then deployed to many machines. We want to clarify licensing to reduce confusion and ensure folks have the correct license counts. In short - everywhere those packages go, those machines count in licensing.

At Chocolatey Software, we've provided Chocolatey Central Management to help organizations using Chocolatey for Business (C4B) get better metrics on licensing counts, but we've found that organizations can still get into trouble when employees install things without consideration for the number of licenses available in your inventory. The additional features in this release move to make it clearer on the number of Chocolatey licenses an organization is using. This ensures your organization has accurate license counts when it comes to licensing audits and helps you avoid costly fines and sanctions for being out of compliance.

What Are We Doing?

Packages built/internalized with commercial features in Chocolatey Licensed Extension v3 and later will ensure that the endpoints/nodes are licensed by adding checks to the packaging itself. Most organizations are already properly licensed on all endpoints, and will just need to upgrade clients to the newest version. There are no changes to the licensing agreements, and we don’t expect this to have any significant impact for most of our customers.

We do recognize that English is not everyone's first language, so it is possible that there may be a few organizations that are impacted by this change, and that is to be expected. It's better to find out you are out of compliance by an internally deployed tool such as Chocolatey Central Management, versus an external organization such as FAST (Federation Against Software Theft) or The Software Alliance (BSA).

Why Are We Making These Changes?

In doing this, the benefits for organizations are that the licensing is much clearer, so it can reduce costly fines that can come when software out of compliance:

We are removing confusion surrounding the use of packages that are built/internalized with commercial features (Package Builder/Package Internalizer).
We are ensuring that all endpoints are licensed so that our support team is providing the best possible service to our end users.
We are protecting organizations from costly licensing mishaps that can occur when licensing is misunderstood.
We are protecting organizations from employees who install what looks available without consideration for software inventory counts.

When Will These Changes Be Effective?

This will be effective in Chocolatey Licensed Extension v3.0.0 (chocolatey.extension package). Once you start building/internalizing packages with this version, you'll need to update your clients to at least version 3 (3.0.0) as older licensed versions will not be compatible with packaging changes coming in v3.

FAQs

Will I need to update all of my clients when I upgrade to v3.0.0 of the Chocolatey Licensed Extension?

Yes, as the checks that have been added will require that. You'll see a warning and error message on any clients you forget to upgrade. When you see that message, you'll just need to upgrade the clients and then the package installations will work nicely again.

I have clients that are using unlicensed editions of Chocolatey, do I really need to have those endpoints licensed?

Yes, you've always needed to have those endpoints properly licensed as part of the licensing agreements, although the software hasn't really enforced that for you. This is simply a change to help ensure that endpoints do get licensed.

I don't like the extra time it takes to get an endpoint licensed.

There are two extra steps - add the license (can be done through a package) and install the Chocolatey Licensed Extension package. It adds up to about 20-30 seconds of extra time to your provisioning. The steps are located at Licensed Extension Setup, and there are some quick scripts to get this setup quickly. Reach out to support if you need help with this aspect - our team will be happy to assist you in enhancing your scripts to work with licensed endpoints.

I have the Chocolatey For Business (C4B) edition of Chocolatey. Do these changes affect it?

Yes, Chocolatey for Business (C4B) edition requires endpoints/nodes to be licensed. This edition is for organizations, and where the features of Package Builder and Package Internalizer are most used.

I have the Architect edition of Chocolatey. Do these changes affect it?

No. Chocolatey Architect edition is targeted at building packages for your customers and their pipelines, but not managing the endpoints/nodes themselves. In that type of licensing scenario, the endpoints are not required to be licensed, so these changes will not apply to that edition of Chocolatey.

I have the MSP edition of Chocolatey. Do these changes affect it?

Yes, the MSP edition requires endpoints/nodes to be licensed, just as Chocolatey for Business (C4B) does.

I have the Professional edition of Chocolatey. Do these changes affect it?

No. Chocolatey Professional does not include Package Builder (the full generation of packages) or Package Internalizer, so these changes will not affect that edition. Chocolatey Professional is targeted at end users/consumers that are managing their own machines and just want better features to work within the community offerings.

I have ephemeral environments, this sounds like extra work for a machine that might be up for just a few minutes.

I have other questions or concerns related to these changes.

Please reach out to your representative or contact us (choose "Other") if you have any questions or concerns that we were unable to address here.

Announcing the Chocolatey for Business QDE Azure Environment

Chocolatey Team — Wed, 25 Aug 2021 00:00:00 GMT

Your complete Chocolatey for Business (C4B) environment up and running in 20 minutes! We are excited to announce that our popular C4B Quick Deployment Environment (QDE) is now available on the Azure Marketplace.

Windows Software installation & management is only as good as the packaging process, and more importantly your ability to quickly update patches / new versions. Setting up a complete workflow can be complex and time-consuming. To make this easier we developed QDE. Based on Chocolatey’s infrastructure architecture recommendations, pre-loaded with key productivity application packages, and now available in Azure Marketplace.

Our customers tell us that implementing a modern automation approach has helped accelerate deployments and save time. Contact us to find out more.

A True Azure Environment

Chocolatey for Business QDE Azure Environment gives you everything needed to get up and running with a complete C4B environment using several Azure services.

The heart of the solution is a Virtual Machine that runs Chocolatey Central Management (CCM), Nexus Repository, and Jenkins.

This is supported by an Azure SQL Server, which is able to scale depending on the size of your environment. The entire solution sits behind an Application Gateway, enabling seamless HTTPS for all components of the environment. Finally, all user accounts are created with unique passwords which are stored in an Azure Key Vault.

The Chocolatey for Business QDE Azure Environment is ideal for testing C4B as part of your evaluation.

IMPORTANT: Please ensure you have obtained a Chocolatey for Business (C4B) trial license from the Chocolatey team prior to starting with QDE Azure, or contact us.

Try It Yourself

In order to try out the Chocolatey for Business QDE Azure Environment, you'll need to have a few things ready to go:

A Chocolatey for Business license, get in touch to start a trial.
Access to an Azure subscription with Contributor permissions.
A domain name you'd like the solution to sit behind, and
- The ability to add a public CNAME record for this domain.
- An SSL certificate for the chosen domain name, with exportable private key.

With those prerequisites in hand, head over to the Chocolatey for Business QDE Azure Environment listing on the Azure Marketplace and choose Get It Now.

Configuring your environment is a three-step process.

First, the basics. You create a new resource group for the solution to be deployed to and in which Azure region it will be located. You then choose a prefix which will be applied to all components of the solution, and then upload your license file.

Second, domain configuration. Provide your domain name and the matching SSL certificate. As the private key is included in the certificate, you need to provide the import password. We ask for this password twice as it is important that it is correct.

Third, package internalization. To kickstart your Chocolatey for Business environment, you can automatically internalize your first batch of packages.

We have created several package bundles using popular packages, but you can choose to internalize additional packages by ticking the boxes next to the package name or by providing a comma-separated list of packages names from the Chocolatey Community Repository.

Finally, review your settings and click Create to start the deployment of your Chocolatey for Business QDE Azure Environment.

The deployment generally takes 20 to 45 minutes depending on how many packages you have chosen to internalize. When complete, you'll need to set your domain name to point at your new environment.

Accessing Your Chocolatey for Business QDE Azure Environment

With your deployment complete, your Chocolatey for Business environment is now ready for use. You can access the various services via a web browser. As an example, if your domain name was example.com you would access:

Service	Address	Username
Chocolatey Central Management	https://c4b.example.com	ccmadmin
Nexus Repository	https://c4b.example.com/nexus	admin
Jenkins	https://c4b.example.com/jenkins	admin

To get access to the passwords stored in the Azure Key Vault, you will need to grant yourself access.

Learn More

Check out the documentation.
Find Chocolatey for Business QDE Azure Environment on the Azure Marketplace.
Learn about other features available in Chocolatey for Business.
Contact us to find out more and setup your evaluation of Chocolatey for Business today.

Announcing Chocolatey Central Management 0.6.0

Chocolatey Team — Thu, 05 Aug 2021 00:00:00 GMT

import Callout from '@choco-astro/components/Callout.astro';

We are very happy to announce the release of version 0.6.0 of Chocolatey Central Management! This is a major overhaul of the underlying framework technologies that CCM is built on.

Discussed below are the main changes included in this release but we also have a full set of release notes available.

Updated Target .Net Core Framework

All components of Chocolatey Central Management (database, service, and web) have been updated to use .NET Core 3.1. Previous versions of Chocolatey Central Management used .NET Core 2.2 which was supported to only December 2019. When we switched to .NET Core 2.2, it was believed that it would be supported for a longer period of time, but instead .NET Core 3.1 was released, which is supported through to December 2022.

Within this release, all the existing functionality on Chocolatey Central Management remains intact, but we get the extra security and performance benefits by upgrading to .NET Core 3.1.

Audit Retention

<Callout type="warning"> This is a breaking change in how audit logs are retained within Chocolatey Central Management. Audit history will begin to be removed as soon as you install version 0.6.0. If you want to retain all audit logs, we would recommend that you first back up the entire database before upgrading to version 0.6.0. </Callout>

In an attempt to control the size of the Chocolatey Central Management database, it is now possible to control the retention policy for the audit logs table within the Chocolatey Central Management application.

For additional information on enabling/disabling this feature, as well as controlling the length of time (in days) that audit logs should be retained for, check out the docs.

Release Notes

For more information on the features, improvements and bug fixes that were included in this release, please see the release notes.

Additional 0.6.1 Release

Shortly after releasing version 0.6.0 of Chocolatey Central Management we identified an issue which prevented the installation of the chocolatey-management-service package under a specific, but unusual, environment. The issue was quickly resolved and version 0.6.1 of Chocolatey Central Management was published. Please see the release notes for further information. Note that no changes to the functionality of Chocolatey Central Management were made for this 0.6.1 release.

Learn More

Check out the documentation.
Learn about other features available in Chocolatey for Business.
Contact us to find out more and setup your evaluation of Chocolatey for Business today.

Cory Knox Joins Chocolatey as Junior Software Engineer

Chocolatey News Team — Tue, 01 Jun 2021 00:00:00 GMT

We are excited to announce that Cory Knox has joined the Chocolatey team as a Junior Software Engineer!

Cory has been using Chocolatey for many years, using it both at home to help manage his family's computers, and at work for easy configuration of his individual workstation. He has spent the last several years searching for ways to make life easier for administering systems.

Cory first got his PowerShell feet wet with Exchange 2007, and ever since then has been looking for ways to automate everything possible with PowerShell. For the past decade, he has been managing end-user computing devices using a mix of SCCM, PowerShell scripts, and sometimes batch scripts. Not content to click his way through things, he's always looking for ways to automate repetitive tasks.

"Having spent years using Chocolatey, I am really excited to join the team and contribute my knowledge and expertise to help it grow." says Cory.

Cory will be based remotely in Vernon, British Columbia, Canada.

Using Jenkins Behind A Proxy

Chocolatey Team — Tue, 18 May 2021 00:00:00 GMT

Backstory

Recently during a support incident, we encountered a proxy configuration that we had yet to see when using Jenkins. In this particular instance, web traffic using ssl (HTTPS) was being intercepted, and a Trusted Root certificate provided by the Proxy Server handed to the browser. This configuration was causing Jenkins to be unable to use the proxy server, as the cacert file Jenkins uses was blissfully unaware of the existence of those Trusted Root certificates.

The fix

In order to overcome this issue the following steps were taken:

Shut down the Jenkins service with Stop-Service jenkins
Export the Trusted Root certificates from the LocalMachine certificate store to .cer files
Use keytool to import the Trusted Root certificates into the Java cacert file.
Start the Jenkins service with Start-Service jenkins

Code

The following PowerShell script does all of the heavy lifting to quickly overcome this issue:

[CmdletBinding()]
Param(
    [Parameter()]
    [String]
    $ExportPath = 'C:\certs',

    [Parameter(Mandatory=$true)]
    [String]
    $CertificateSubjectFilter
)

begin {
    if(-not (Get-Command keytool)){
        throw "keytool is required for this script to work"
    }

    if(-not (Test-Path $ExportPath)){
        $null = New-Item $ExportPath -ItemType Directory
    }
}

process {

    #Use a counter to increment
    $counter = 1
    Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -match "CN=$CertificateSubjectFilter*" } |
    Foreach-Object {
        Export-Certificate -Cert $_ -Type CERT -FilePath "$ExportPath\$($_.Thumbprint)_$counter.cer"
        $counter++
    }

    Get-ChildItem $ExportPath -Filter *.cer |
    Foreach-Object {
        keytool -import -trustcacerts -alias $($_.BaseName) -keystore 'C:\Program Files (x86)\jenkins\jre\lib\security\cacerts' -file $($_.Fullname) -noprompt -storepass changeit
        
    }

}

Josh King Joins Chocolatey as Infrastructure Operations Engineer

Chocolatey News Team — Mon, 10 May 2021 00:00:00 GMT

We are excited to announce that Josh King has joined the Chocolatey Team as an Infrastructure Operations Engineer!

Josh has been part of the Chocolatey community since 2014 when he packaged some software he used at work and was frustrated with keeping it up-to-date on multiple computers. He has seen his share of software management strategies that, in hindsight, would have been much easier if Chocolatey had been used.

Despite having a passion for automation, Josh isn't truly happy unless he's deep in the nuts and bolts of IT infrastructure, both physical and virtual. Even better is being able to merge those two passions via Infrastructure as Code.

Josh has always been at home around technology. Growing up he would often procure old computers, from neighbors and local auction sites, and even went as far as to build himself a "gaming PC" out of a 486DX2 desktop.

"I've been using Chocolatey for a very long time, and it's an honour to be able to give back as a member of the team" says Josh. "I'll be responsible for, among other things, helping to ensure that Chocolatey's community services are reliable and available for everybody to use."

One of many projects Josh is looking forward to is moving several components of Chocolatey's community repository to a new home.

"It's an interesting challenge, and not something that happens often. If I do my job right, you shouldn't even know we did anything!"

Josh is a co-organizer of the Australia and New Zealand PowerShell & DevOps User Group, an active member of the PowerShell community, and a Microsoft MVP. He will be based remotely in Hawke's Bay, New Zealand, with his wife and kids.

Kim Nordmo Joins Chocolatey as Package Engineer

Chocolatey News Team — Mon, 10 May 2021 00:00:00 GMT

We are excited to announce that Kim Nordmo has joined the team as a Package Engineer in a full time capacity. Kim has been a member of the Chocolatey community for some time as a package maintainer and moderator!

Kim started using Chocolatey in the middle to late 2015, when he needed to automate the installation and upgrading of packages for his own personal machine when moving from Linux to Windows.

During the fall of 2016 Kim became a community member and started maintaining Chocolatey packages in the chocolatey-packages repository, and became a part of the moderator team during the early winter of the same year. The Community Chocolatey Packages was the first project that Kim submitted a pull request to, and later added the ability to limit users ability to push new versions of packages for existing Unapproved packages.

Over the years between then and now, Kims Open Source Contributions to Chocolatey have included answering questions in the Community Chat channels, Disqus comments and GitHub issues, creating and maintaining Chocolatey packages, acting as one of the moderators for packages submitted to community.chocolatey.org, as well as adding the ability to limit package version pushes on unapproved packages.

"I find it very interesting to be joining Chocolatey software, and I am looking forward to helping it continue to grow in the future" says Kim.

Kim will be based remotely in Narvik, Norway.

James Ruskin Joins Chocolatey as Packaging and Infrastructure Engineer

Chocolatey News Team — Mon, 03 May 2021 00:00:00 GMT

We are excited to announce that James Ruskin has joined the Chocolatey team as a Package and Infrastructure Engineer!

James has been using Chocolatey for many years, both at home and at work. He started out as a SysAdmin using it to automate image creation, keep applications updated without disturbing users, and in scripts that set up his home network.

In the years since, as a DevOps Engineer, he has graduated to using it when scripting deployment of far larger virtual environments running software-as-a-service - after internalizing the packages for consumption from private feeds, of course.

He lists his strengths as PowerShell, Infrastructure-as-Code, and "a vague obsession with pipelines."

"I'm thrilled to be a part of Chocolatey," says James, "It's such a keystone in Windows automation, which is something I'm shockingly enthusiastic about, and I'm really looking forward to being able to help more folk automate problems away!"

He will be based remotely in Cambridge, UK.

Package Scanner Added To Moderation Process

Chocolatey Team — Wed, 28 Apr 2021 00:00:00 GMT

At the beginning of 2016, a service that would later become known as the Package Scanner Moderation Service, was added to the Chocolatey arsenal. When a package was submitted to the Chocolatey Community Repository, all the files that were included within that package, or downloaded as part of the installation of that package, would be submitted to VirusTotal for scanning. Once completed, the details of any detections would be shown on the package page. See the Google Chrome package page as an example:

On top of this, if you are using a licensed version of Chocolatey, then these results will be respected, meaning that any package that contains a file with higher than a configurable number of detections, wouldn't be allowed to be installed. All in all, this is a great security feature.

When this service was introduced to the Chocolatey Community Repository, it was the responsibility of our team of package Moderators to check the results that were returned from VirusTotal, prior to approving a package. As of 27th April 2021, the Package Scanner Moderation Service has now been fully integrated into the overall Package Moderation Service. As a result, any package submitted to the Chocolatey Community Repository, will now have to have completed its VirusTotal scan before being marked as approved on the site. This increases the overall security of all packages, and this is something that we take very seriously at Chocolatey.

Going forward, the Package Scanner Moderation Service will automatically flag all packages using the following criteria:

Not Flagged
- There were no detections found on any of the files within, or downloaded by, the package
Flagged - Note: At least one file within this package has greater than 0 detections, but less than, or equal to, 5
- At least one file within, or downloaded by, the package had between 1 and 5 detections associated with it. Given the nature of false positives within virus scanners, this package is likely very safe to install. As such, a package that falls into this category will be automatically approved, if it is a trusted package.
Flagged - Warning: At least one file within this package has between 6 and 10 detections
- At least one file within, or downloaded by, the package had between 6 and 10 detections. You should take extra steps to ensure that it is safe for you to install. Any package that falls into this category will require to be moderated by a human Moderator.
Flagged - Error: At least one file within this package has greater than 10 detections
- At least one file within, or downloaded by, the package had greater than 10 detections. This is a high number of detections, and you should take extra precautions to ensure that this is safe for you to install. Any package that falls into this category will immediately be sent back to the Package Maintainer to investigate but is going on with the package.

The introduction of this additional flagged status, i.e. Note, Warning, Error, will mean that any package which was submitted to the Chocolatey Community Repository before the 27th April 2021, will not have this flag. As such, an additional warning will be provided on the package page. The details of the virus scan results can still be viewed, it is just that the overall marking of the package will not provide this indication.

If you have any questions or concerns about these changes, then please reach out on our Community Chat or through the Chocolatey Google Group.

Announcing Internal Infrastructure Changes

Chocolatey Team — Fri, 22 Jan 2021 00:00:00 GMT

The Chocolatey Community Repository is a community-driven collection of over 8000 packages (and over 1B downloads of those packages) that Chocolatey hosts and provides for free to the community. We run a number of automated services to support this growing collection of packages and establish a baseline of package quality:

Package Validator
- Inspects the packaging scripts (chocolateyInstall.ps1, chocolateyUninstall.ps1, etc) to ensure that they adhere to rules in place for package quality.
Package Verifier
- Attempts the installation and uninstallation of a package, to ensure that it succeeds.
Package Scanner
- Submits all binaries associated with a package to VirusTotal and collects/reports the results back.
Package Cacher
- Inspects the downloads that a package performs and caches them.
Package Cleanup
- Keeps track of all package submissions and performs housekeeping on those packages that are not progressing, and finally rejects them after a period of inactivity.

Most infrastructure is not open, and there are good reasons for this. A lot of times infrastructure is very specific to an organization and does not lend itself well to being open. We have seen time and again secrets being inadvertently leaked from organizations to their open repositories.

Right now we have our internal infrastructure both internal and open. As we start to look to the future we want to deconstruct some of this into smaller components which will allow us to move faster and provide better services to our user base.

We have already started to improve the Chocolatey Community Website by separating its components. You may have already seen this in action with the release of the new Chocolatey documentation site (repository can be found here https://github.com/chocolatey/docs) as well as the Chocolatey blog.

To achieve speed and to honor our value of simplicity, we also need to take our internal infrastructure internal.

You can still report issues and suggest features for the Chocolatey Community Repository, and its supporting services, by going to the Chocolatey home repository on GitHub.

If you have any questions or concerns about these changes, then please reach out on our Community Chat or through the Chocolatey Google Group.

From the Mad Scientist Laboratory - Internalizing Icons for Internalized Packages

Stephen Valdinger — Thu, 17 Dec 2020 00:00:00 GMT

The Chocolatey Package Internalizer feature available in Chocolatey For Business (C4B) allows you to consume a package from the Chocolatey community repository, and rewrite the packaging to be completely offline.

This allows for the complete offline installation of that package. This is essential for business users where uptime matters, and reliance on a 3rd party can't be trusted. For more information on why organizations should maintain their own repository of Chocolatey packages, see here.

This process works wonderfully, and is often unnoticed if your endpoints have a direct connection to the internet, or you are not leveraging Chocolatey GUI. This is because the icons are retrieved from the <iconUrl> field inside of the nuspec file. There are many reasons why icon files could potentially not be loaded.

Air gapped networks
Restrictive content filter
Proxy configuration
Etc etc etc

This provides a less than ideal experience for users of Chocolatey GUI when using Tile View or when on the Details page of a particular package inside the application.

You may also wish to maintain the icons in your own infrastructure as it again removes a level of reliance on 3rd party resources for your Chocolatey Packages. The following blog post will walk you through setting up the necessary repository infrastructure, and provide code you can use to accomplish bringing icons for packages internal.

Configuring Your Repository Server

We'll be using Sonatype Nexus in this blog post. They use the term "Raw" for a repository that can hold any file type. Your repository server may use another term like "Generic", but it is the same thing. Our Nexus repository will have a hostname of nexus.fabrikam.com, and connect over http on port 8081.

Steps:

Login to Nexus
Click the Gear Icon in the top nav bar
Select Repository
Select Raw (hosted) for the repository type
Give the repository a name, select the appropriate blob store (default in our example), and apply any other policies you need.
Click Create Repository

Gif Overview

The Script

Here's the code you'll need to get this working in your environment. Once saved, you can execute it like this (I'll use splatting to keep things readable):

You'll need the following parameters:

InternalizeDownloadPath

name: InternalizerDownloadPath
type: string
mandatory: true
description: This is the path to the download folder created when you run something like 'choco download vlc --internalize'.

IconRepository

name: IconRepository
type: string
mandatory: true
description: The raw (Generic) repository you wish to push your icon files too.

PackageRepository

name: PackageRepository
type: string
mandatory: true
description: The Nuget repository where you store your chocolatey packages. The script will push the updated packages to this location.

Credential

name: Credential
type: System.Management.Automation.PSCredential
mandatory: true
description: This is a set of credentials with access to push items to both your Icon and Package repositories in your repository server.

ApiKey

name: ApiKey
type: string
mandatory: false
description: The api key used to push nuget packages to your repository. If you have used `choco apikey` to add your api key to your Chocolatey config, this is not necessary. Otherwise, please provide an api key with this parameter.

Complete Script

<#
  .SYNOPSIS
  Internalize package icons for internalized packages

  .PARAMETER InternalizerDownloadPath

  This is the path to the download folder created when you run something like 'choco download vlc --internalize'

  .PARAMETER IconRepository

  The raw (Generic) repository you wish to push your icon files too

  .PARAMETER PackageRepository

  The Nuget repository where you store your chocolatey packages. The script will push the updated packages to this location

  .PARAMETER Credential

  This is a set of credentials with access to push items to both your Icon and Package repositories in your repository server

  .PARAMETER ApiKey
  
  The apikey used to push nuget packages to your repository. If you have used `choco apikey` to add your api key to your Chocolatey config, this is not necessary. Otherwise, please provide an api key with this parameter.

  .EXAMPLE
  $params = @{
      InternalizerDownloadPath = 'C:\internalized\download\'
      IconRepository = 'http://nexus.fabrikam.com:8081/repository/icons/'
      PackageRepository = 'http://nexus.fabrikam.com:8081/repository/choco/'
      }

    .\InternalizePackageIcons.ps1 @params

  .NOTES
    Run this script AFTER you have internalized your packages, and point it at the 'download' folder created during that process
#>
[cmdletBinding()]
param(
    [Parameter(Mandatory)]
    [String[]]
    $InternalizerDownloadPath,

    [Parameter(Mandatory)]
    [String]
    $IconRepository,

    [Parameter(Mandatory)]
    [String]
    $PackageRepository,

    [Parameter(Mandatory)]
    [PSCredential]
    $Credential,

    [Parameter()]
    [String]
    $ApiKey
   
)

process {
    $nuspecs = $(Get-ChildItem $InternalizerDownloadPath -Recurse -Include *.nuspec,chocolateyInstall.ps1)

    Write-Verbose "Downloading icons and replacing values in nuspec files"

    foreach ($nuspec in $nuspecs) {

        [xml]$xml =$nuspec | Where-Object { $_.Extension -eq '.nuspec' } | Get-Content
        $iconurl = $xml.package.metadata.iconUrl
        $icon = ($iconurl -split ('/'))[-1]
        $iconPath = Join-Path 'C:\icons' "$icon"

        if ($iconurl) {

            $null = Invoke-WebRequest -Uri $iconurl -OutFile "$($iconPath)" -ErrorAction SilentlyContinue

            $user = $Credential.UserName
            $password = $Credential.GetNetworkCredential().Password

            $credPair = "{0}:{1}" -f $user, $password
            $encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::Utf8.GetBytes($credPair))

            $params = @{
                Headers         = @{
                    Authorization = "Basic $encodedCreds"
                }

                UseBasicParsing = $true
                ContentType     = 'text/plain'
            }
            
            if ($iconPath -eq 'C\icons\') {
                $null
            }
            else {
                $newUrl = "$($IconRepository)$icon"
                Write-Verbose "Uploading: $iconPath"
                $null = Invoke-WebRequest -Uri $newUrl -Method Put -infile $iconPath @params -ErrorAction SilentlyContinue

                #Write new URL
                $xml.package.metadata.iconUrl = $newUrl
                $xml.Save($($nuspec.FullName))

                $Script:RepackageDirectory = Split-Path -Parent -Path $InternalizerDownloadPath

                $chocoPackArgs = @('pack',"$($nuspec.FullName)","--output-directory='$RepackageDirectory'")
                & choco @chocoPackArgs
            }

        }

    } 

    Write-Verbose "Uploading modified packages to repository"

    Get-ChildItem $RepackageDirectory -Recurse -Filter *.nupkg | Foreach-Object {
        
        $chocoPushArgs = @('push',"$($_.FullName)","--source='$PackageRepository'")

        if($ApiKey){
            $chocoPushArgs += "--api-key='$ApiKey'"
        }

        if($($PackageRepository.Split(':')[0]) -match 'http'){
            $chocoPushArgs += '--force'
        }

        & choco @chocoPushArgs
    }

    Remove-Item C:\icons -Recurse -Force

}

Example

This is an example of internalizing icons using the information from this blog post as parameter values. Please update accordingly in your own environments.

$params = @{
InternalizerDownloadPath = 'C:\packages\download'
IconRepository = 'http://nexus.yourcompany.com:8081/repository/icons/'
PackageRepository = 'http://nexus.yourcompany.com:8081/repository/ChocolateyPackages/'
Credential = (Get-Credential)
}

. .\InternalizePackageIcons.ps1 @params

Conclusion

You made it! If you followed along, you should now have a repository where you can store your package icons, and all the code necessary to make your Chocolatey packages completely, totally, 100%, without question offline. Thanks for reading, and come back next time when the Mad Scientist strikes again!

A Story About Windows Automation

Mukesh Sharma — Fri, 11 Dec 2020 00:00:00 GMT

Imagine IT as a factory. Imagine walking through the IT factory and seeing that Windows software management is the combination of tasks, workers, and machines seeking to transform the raw materials piling up at Goods Inward (software releases, patches, and tickets) into packages that can be distributed to endpoints (locations, endpoints, and users).

However, in the real world, this factory can go really wrong.

Goods Inward pile up in a queue of software releases not deployed, patches not applied, and tickets not handled. The size of this neglected queue has a financial cost that can be measured (TODO / DevOps).
In the middle, the manufacturing is run by overworked and under-resourced Windows Sys Admins who do their best with an ad-hoc, haphazard and inconsistent process.
Goods Outward isn’t a well-managed repository, it’s a mish-mash of shared drives, USB sticks, and -- gasp -- DVDs. Stuff gets lost, duplicated, and often requires rework which is a cost to the business, essentially like throwing cash out of the window.
Distribution is manual, usually "sneakernet", with Sys Admins having to “walk the floor” and install packages by hand on endpoints. This process is adhoc, prone to mistakes, and very slow and inconsistent.
The targets/endpoints become out of date and their users become frustrated. A failure of the IT factory is the root cause of Shadow IT.

In the middle of this painful situation, you’ll often find an IT hero performing Sys Admin heroics to keep things going.

You can easily recognize them:

They are involved in everything like that's a good thing (it isn't).
They complain about the size of the Goods Inward queue -- "let’s trim the queue by skipping releases, patches, and prioritizing tickets."
They complain about the system's difficulty, such as the tools they have, and how they operate in a hazardous environment.
They have to help with distribution which takes them away from fixing the other areas they complain about, in fact, they see a day trip to a remote office as a break.
This Sys Admin is a hero to some, but disliked by others who see them as an anthropomorphic personification of the poorly performing factory.

This is what Edward Deming meant when he said: "Bad systems beat a good person every time". Our hero might not be to blame, but it transpires they are the weak link. Specifically, the Windows Sys Admin is often the constraint in the system they work in.

In the novel, The Pheonix Project, the IT hero was the character Brent who was on the critical path of every IT project. But he couldn’t cope with all the Goods Inwards, so everything ground to a halt. That stopped the flow to distribution, which meant customers didn't get their stuff, and sales plummeted.

In the context of the Theory of Constraints, Brent was the constraint. If you want to know where to start to fix a system, then start with the constraint: in our imaginary failing factory, we need to help the Windows Sys Admin to fix the Windows software automation process to fix the factory.

This is exactly what Chocolatey’s Quick Deployment Environment (QDE) was created to do - by adding QDE and automating the Windows software management process, you automate the factory and free up the SysAdmins who have more time to spend proactively improving the system instead of fighting fires.

Learn more about how we can help on your Windows Automation Journey - https://chocolatey.org/business

Announcing Central Management Deployments Scheduling, API and Support for Semi-Connected Environments

Chocolatey Team — Mon, 16 Nov 2020 00:00:00 GMT

With the paint not even dry on the new release of Chocolatey Central Management, we are excited to tell you all about it. We have a lot of new features to share that we know you have been waiting for!

Register For Our Webinar

To showcase our new features there is no better way than to see it working! We’ll be demoing all the great features in a webinar on December 3rd, 2020. Register to reserve your place now.

If you can’t make it, don’t worry. The webinar will be recorded and be available to watch soon after the presentation using the same registration link.

What is Chocolatey Central Management Deployments

If you’re not familiar with Chocolatey Central Management Deployments then our previous blog post announcing its release will help you understand what Deployments are, and how you can use them to easily manage your Windows endpoints. You can also find more information on our documentation pages.

Start Central Management Deployments On A Schedule Or During a Maintenance Window

This is an exciting new feature to help you schedule deployments for a specific time period such as during a maintenance window, allowing you to manage your endpoints in line with your current procedures or workflows.

You can add a schedule to any deployment by selecting a start time. If you need to use an end time, for a maintenance window for example, you can add that as well!

Find out more about working with Central Management Deployments.

Support Semi-Connected Environments with Central Management Deployments

With organizations allowing staff to work from home, we’ve been hearing from customers who want to use Central Management Deployments in environments where the endpoints are not always online.

To allow you to deploy to these environments, Central Management Deployments now allows you to set a Machine Contact Timeout to wait for a machine to be connected to the network before it is given a deployment step (and even make it wait indefinitely for those machines to check in).

Find out more about working with Central Management Deployments in a Semi-Connected Environment.

Automate Central Management with the new API

To cover the Central Management API in depth we will have a blog post available soon! If you can’t wait, join our webinar on December 3rd where we will be also show you how to create a recurring deployment using the API!

To make it even easier to work with the Central Managements API, we are releasing a PowerShell module called ChocoCCM that is now available in the PowerShell Gallery which you can install with:

Install-Module -Name ChocoCCM

The ChocoCCM module also provides functions to work with:

Roles
Groups
Computers
Deployments
Outdated Software
Reports

Chocolatey Quick Deploy Environment Includes All These Great Features!

Chocolatey Quick Deploy Environment (QDE) is a unified architecture that includes:

Sonatype Nexus Repository OSS as your package repository.
Jenkins as your automation engine, letting you run tasks both on-demand and on a schedule and also helps you auto-internalize packages from the Chocolatey Community Repository using included PowerShell scripts.
Chocolatey Central Management. No introduction is necessary!
Internal Deployment scripts to help you configure the solution.

QDE now includes the latest release of Central Management, so you can try Scheduling, API automation and work in a semi-connected environment using one solution straight away.

To get QDE into your Chocolatey For Business environment, please reach out to us so we can work to get you set up.

We’re Not Finished...

This is the sixth release of Central Management and our second release of Deployments. We have a lot more to come in future releases, all driven by the needs and pain points of customers.

We're also enhancing the documentation for CCM, including supporting materials and videos, that you’ll soon be able to access.

When Can I Get Deployments?

If you are a current customer, please see the documentation for upgrade - you can grab the latest release now! You can also reach out to your Chocolatey Software representative for more details. If you are not a current customer, you can also reach out to our team to get started. We are excited to get it in your hands!

And remember, to see all of these great new features in action register for our webinar on December 3rd, 2020.

Ryan Richter Joins Chocolatey as Support Engineer

Chocolatey News Team — Mon, 17 Aug 2020 00:00:00 GMT

We are excited to announce that Ryan Richter has joined the Chocolatey team as a Support Engineer!

Ryan as a young kid was always tearing into something. Be it working on cars in the garage or later building computers and writing code in college.

Ryan has worked in technical support roles for most of his career, mainly within the educational sector. He started as a student computer technician at his local college, and later led the support team for an educational services MSP before joining Chocolatey.

Ryan says, "I've always gotten the greatest joy out of helping others learn new things, it's incredible to see the spark you can light in someone through helping them learn a new skill or tool."

When Ryan isn't battling the support ticket queue you can find him out playing a round of golf, wrenching on cars, and collecting movie steelbooks.

He will be based remotely in Baltic, Ohio, USA

Announcing Central Management Deployments - Manage Simple or Complex Scenarios with Ease

Chocolatey Team — Thu, 21 May 2020 00:00:00 GMT

We are gearing up for the 3rd release of Chocolatey Central Management (CCM), and this one will include an amazing feature that many of you may have been waiting for - managing endpoints with a full Chocolatey solution! We are really excited to share with you what Central Management Deployments will offer and how you can get your hands on it!

{/* TOC depthFrom:2 */}

Join Our Webinar!
Why Did We Create Central Management Deployments?
What is Central Management Deployments?
What Does Central Management Deployments Look Like?
More to Come
When Can I Get Deployments?

{/* /TOC */}

Join Our Webinar!

We are doing a webinar on June 23rd, 2020. Reserve your spot now and we'll see you there! We may even have a special surprise to share at the end.

Can't make it? Missed it? Don't worry, we have you covered - it's being recorded and will be available soon after the presentation. Follow the same link to access the recording after the webinar has ended.

Why Did We Create Central Management Deployments?

We often hear from Windows System Engineers that they are looking for a simple and easy way to manage Windows endpoints that offers advanced functionality when they need it. As Chocolatey Software has been a leader in Windows automation for over nine years, it was a natural progression to offer a simple and intuitive solution for managing remote Windows endpoints, especially given Chocolatey’s guiding principle of making hard concepts approachable.

What prompted Chocolatey Software to create a solution for managing endpoints, and why was it the number one feature request?

In working with System Engineers, we found folks are looking for a solutions that is:

Simple - Simple to learn and use
Secure - Modern security practices demand modern approaches
Efficient - Should not wait hours and hours on the system
Advanced - Able to handle advanced scenarios
Conventions - Handles defaults for most scenarios, but overridable
Multiple Step Targets - Able to work with multiple steps across possibly different computer endpoints at each step
Low Maintenance - should not require heavy architecture and should be easy to maintain
Scalable - Able to easily scale when necessary
Capable of Managing All Software - Not all software comes w/installers, but all software can have security findings.

There are existing solutions out there that for one reason or another have fallen short of expectations:

Some require specialized training
Some are overkill for organizational needs
Simpler solutions don't fully support more advanced scenarios when they are needed
Even when those solutions are implemented correctly, they still cannot manage all Windows software without Chocolatey

To draw on the last point a bit more, almost every endpoint management solution out there only reports software inventory based on what is listed in Programs and Features. We've found that software listed in Programs and Features only accounts for about 50-80% of the software that is being managed on Windows machines. With Chocolatey, you can manage 100% of the software you need to deploy. Security conscious organizations need to be able to report on and manage 100% of things that can have security findings.

What is Central Management Deployments?

We are excited to add Deployments to Chocolatey Central Management (CCM). This will enable teams to securely manage endpoints w/PowerShell scripts and states of Chocolatey packages directly. The CCM web interface helps with easy set-up, management, and reporting on deployments to endpoints. This will be part of the Chocolatey for Business (C4B) offering and current customers will be able to take advantage of it when released.

Central Management (including Deployments) provides a fantastic set of features that give organizations complete software management. Organizations using configuration management (like Puppet, Ansible, Chef, etc) will find that Central Management is complementary to what they provide. While configuration managers do really well with ensuring state and correcting configuration drift, when it comes to orchestration (especially cross machine), configuration management is quite limited. CCM Deployments provides IT teams the ability to easily orchestrate simple or complex scenarios in a fraction of the time over traditional approaches.

With the initial release of CCM Deployments, you will find the following functionality:

Create target groups to deploy to
Create a deployment with one or more steps
Each step can target multiple groups, and different groups in each step if desired
Script a Chocolatey package
With additional permissions, run a full PowerShell script instead
Choose how failures in each step are handled
Reorder steps
Control permissions on who can deploy Chocolatey packages and who can run full scripts
See progress on active deployments
View logs for computers that executed a deployment step
Report on completed deployments including exporting to PDF for sharing with executive staff

With multiple steps being able to target different groups, Deployments really enables you to manage complex scenarios when you need to. As an example if you have a website with a database backend, you may need to take the site offline first and upgrade the database before you upgrade the website. This is easily achieved with CCM Deployments.

What Does Central Management Deployments Look Like?

Let's go through a quick preview.

Top Level Deployments Screen

Coming into the the Deployments section of the site, you are greeted with different sections.

The sections are:

Drafts - these are deployments that are still being created and are not ready to be used
Ready - these are deployments that are ready to go, they are just waiting to be started
Active - these are deployments that are currently executing
Completed - these are deployments that have finished, with whatever status they might have ended up in

Creating And Editing A Deployment

If we have a deployment that is in draft/ready status, we can look over the aspects of it:

If we want to edit any of the steps for a deployment that has not been activated, we bring up that step and take a look at the different sections. The script side has basic and advanced types. This is basic:

Note the advanced items (which are not expanded by default):

Execution timeout in seconds - how long to let the command run before timing out? Defaults to 4 hours.
Valid exit codes - what exit codes indicate success? Defaults to 0, 1605, 1614, 1641, 3010.
Machine contact timeout in minutes - how long to attempt contact with a computer before timing out. This is set at 20 minutes in the first release. In a future release we'll allow you to configure this, but this is set by default in this release.
Fail overall deployment if not successful - Should the deployment status show failed if this step is not successful? Defaults to true.
Only run other deployment steps if successful - Coupled with the previous item, should the deployment stop if this step is not successful on every computer? Or should it execute other steps? Defaults to false.

If you have additional privileges, you can make/edit advanced scripts:

Note there is a section with script tips that is not expanded in the image above (Show script tips). Some folks are experts at writing PowerShell and other folks may need a refresher from time to time.

Once we've decided on our script, we need to target groups/collections of computers:

Reporting

When we move a deployment to active, it will begin to run and we can start seeing the details of the deployment as it progresses:

We can drill into the details of a particular step: <div class="text-center"><img class="mb-3" src="https://img.chocolatey.org/chocolatey-for-business/CCM_Deployments_Reports_StepDetails_SM-lg.png" alt="View Deployment Report - Deployment Step Results" title="View Deployment Report - Deployment Step Results" /></div>

Note that the log comes back for each computer in a step. If there is an error we can open up the log and go right to each error the system detects: <div class="text-center"><img src="https://img.chocolatey.org/chocolatey-for-business/CCM_Deployments_Reports_ErrorLog_SM-lg.png" alt="View Deployment Report - Step Computer Log Details" title="View Deployment Report - Step Computer Log Details" /></div>

More to Come

As you can see, the initial release of Central Management Deployments has a lot to offer! Deployments serves as the foundation for many other things we want to light up with Chocolatey Central Management (CCM), and we have some future enhancements we'll be adding to Deployments itself as we move into future release phases for CCM.

We're also enhancing the documentation for CCM, including supporting materials and videos, and hope to share that with you soon!

After everything releases, we'll rev the version of Quick Deployment Environment (QDE) to include CCM w/Deployments so folks will have another way of getting up and running quickly.

When Can I Get Deployments?

The timeline for release is early to mid-June, with betas going out to select customers soon. Reach out to your Chocolatey Software representative for more details. If you are not a current customer, you can also reach out to our team to get started. We are excited to get it in your hands!

One Billion Installs!

Rob Reynolds — Tue, 19 May 2020 00:00:00 GMT

Wow. We are blown away we've reached this point - all we can say is that we have a wonderful community that really works hard to ensure great software selection and packages! We started this all over 9 years ago and at the time we had no idea it would grow into what it is today. Thank you folks for all the years of support and getting us to this point.

On Sunday morning the community repository quietly rolled over into tres comas of installations. Yes, the community has reached a billion installs (that is billion with a "B") from the Chocolatey Community Repository. If we were not anticipating the event, we might have missed the notice. We quickly captured this screenshot to note the change over:

And if you check now (scroll down a little on the home page), you would see that a couple of days have passed and the community is already up by almost 3 million more installs? We did a post at five years and at the time we were up to 36 million installations. If my math is correct, in the last 4+ years we've jumped up by 964 million! That is an almost exponential upward curve to look at compared to the first 5 years! It's really been something to watch our community take off like it has and we thank you for it! We've been working on some things in the background and we've stared sharing more of them, stay tuned as we continue to make some exciting announcements!

How to Deliver Work From Home in Unprecedented Times with Chocolatey Self-Service Anywhere

Mukesh Sharma — Tue, 05 May 2020 00:00:00 GMT

Important

The customer success team at Chocolatey is helping teams use Chocolatey Self-Service to deliver Remote Work during the COVID-19 pandemic.

We wrote this article to share what we've learned with our customers, in case you can use this information to get the best out of Work From Home (WFH) arrangements.

This won't help keep your dog quiet or the kids focused on their home schooling, but it might help you and your colleagues have the right tools to be productive while locked down at home.

We're all in this together and we'll keep sharing best practices that we discover with our customers and community.

There's lot of information here and we appreciate not everyone has time to read all of it, so we wanted to get straight to the point:

Work From Home is new for many previously office-based users, their IT support and their business leaders.
Even if some staff are seasoned WFH pros, having to suddenly change to WFH puts pressure on people, process and technology.
Delivering an effective WFH capability is technically challenging.
We'll show how Chocolatey customers are using the Self-Service feature to get the top productivity apps into the hands of users.

You can also skip straight to the "How" section to get started.

Get help directly from Chocolatey:

Contact Chocolatey
Visit the Community </div>

About This Article

Chocolatey's tools for packaging, distribution and management of Windows software is built by and for people solving everyday IT problems. There's no bigger problem today than the worldwide COVID-19 pandemic, and the business response has been to ask individuals to implement Work From Home -- wherever they can.

Chocolatey for Business (C4B) customers are using the Self-Service capability to overcome the challenges and deliver work from home. We wanted to share our learnings from our customers' experience to help others.

This information has been put together primarily for IT Managers and Systems Administrators who are responsible for enabling Remote Working / WFH using Microsoft Windows software. However, it's also informative for the end-users who are Working From Home and the business leaders who are accountable for delivery. If everyone knows what's possible, collaboration is easier.

What You Will Get From This Article

We want this article to be as helpful as possible so we have split it into four sections so you can quickly find the most appropriate information:

Lorem ipsum	Lorem ipsum
What's your situation?	We describe the situations that our customers are experiencing with COVID-19 and WFH.
Challenges ahead	What are the pitfalls, problems and common challenges with setting up software and devices that use Microsoft software for Remote Working.
Using Self-Service	Inform you about how our customers are using Self-Service to solve some of the technical Work From Home challenges.
Action plan	Give you an action plan for how to deliver Remote Work/Work From Home with Microsoft Windows and Chocolatey.
</div>

We'd Love Your Feedback

We warmly welcome questions, feedback and comments that can improve what we do so we can help others.

<ul id="how" class="list-circle list-circle-success-fade list-circle-md"> <li class="h3 list-circle-content-1">How Work From Home is One Answer to COVID-19 Lockdown</li> </ul>

The global community is working together to prevent further spread of the COVID-19 virus. This is having an unprecedented impact on lives and livelihoods, resulting in national lockdowns and closure of business locations.

In response, organizations, their IT staff, end users and leadership are entering into new working practices to move from office-based work to Remote Working / WFH where possible. Questions we are hearing include:

<ol class="list-circle list-circle-counter"> <li>What tools do I (as an end-user) need to work from home?</li> <li>What tools do I (as a leader) need to give to my staff so they can be productive and safe at home?</li> <li>How do I (as an IT admin) get the right tools to the right people at home?</li> </ol>

Work From Home isn't as simple as just surfing the internet at home.

Business as Usual for The Seasoned Professionals

For some Work From Home is long-established business as usual.

Highly technical staff such as, advanced technical support and application developers have been working from home as standard for years, as have freelancers and others.

These old-hands at WFH have the culture, process and tools already established. They are used to doing everything online: video conferencing, messaging, document collaboration. They have the right tools, environment and already setup i.e laptop, software, good home wifi and a quiet working location.

Not everyone is a deeply technical and seasoned WFH professional.

WFH is a Jarring Experience for Many

The sudden move to WFH can be a new experience for staff that are normally office-based, as well as the IT systems administrators that have to enable WFH. Their business leaders are seeing their steady-state world tumble down a mountain-side.

"COVID-19 is shaking up the business organizations across the world, and the answer to this is doing IT in a different, more WFH, way."

What We've Heard from the Chocolatey Community and Customers

At Chocolatey, we work every day to support organizations to improve their IT through our Microsoft Windows application packaging, distribution and management.

Over the past few weeks we have increasingly and urgently witnessed a number of real challenges to providing WFH.

<ul class="list-circle list-circle-success-fade list-circle-md"> <li class="h3 list-circle-content-2">Understanding the Technical Challenges to Delivering Work From Home</li> </ul>

For the technical challenges of delivering work from home -- sometimes for the first time -- there are three key groups affected.

<ol class="list-circle list-circle-counter"> <li> #### How End-Users are Impacted by Work From Home If you've always done the daily commute and worked at a desk in an office, it can be a big shock to be suddenly working from home.

  Aside from the big changes in lifestyle, there are technical challenges to help end-users work from home, getting the right tools to the right person.

  Typical challenges the end-user will face are:

  <ul class="list-style-type-disc mb-3">
    <li>Do I have all the tools at home that I normally have at the office?</li>
    <li>If I have the tools, do they work the same, or are they slower, or not fully functional?</li>
    <li>How do I avoid downtime at home without the reliable office network?</li>
    <li>How do I get the tools I need if I don't have the bandwidth for lots of downloads?</li>
    <li>What if I don't have the technical skills to install the work from home tools?</li>
    <li>What if technical support is too busy to help me be productive?</li>
  </ul>

  Shifting from the office to home raises a number of challenges to end-users, impacting their productivity. Not having the right software, and having problems getting the right software, slows teams down.

  To compound the end-user challenges, they often find their own IT Support is unresponsive.  This unplanned WFH event has caught them without the resources and tools and they are struggling.

</li> <li> #### IT Staff Struggle to Cope with the New Demands Under Time-Pressure COVID-19 wasn't planned and it happened very quickly. This gave IT staff little time to build and test an effective and efficient work from home rollout, or hire more resources to help them.

  And now, much like panic buying in the shops has led to shortages  of essentials, there is a shortage of spare IT equipment for work from home end-users and no time to hire more technical staff to help.

  Anecdotes we hear from IT staff:

<ul class="list-style-type-disc mb-3">
  <li>Immediate purchase of hundreds or thousands of new devices that all required configuration and software</li>
  <li>Small IT teams don't have the bandwidth to provision all the new setups</li>
  <li>IT teams not used to Remote Working don't have the skills or know-how</li>
  <li>Process, procedures and tools for WFH don't exist</li>
</ul>

  The blast radius of COVID-19 on the IT department is large. It not only directly affects IT Admins and Help Desk, it also impacts Security and Service Management staff. **How can IT ensure their governance processes are still effective when staff and technology has been distributed beyond the office perimeter?**

</li> <li> #### Business Leadership Juggle Productivity, Cash Flow and Risk

  As if the business environment wasn't damaged enough by COVID-19 with revenue drying up, demand crashing and suppliers failing, now the human lockdown is driving productive staff out of the office to work from home.

  While all responsible and right-minded leaders will embrace and support work from home, it doesn't mean they can ignore the challenges it brings. They are still responsible for governance and risk management of the business.

  Typical comments we hear from leaders:

  <ul class="list-style-type-disc mb-3">
    <li>Do our WFH staff have the right tools to keep business and the value stream operating in times when revenue is under severe pressure?</li>
    <li>Are we supporting our WFH so they feel empowered and trusted?</li>
    <li>Are WFH users using properly licensed software?</li>
    <li>Is our data secure outside of the office?</li>
    <li>Is there a risk of shadow IT and cutting corners because IT can't respond effectively?</li>
  </ul>

  Leaders have often felt more secure when the workers, process, applications and data are on-premises. This has always been more a feeling than fact. Those that have been working from home successfully for years can attest to this.

  However, if an organization cannot successfully deliver work from home then the feelings will become fact that "Work only works in the workplace". This is not a satisfactory outcome because **during the COVID-19 lockdown work from home MUST succeed.**

</li> </ol> <div class="table-bordered table-striped table-w-50">

KEEP THE WHEELS TURNING	DON'T LET WHEELS FALL OFF
Support people to be productive	Ensure governance and compliance
Keep revenue coming in	Avoid data breaches and bad PR
</div>

One of the technical answers to this corporate culture shift for Chocolatey for Business customers is to use the Self-Service module:

Get the right tools at the right time (now) to the right people at home.

</div>

<ul class="list-circle list-circle-success-fade list-circle-md"> <li class="h3 list-circle-content-3">How Chocolatey Customers are Using Self-Service to Deliver Work From Home</li> </ul>

Deploying software to remote desktop and endpoint devices is not always easy, especially in highly regulated and locked down environments. This can be even more challenging if you don't have the skills or your IT team is overworked.

It's not optional for the business to ensure that work from home staff have the most up to date software deployed to their desktops.

Self-Service Anywhere allows non-administrators to easily access and manage IT approved software from the office, from home, or anywhere they have an internet connection.

Self-Service and Enhanced User Experience

You want staff to get the tools they need to do their job, but you don't want work from home users to start installing their own software, often downloaded straight from the internet, and storing sensitive corporate data in unsecured applications. But this is what can happen -- and it's called Shadow IT -- if they don't get prompt support from corporate IT.

End-users expect the Apple experience. Software should be deployed to them with no 'admin rights' even in highly regulated & locked down environments. They demand a user-friendly, consistent, reliable approach without the need for manual intervention or by waiting in a queue for help from central IT.

The compromise is to offer an consumer-grade App Store experience from within your organization, and that's what Chocolatey for Business Self-Service is for.

Self-Service Installations for Non-Administrators

End users working from home shouldn't require any technical skills or assistance to install any software, but the software they use must be secure otherwise corporate data is at risk.

There's a reason why hackers are increasing their phishing activities in the hope that insecure home users will drop their guard and be easy pickings beyond the corporate perimeter.

IT Staff use Chocolatey for Business to give work from home end-users the following:

Software is deployed and updated to users with no 'admin rights' and in highly regulated locked down environments.
End-users have an interface to install and upgrade software.
The software process is user-friendly, consistent, reliable approach without the need manual intervention.
Behind the scenes there is still central management and control aligned with organizational policies. Endpoint users can only deploy software based on policies and user rights (i.e self-service marked packages).
Software installed by C4B is completely locked down so non-administrators cannot make changes to configurations. Attempted abuses can be logged and audited.
Organizations can customise the look and feel with their own corporate branding.

<ul class="list-circle list-circle-success-fade list-circle-md"> <li class="h3 list-circle-content-4">Your Six-Step Action Plan to Deliver a Better Work From Home Experience</li> </ul>

Given the situation we are all in with COVID-19, the challenges we all face and with Chocolatey Self-Service being one of the technical answers to getting the right tools into the hands of working from home end users: how do they do it?

<ol class="list-circle list-circle-counter"> <li> #### Provide a Computer or Securely Reuse a Home Device This is essential but can be problematic as there is a shortage of laptops and computers due to the unprecedented and unplanned demand for home working.

**Chocolatey can help distribute software securely to corporate and non-corporate devices.**

</li> <li> #### Implement Modern Infrastructure to Support Remote Workforce Leveraging automation and a more DevOps approach will help IT teams accelerate deployments and enable users faster.

**Chocolatey has developed a [Quick Deployment Environment](https://chocolatey.org/docs/quick-deployment-environment) based on infrastructure architecture recommendations. Available as Microsoft Hyper-V or VMware (and convertible to other formats) that can have teams up and running in approx 2 hours.**

</li> <li> #### Make Sure the Home Worker has Good Internet Access Even mobile phone tethering is pretty good these days with 4G access, where available. Let users expense their wifi and internet costs.

**Chocolatey can help with low bandwidth with its low-bandwidth-friendly compression and caching for software distribution.**

</li> <li> #### Distribute New Apps for New Working Practices Give your staff the latest tools for chat and video conferencing and new guidelines on how to use them so that they aren't constantly interrupted.

**Chocolatey has prepared a [Quick Deployment Environment](https://chocolatey.org/docs/quick-deployment-environment) with pre-installed key productivity application packages. Additional application packages can be easily added.**

</li> <li> #### Dedicated Workspace Make sure you have a quiet place to work where kids aren't building lego spaceships or eating/distributing porridge :smile:

**Chocolatey is not likely to help you in this department unfortunately.**

</li> <li> #### Have a Strict Routine There are lots of tips and tricks from seasoned work from home veterans on LinkedIn and Twitter that we don't need to repeat.

**What Chocolatey can promise is that if it's managing your software for you, then it won't disrupt your new routine or hurt your productivity.**

</li> </ol>

Final Thoughts & Next Steps

After the first few weeks of working from home, some organizations have easily slipped to normal operations with their teams continuing to work in a productive fashion. However on the other hand, there are organizations that are beginning to see the cracks in their remote working approaches, and now recognize that they need a more scalable and secure solution. Either way it's beginning to feel like remote working could be the new norm for most of us, and ensuring a more consistent and robust approach will form part of IT planning.

If you're an existing Chocolatey for Business customer please complete this form and we can help you get set-up with Self-Service Anywhere and provide access to the Quick Deployment Environment (QDE) Virtual Machine.

If you're new to Chocolatey and are interested in learning more, or just want to quickly set-up Self-Service for your remote users please contact our team.

<a class="btn btn-success" href="https://chocolatey.org/contact/sales"><i class="fa-solid fa-paper-plane"></i> Get the Quick Deployment Environment Now</a>

Enable Remote Work Without Compromising Security / Quick Deployment Environment

Rob Reynolds — Wed, 01 Apr 2020 00:00:00 GMT

<hr class="mt-0 mb-3 w-75 mx-auto" /> <h4 class="text-center mb-0"><i>"How do you enable remote workers without compromising security?"</i></h4> <hr class="my-3 w-75 mx-auto" />

I don't start this off lightly. We are in unprecedented times. If someone told me a little over a month ago that near all businesses across the world would suddenly be working from home due to a pandemic, I wouldn't have believed you. Neither would half of the population. You probably wouldn't have believed it. You probably find it hard to believe even still.

Yet, thousands of us are now working from home. And we don't know for sure when we'll all be back in the workplace. You may have now found yourself suddenly supporting all of those work from home coworkers and are finding the infrastructure that worked in those in office scenarios suddenly lacking. You may suddenly be operating with reduced staff and still need to provide the same level of support to your coworkers.

Now you are looking at what options you have. You have a few concerns to think about. How to enable your new remote workers and how to keep the software they are using up to date to avoid any security issues, especially considering that they may be working in less secure networks than you had inside the workplace.

How do you enable these semi-connected or disconnected experiences without losing out on security?

Self-Service Anywhere

As part of the current pandemic, Chocolatey Software is responding in a number of ways. One of those ways is to enable organizations like yours to implement more modern infrastructure that better supports a remote workforce.

Chocolatey's recommended and proven architecture has maximum flexibility to support not only workers in offices across the globe, but can also support remote workers with ease. With Chocolatey, you can keep your coworkers up to date and protected. You can protect your infrastructure, and you can ensure that it's mostly business as usual throughout this time.

One of the best ways to protect those laptops is to remove that administrative privilege so that even if someone did get access to it, they could do little damage. Chocolatey even has an answer here that will not put an undue burden on you in ensuring those laptops stay up to date. It's called Self-Service, which allows those folks to be able to manage software you've approved on their machines without administrative privileges. The best thing about the Chocolatey infrastructure is that you can run Self-Service Anywhere.

We've set up a solutions page specifically about this here.

Ready to Go Environment

Another thing we've done in response to this time is prepared a full environment based on our Chocolatey infrastructure architecture recommendations. Currently, it takes about two days to get everything provisioned, stood up, and ready to go - optimistically. We have prepared a Quick Deployment Environment (QDE) appliance that you can set up in Hyper-V or in your VMware infrastructure and be up and running in hours.

This will get you up and running in no time at all, with everything you need to enable your remote workers and keep them up to date. Please head to this form and fill that out and we'll be in contact with you very soon to help you.

If you are a current customer, please indicate that when you fill out the form.

Removing Support For Old TLS Versions On The Chocolatey Website

Chocolatey Operations Team — Thu, 23 Jan 2020 00:00:00 GMT

You may have noticed that support for older TLS versions is being removed from websites all over the internet. With the ever evolving security landscape and the perpetual game of cat and mouse between attackers and cryptography we need to ensure that we keep abreast of industry best practice.

Cryptography attacks are nothing new. While there are workarounds for many of them available, what they tell us is that some protocols are best left behind when there is a better way forward.

TLS 1.0 and 1.1 have been around a very long time now. But it is time to move on and remove support for these older, less secure, protocols. As a result the Chocolatey website will remove support for TLS 1.0 and TLS 1.1 on 3 February 2020.

Why are we doing this now?

While the removal of support for older TLS protocols started some time ago across the internet, we have committed to supporting out-of-the-box installs on Windows 7 SP1 and Windows Server 2008 which do not support TLS 1.2. With the Chocolatey software being installed first by many build scripts, removing support for these older protocols would have had a negative impact on our users.

With TLS 1.0 and 1.1 now responsible for less than 3.3% of traffic to Chocolatey.org and the end-of-life for Windows Server 2008 (and R2) on-premises* and Windows 7 occurring on 14 January 2020, support for these older protocols over potential security issues no longer makes sense.

* Customers using Microsoft Azure may qualify for an additional 3 years of Critical and Important security updates at no additional charge - see "end of support" for details.

What does this mean for you?

With modern browsers (such as Firefox, Edge, Chrome etc.) supporting TLS 1.2 for many years now, there should not be anything for you to do when browsing Chocolatey.org. Many major websites today have already removed support for these older protocols so if there was an issue with your browser and TLS 1.2 you would know about it by now.

While your operating system may support TLS 1.2 it's important to remember that it may have to be enabled. If you are working from PowerShell you can find out which protocols your system supports by running this code:

[Enum]::GetNames([Net.SecurityProtocolType]) -contains 'Tls12'

If the result is True then your system supports TLS 1.2. You can find out which protocols are being used by running:

[System.Net.ServicePointManager]::SecurityProtocol.HasFlag([Net.SecurityProtocolType]::Tls12)

If the result is True then TLS 1.2 is being used . However, you can add TLS 1.2 explicitly by using:

[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

You can find more information on this blog post around working with TLS 1.2 in PowerShell.

If you are using the Chocolatey Client, choco.exe, then all versions from 0.10.1 support TLS 1.2 without any additional configuration noted above (provided you have at least .NET 4.5 installed as well - you may also need KB2919355 installed depending on your operating system). If you are using an older version then it is time to upgrade. The current version is 0.10.15.

Provisioning Older Machines?

If you find yourself provisioning machines such as Windows 7, Windows Server 2008, or older, you will find that those machines will not be able to communicate with the Chocolatey Community Repository after we implement this change. For those instances, you will need to use alternative installation methods for Chocolatey. We strongly recommend using the offline Chocolatey installation as it provides the most flexibility and reliability.

Conclusion

We understand that this change may put additional burden on a very small set of our user base. Given the number of major web sites who have already gone through this change we anticipate that the burden will be small. However, if you have any questions or concerns related to this announcement, please do not hesitate to contact us using the means are available to you depending on your edition - you'll find these contact methods listed on the support page.

Chocolatey Community Repository - Service Interruptions

Chocolatey Team — Wed, 15 Jan 2020 00:00:00 GMT

import Callout from '@choco-astro/components/Callout.astro';

If you are a regular user of the Chocolatey Community Repository, no doubt in the last few months you will have noticed that from time to time there were issues. You may have even ventured over to our status page and read over details of those issues. If you haven't noticed anything, well that has to do with the intermittent-ness of the issues.

<Callout type="warning"> The direct use of the Chocolatey Community Repository is not recommended for organizational use. We recommend that you put in place a caching mechanism through the use of a “virtual repository” and cache packages when being installed for the first time. This will allow you to install a package many times without needing to reach out to the Community Repository more than once, although we recommend you look to internalize packages instead to increase reliability. You can implement a Proxy Repository including the installation of a Repository Server, such as Nexus Repository Manager v3 (or NXRM v2) which automatically caches (but does not internalize) packages from the community repository, in around 15 - 30 minutes. We have video walkthroughs for Nexus and Artifactory. </Callout>

The popularity of Chocolatey Community has been huge, and that's thanks to all of you folks out in the community getting awareness out, helping out, and contributing Chocolatey packages! However, architecture that worked well for us in the past doesn’t work well when you double the number of requests that happen every day.

A year ago we were at 30 million requests per day! Per day! That's already a big success for the Chocolatey Community Repository. Yesterday we had 60.8 million requests. We’re humbled by what this means; we’ve doubled the popularity of the Chocolatey Community Repository in one year.

What worked well at 30 million requests per day, even 40 and 50 million requests per day, just doesn't quite work the same at 60 million requests per day. So we've been seeing some issues.

Over the past few months, the Chocolatey website, as well as the Chocolatey Community Repository, have been experiencing numerous intermittent service disruptions. Users have been reporting sporadic issues accessing both these resources. We take our commitment to the Chocolatey Community very seriously and wanted to take the time to give you all some context on the growing pains we are going through, and the steps we've taken so far to work on the issues:

21 SEP 2019 - Released the redesign of our front end website - a project that had been in the works for quite awhile! Some folks voiced usability concerns and we wholeheartedly jumped in and worked to meet those concerns over the next 3 months.
26 OCT 2019 - Migrated the database from third party host to our cloud infrastructure - adding beefier infrastructure to handle the next few years of growth.
25 NOV 2019 - First noticeable issues with timeouts.
25 - 27 NOV 2019 - Applying normal maintenance, as sometimes this is all that is necessary to fix issues with timeouts.
29 - 30 NOV 2019 - After coming to the realization that we need to find new bottlenecks and fix them with the growth stage, we started to work with consultants to help look over database and health to make suggestions on what we need to do outside of changes with code we start to look at implementing.
30 NOV - 08 DEC 2019 - Work on implementing aspects of those findings and deployed changes.
08 - 22 DEC 2019 - After learning those changes were not going to hold the issues, we moved into other areas to look at and continued to work through optimizations that could be completed. Monitored closely to see if those reduced impact or worsened and took appropriate action.
23 - 27 DEC 2019 - Monitor closely and restart when issues started to occur.
30 DEC 2019 - Met with consultants again to take another look into additional areas that needed to be addressed that would reduce/remove issues.
31 DEC - 02 JAN 2020 - Implemented changes that were able to be addressed in a short timeframe.
02 JAN 2020 - Deployed changes to site and continue to monitor for issues.
02 JAN - Today - Continue to monitor closely for residual issues / optimizations that need to be addressed.

Along with what we've done so far, let's also highlight where we are going with future plans:

We are in the process of moving our infrastructure from a third party host to our cloud infrastructure, with the first phase of this completed in October 2019. Phase 2 will see the move of the rest of our infrastructure and is due to be completed by the end of Q1 2020.
While the Chocolatey Community Repository and Website have extensive caching we are optimizing this caching to catch more requests. As part of Phase 1, we have already implemented more local caching that we continue to optimize. Going forward into Phase 2 we will be implementing further caching to improve responsiveness.
In November 2018 we implemented rate limiting to improve the responsiveness of the website and it has served us well. Optimizing this limiting is an ongoing task, but we are seeing good results from this so far.
The Chocolatey API is an area where we are currently focusing so we expect to see some optimization here soon without breaking any functionality.
Along with the API, the Website is another area we’re focusing on. You can find those changes on GitHub.

The rate of the increase in requests along with the massive growth in the Chocolatey team has come together to cause the perfect storm. It’s great that our community is showing their commitment to Chocolatey by supporting us with recommendations, blog posts, packages, among many other ways.

We’re grateful to our community for all your support, and we recognize that we have not communicated with you as we should; and for that, we apologize. We hope to do a better job at that going forward.

We also want to assure you that we take these issues seriously and have plans in place to rectify them, but it will take time. We ask for your patience and understanding as we work to resolve these issues and improve our services for you all. And most of all, we appreciate all your support. Our community is committed to Chocolatey and we are committed to our community.

Lastly, we would also like to acknowledge the hard work and dedication with which the Chocolatey Development and Operations teams came together, and worked tirelessly to return the Chocolatey Community Repository to a reliable state. Our resilience through this challenge has been a great learning experience, and we are fortunate to have had this opportunity to grow.

Rain Sallow Joins Chocolatey as Software Engineer

Chocolatey News Team — Mon, 25 Nov 2019 00:00:00 GMT

We are excited to announce that Rain Sallow has joined the Chocolatey team as a Software Engineer!

Rain has been tinkering with PowerShell and C# for a few years already, but like many folks in the industry, a propensity for breaking (and fixing) technology started when they were a young child.

Rain has worked in a handful of roles, primarily tech support and IT solutions, and is keenly interested in building software and figuring out what makes it tick. She's also come to be very passionate about automating things so she can spend more time on the stuff that really matters.

In their spare time, Rain enjoys playing various musical instruments, singing, and writing code for various personal projects and interests.

She will be based remotely in Palm Beach County, Florida, USA.

Infrastructure Changes Resulting In Unavailable Services on 26 October 2019

Chocolatey Operations Team — Sun, 20 Oct 2019 00:00:00 GMT

In an effort to increase both the flexibility and stability of Chocolatey.org, we will be upgrading part of our infrastructure. This upgrade requires the website and other services be unavailable for a period of time.

On Saturday 26 October 2019 the following services will be unavailable between 3:00 and 9:00 UTC:

Chocolatey.org Website;
Community Package Repository;
Licensed Package Repository;
Package Validator;
Package Verifier;
Package Scanner;
Package Cacher;
Manage Chocolatey Packages through Boxstarter;

For all updates, and to check on progress, please use the Chocolatey.org status page.

In an attempt to mitigate the effect these changes will have, a time was chosen when use of the website and services is minimal. However, we appreciate that some will still be affected and we apologise for the inconvenience caused.

Chocolatey's Website Gets a Long Awaited Redesign!

Chocolatey News Team — Fri, 20 Sep 2019 00:00:00 GMT

Howdy! You might have noticed a few changes on the website recently. Chocolatey has grown up quite a lot since the initial design of the site and we wanted to bring a much more consistent look and feel. We looked out across the industry of websites for modern automation tools and were inspired to take a step back and a hard look at what we had. What we've come up highlights both our product and our amazing community, all on the same site!

The design is fresh, crisp, and brings many performance improvements to help you find the information you need, faster. Keep reading to learn about just a few of the key features you don't want to miss!

Where Did Everything Go?!

Here is a handy list for you to get familiar with the website navigation:

Community Packages - From the top navigation click Community > Community Packages
Documentation - To get to the Chocolatey Documentation, from the top navigation click Learn > Docs
Contact - To get to the Contact area, from the top navigation click About > Contact
Sitemap - For a quick guide to all important links on the Chocolatey website, visit our sitemap. Navigate to the bottom navigation and click Learn > Sitemap

Interactive Chocolatey Courses

You've asked for it, and now it's here! Introducing Chocolatey Courses, where you can learn everything you need to know about Chocolatey in an easy-to-consume interactive course. Each course is made of many modules, and within each module you will be tested over the material you just covered. Once you complete every module within a course, you will be awarded a digital badge. Earn badges and show them off on your profile page so everyone knows you're a Chocolatey Pro!

<img class="mb-3" src="https://img.chocolatey.org/badges/redesign-badges.jpg" alt="Chocolatey Course Badges" title="Chocolatey Course Badges" /> <a href="/courses" class="btn btn-primary">Go to Chocolatey Courses</a>

Chocolatey Videos, Case Studies, and Customer Success Stories

Along with Chocolatey Courses, we've added a Resource Library to help you find articles that may help you achieve your Chocolatey goals. In the Resource Library, you'll find Case Studies, Chocolatey Videos, Customer Success Stores, and more!

<a href="/resources" class="btn btn-primary">Go to Chocolatey Resources</a>

Community Package Repository

A Fresh New Look

The <a href="/packages">Chocolatey Community Repository</a> got a makeover! The new look features a grid view of packages, in a clean Chocolatey theme. All the same functionality still exist, only now in an eaiser to view format. At the top of each package page you'll notice a simple tabbed interface that contains commands for you to easily copy/paste for installing, upgrading, and installing.

We're excited to announce that packages have an included section for organizations as well, to really help organizations reuse packages from the community repository in recommended ways. Simply pick enter your internal repository url and copy from your chosen deployment method!

Updates for Maintainers

1. Improvements to Moderation Filtering

You've always been able to see how many packages in moderation, but now you can filter down by packages that are "Waiting for Maintainer", or "Ready for Review", etc. Click the header counts to view the packages, or drill down further with the dropdown list that appears while in the moderation queue.

2. Choose Your Default Package View

Are you a moderator who spends a lot of time in the Moderator Queue? Well, good news. Now you can make the Moderator Queue your default view, so whenever you go to the Community Packages area you'll instantly be taken to where you need to go. Changing your view is easy, simply navigate to the Moderator Queue and toggle the switch located near the search filters!

3. Legible Package Communication Area

If you are moderator/maintainer/admin you know how sometimes it has been difficult to keep up in a conversation of a package. Now, each comment is broken down and organized in a way where you can easily get to the information you need and respond appropriately.

4. Show/Hide All Files

Other Changes are Coming

Documentation - We are working on making the documentation much more consumable to allow you to easily find what you need and get the proper information, with the proper context to you in a much more approachable format.
Better Moderation Flow - We'll be streamlining some of the moderation flow.
Updated Infrastructure - We've nearly outgrown our current infrastructure and we'll be making some long-planned for changes that ensure better availability and uptime.

And these are just the more near-term changes! Stay tuned, as we have some more interesting things under wraps that we think you are going to love!

Adil Leghari Joins Chocolatey as Solutions Engineer

Chocolatey News Team — Mon, 05 Aug 2019 00:00:00 GMT

We are excited to announce that Adil Leghari has joined the team as a Solutions Engineer in a full time capacity. Adil has been a member of the PowerShell community for some time.

Adil has been a Senior Systems Analyst at a large Public Sector University, and brings his 15+ years of SysAdmin experience to his new role. He has helped maintain a large fleet of cross-platform VM applications and infrastructure, and has specialized in Configuration Managers like Ansible.

Adil has been a long-time Chocolatey Open Source user, and has used it to set up most of his personal computers for many years. He has also explored Chocolatey for Business with a private repository as an option at his previous employer.

Adil is super-passionate about PowerShell and automation. He is a co-founder of the Pacific Northwest PowerShell User Group and is an active member of the PowerShell Community server on Slack and Discord. When not working at Chocolatey, he enjoys long walks on the beach, candlelit dinners, and designing stickers.

"I have always enjoyed helping people solve hard problems with tools like PowerShell, Chocolatey, and Automation/DevOps in general", says Adil.

Adil will be based remotely in Vancouver, British Columbia, Canada.

Chocolatey Fest Will Return in 2020

Chocolatey Events Team — Sat, 27 Apr 2019 00:00:00 GMT

Last year we had a very successful Chocolatey Fest (aka WinOps SFO). Chocolatey Fest 2018 was an amazing event and we want to put on more WinOps-focused conferences, including making Chocolatey Fest a multi-day conference.

During planning for 2019, we decided to make this a year of strong focus in delivering value to our products and customers, which means that Chocolatey Fest will be back in 2020.

Find Us At These Conferences

While we are not hosting a conference this year, you will find us at the following conferences:

PowerShell Summit (Seattle, WA, USA) - April 29-May 2, 2019
ChefConf 2019 (Seattle, WA, USA) - May 20-23, 2019
PowerShell Conference Europe 2019 (Hannover, Germany) - Jun 4-7, 2019
WinOps London (London, UK) - Dates TBD (September 2019)
Puppetize PDX 2019 (Portland, OR, USA) - October 9-10, 2019
Microsoft Ignite (Orlando, FL, USA) - November 4-8, 2019

Stop by and say hi, get some free swag! If there are other automation-focused conferences you would like to see us attend, please let us know in the comments!

Stephen Valdinger Joins Chocolatey as Senior Technical Support Engineer

Chocolatey News Team — Sun, 27 Jan 2019 00:00:00 GMT

We are excited to announce that Stephen Valdinger has joined the Chocolatey team as a Senior Technical Support Engineer!

Stephen has been breaking things that plug into the wall since he was a child, and eventually learned how to fix them and turn it into a career.

Stephen has worked in a variety of roles from Helpdesk to IT Analyst, in a variety of environments, and is well versed in the unique challenges that come with implementing technology solutions in each. He's also come to be very passionate about automating things so he can spend more time on the stuff that really matters.

In his spare time Stephen enjoys getting to the family farm, getting splinters making things out of wood, and hitting golf balls onto the wrong fairway.

He will be based remotely in New Philadelphia, Ohio, USA.

Chocolatey Fest Less Than a Month to Go!

Chocolatey Events Team — Wed, 19 Sep 2018 00:00:00 GMT

Chocolatey Fest aka WinOps.org San Francisco is less than a month away! This year’s inaugural user conference, the first of its kind in North America focused on DevOps on Windows (WinOps), Chocolatey and related technologies, takes place October 8th, 2018, at the Park Central Hotel in San Francisco, California.

We’ve got a great lineup planned for you, with keynotes, track sessions and workshops centered around the topics our community cares about: automated testing and deployment, infrastructure as code, containers, security, saving time, and more.

Plus you’ll get to meet the people behind Chocolatey, and network with WinOps experts from companies like Facebook, Microsoft, Red Hat, Yelp, and others!

Maybe you’re already convinced you should attend, but your manager may need some persuading. Use the letter below as a starting point, and personalize as needed.

We are excited to see you at Chocolatey Fest!

Template - Chocolatey Fest Manager Approval Letter

Subject line: Please send me to Chocolatey Fest this October

Dear [Boss],

As our team has discovered, automation and other DevOps practices aren’t just for Linux shops; it’s increasingly important for Windows teams too. We’ve already seen some success with [name a recent automation project/initiative], and now we need to turn our attention to [name an upcoming initiative/goal].

Chocolatey Fest, a Windows automation conference in San Francisco on 8 October, can help provide the education and best practices we need to reach that goal. The conference brings together WinOps experts from Facebook, Red Hat and Yelp — companies that are leading the way when it comes to Windows automation — and highlights how their teams have use Chocolatey and related technologies to increase time to value, reduce errors, and improve security.

A ticket to Chocolatey Fest includes:

A full day of sessions on Windows automation, infrastructure as code, testing, security, and more.
Conversations centered around tools we already use (and some we’re considering), like Chocolatey, Vagrant, Docker, Puppet, Chef, Ansible, Azure, AWS and others.
An evening Hackathon with workshops centered around Docker on Windows, and best practices for deploying Chocolatey.
Networking with other sysadmins, architects and developers who are tackling some of the same challenges that we are.

The conference ticket costs just $250, and the Hackathon is free. With travel and accommodations totaling [fill in cost], the all-in cost would be [total]. With everything I would learn, that would have a value to the company above and beyond because I could do [fill in some automation needs], that would save the company [savings] over the next year!

I hope you’ll agree that Chocolatey Fest is a worthwhile investment for our company and that you’ll approve my attendance at this year’s event.

Thanks, [Your Name]

Stephanie Hays Joins Chocolatey as Front-End Web Developer

Chocolatey Events Team — Mon, 17 Sep 2018 00:00:00 GMT

We are excited to announce that Stephanie Hays has joined the Chocolatey Team as a Front-End Web Developer!

"I'm excited to have Stephanie join us at Chocolatey Software. Her unique talents compliment the team well and brings a better user experience to a world that is heavily into automation." said Rob Reynolds, Founder and CEO of Chocolatey.

Stephanie is new to the Chocolatey community, but has served as a Front-End Web Developer for the last 4 years before joining the Chocolatey Team. Stephanie has a knack for designing beautiful, user-friendly, and fast websites.

Many people refer to Stephanie as a "Wizard at CSS and Javascript". Focusing most of her work around the Bootstrap library, she is able to modify and create unique individual looks while retaining universally understandable code.

Efficiency and speed is key in the Chocolatey world, and we're pleased that she takes great joy in seeing just how small and fast she can make a website by utilizing the latest optimization tools (As reputation goes, she'll slash a website by at least a third of its size!).

Stephanie has always had an eye for design. Her love for web development started several years ago when she took an intro to web design class. Since then she has started a few small businesses, but realized it was the process of getting a website up and working that she actually enjoyed the most.

"It clicked in my head one day that I wanted to be a Front-End Web Developer. The process of choosing a color palette, designing a logo, creating a website mockup, and then making that all come to life with code- It all just makes sense to me. It really is my passion!"

One of many projects Stephanie looks forward to the most is implementing UI updates to chocolatey.org.

"I can't wait to dig in and redesign chocolatey.org! There are several components of the website that could use some updated UI design. I'm ready and up for the challenge!"

Stephanie will be based remotely near Wichita, Kansas, USA. Her cat, Miesha, also assists in website design, so you may see her meowing around. Stay tuned for exciting new updates to the look of Chocolatey in the upcoming months!

Paul Broadwith Joins Chocolatey as Senior Technical Engineer

Chocolatey News Team — Wed, 11 Jul 2018 00:00:00 GMT

We are excited to announce that Paul Broadwith, long term member of the Chocolatey community, has joined the team as a Senior Technical Engineer.

"Paul has been a force in the community, doing great things with the community repository in package maintenance, moderation, and support in helping bring new folks up to speed. I'm excited about Paul as he is going to bring some much needed structure to our back end infrastructure and processes which will help us continue to grow!" said Rob Reynolds, Founder and CEO of Chocolatey.

Paul's journey with Chocolatey started back in 2015 when he was using Chocolatey to keep his own personal computer up to date. Like most people, the chore of updating everything manually lead to it simply not being done often enough. And that's where Chocolatey clicked for him. It scratched that itch of automating software updates.

In his long IT career, Paul has focused on two important goals - automation and sharing knowledge. He quickly started creating his own packages, helping out others and answering questions in the Chocolatey Community Chat channels and mailing lists. The Chocolatey team welcomed him soon after, as a moderator for packages submitted to chocolatey.org.

With 26 years IT experience under his belt, Paul started in IT at a time when you could know everything 'IT'. But today he focuses on Windows and Linux infrastructure, Active Directory and his new passion, PowerShell.

"Joining Chocolatey Software is a dream come true for me" said Paul, "As a long time user of Chocolatey I am excited to see how I can help it grow and help others get the most from it."

Paul is the founder of the Scottish PowerShell and DevOps User Group and is an active member in the PowerShell and Open Source communities. He will be based remotely just outside of Glasgow, Scotland.

Chocolatey Fest - Chocolatey's inaugural conference on Windows automation (WinOps) is coming this October!

Chocolatey Events Team — Fri, 15 Jun 2018 00:00:00 GMT

It’s been a big year already for Chocolatey Software! We've expanded our staff, we're launching our Chocolatey Central Management for Chocolatey for Business, and have started a philanthropy for giving back to our community. We were also officially recognized by Microsoft at the recent Microsoft BUILD 2018 conference and now Microsoft is participating/collaborating in our community! Details on all those exciting areas are going to be coming out in the coming weeks, but we wanted to take a moment to give you a heads up about what we have in store that is really the Chocolatey icing on the cake!

We're excited to officially announce that Chocolatey Fest 2018 is coming to San Francisco on October 8, 2018. We’re bringing that Chocolatey goodness to Park Central Hotel near Union Square, and we hope you’ll join us. Chocolatey Fest will be the first ever independent conference in North America focused exclusively on Windows automation (WinOps)!

Even as a one day event this year, Chocolatey Fest promises a packed schedule, including keynotes on the future of WinOps from Chocolatey Software and organizations focused heavily on Microsoft Windows automation. Come to learn about WinOps as it relates to areas such as infrastructure as code, testing your infrastructure, and the future of where the industry is going. Come to meet other folks focused in Windows automation and some of the exciting things they are working on. Windows automation is at a really exciting turning point and you are right in the middle of it! It's likely you will hear talks and be involved in discussions featuring technologies such as Vagrant, Docker, Puppet, Chef, Azure, AWS, Ansible, and others.

Your time (and budget) is limited, and we know you have to make decisions when it comes to which conferences you attend each year. What sets Chocolatey Fest apart? We have a tight-knit community of engineers - together we’re building the future of Windows automation, and finding ways to make our work scalable, secure, and fun again. Who knows? You may even find Willy Wonka at Chocolatey Fest!

Of course, it doesn’t hurt that our ticket price is more competitive than most. Plus, if you’re among the first 50 registrants, you’ll save 20%.

Get your Golden Ticket now!

Your ticket includes access to all keynotes, presentations and meals, and an optional evening hackathon and workshop. Plus, you’ll get a chance to catch up with friends and meet members of the Chocolatey and WinOps community and Chocolatey Software's team.

Speak: Help make Chocolatey Fest even sweeter

Interested in speaking at Chocolatey Fest? If you’re already using Chocolatey or have a strong point of view on Windows automation, please consider submitting a talk proposal. We’re particularly interested in talks about:

Chocolatey and related automations with open source and commercial editions
Integration with Puppet, Chef, Ansible, PowerShell DSC, Salt, and other configuration management solutions
Integration with SCCM, LanDesk, ConnectWise Automate and other endpoint management solutions
Managing Repositories with Artifactory, Nexus, ProGet and other package repositories
Vagrant, Docker and other types of virtualization/containerization
AWS, Azure, and other cloud-based solutions

Submit your proposal now!

Call for sponsors

We couldn’t pull off such a great event without the help of our sponsors, and we’d love to count your organization among them.

Sponsor Chocolatey Fest

Join us!

Mark your calendar now - Chocolatey Fest is October 8, 2018 in San Francisco. We're excited to share even more details as Chocolatey Fest approaches, and we hope to see you there!

Boxstarter moves under Chocolatey GitHub Organization

Chocolatey News Team — Thu, 07 Jun 2018 00:00:00 GMT

Back in April 2012, Matt Wrock started the Boxstarter Project. The main aim of the Boxstarter project was to aid with the provisioning of a repeatable and reboot resilient Windows environment. It provided this by wrapping the Chocolatey installation/upgrade commands, and additionally provided helper commands, that would mean that you could fully configure your system, just the way you wanted it. On top of this, it was possible to do this both on your local machine, and also remotely.

Due to a change in priorities and focus, which you can read about in Matt’s blog post, Matt is no longer in a position to maintain the Boxstarter project. After discussions between Matt and Chocolatey Software, Inc., the decision has been made to move the Boxstarter project under the Chocolatey Organization on GitHub.

Over time, it is likely that some of the features that are included in Boxstarter will be ported into Chocolatey, but for the time being, Boxstarter will remain a standalone project, under the stewardship of Chocolatey Software, Inc., and the Chocolatey Community.

One of the immediate changes that has been made, and which shipped with the 2.11.0 release of Boxstarter was to sign the Boxstarter ClickOnce binary, it's manifests, and all PowerShell scripts, using the Chocolatey Software, Inc. code signing certificate.

If you have any immediate questions, please feel free to reach out on our Community Chat.

Gary Ewan Park Joins Chocolatey as Senior Software Engineer

Chocolatey News Team — Sun, 11 Feb 2018 00:00:00 GMT

We are excited to announce that Gary Ewan Park has joined the team as a Senior Software Engineer in a full time capacity. Gary had been working with the team in a part time capacity previously and has been a long time member of the Chocolatey community!

"Over the past few years, Gary has really helped take Chocolatey to the next level with his contributions and community work. Without his hard work and efforts in the community, I'm not sure Chocolatey would be where it is today. I'm also proud to call Gary a dear friend. When we started thinking of who we wanted to hire back as early as 2014, Gary has always been at the top of my list." said Rob Reynolds, Founder and CEO of Chocolatey.

Gary first started using Chocolatey in early 2013, where he was using it to automate the installation of packages on his own personal machine. At the time, Gary could see the potential for Chocolatey, becoming the maintainer of several popular packages, and in fact, Chocolatey was the first project that Gary submitted a Pull Request to.

Over the years between then and now, Gary has become a Core Chocolatey Team Member and he was officially made a member of the Chocolatey GitHub organization in 2015. His Open Source Contributions to Chocolatey have included monitoring and answering questions in the Community Chat channels, mailing lists, Stack Overflow questions, and GitHub issues, creating and maintaining Chocolatey packages, acting as one of the moderators for packages submitted to chocolatey.org, as well as working on the graphical interface for Chocolatey, the Chocolatey GUI.

Gary has over 10 years experience working as a developer on technologies such as ASP.NET, Windows Forms, WPF, SharePoint, Silverlight, and many others. Throughout his career, Gary has always looked to see how things can be automated, using the mantra that if you do the same thing more than twice, it is time for automation.

"I am very excited to be joining Chocolatey Software" says Gary, "I have been a long time user and contributor to Chocolatey, and I am looking forward to helping taking it to the next level."

Gary holds a Master's Degree in Electrical and Electronic Engineering from the University of Aberdeen. He will be based remotely just outside of Aberdeen, Scotland.

Chocolatey GUI 0.15.0 has just been released!

Gary Ewan Park — Wed, 18 Oct 2017 00:00:00 GMT

We are very happy to announce the release of version 0.15.0 of Chocolatey GUI! This is a major overhaul of the application including a huge number of bug fixes, as well as a number of features and improvements. This release has been a while in the making, but we hope that it will be worth the wait!

The following will highlight a number of the major changes that are included in this release, and you can also see a full set of release notes.

Chocolatey Lib

In previous versions of Chocolatey GUI, we shelled out directly to PowerShell to invoke the various commands that are available within Chocolatey. In this release, we are now using the official chocolatey.lib, which means we now have a much better integration with the features that Chocolatey offers. In doing this refactoring, we have also eliminated a number of the bugs that were present in the previous release, as well as significally improving the overall performance of Chocolatey GUI.

New Branding

When we switched to using WPF as the base framework for Chocolatey GUI, we introduced what we thought was a sensible colour scheme, emphasing on the "chocolatey" theme. Looking back, we think we went a little too far. In the 0.15.0 release, we have changed the branding again, which is more in-keeping with the overall Chocolatey branding.

As an example of this change, the main Chocolatey GUI application screen has gone from this:

to this:

If you are interested in seeing more of the evolution of the branding for this release, you can follow along in this commit and then this commit.

We would love to hear any feedback that you might have related to the new branding. Feel free to reach out in our Community Chat or open an issue for discussion on the Chocolatey GUI repository.

Localization of Chocolatey GUI

We know that Chocolatey GUI is used across the world, by speakers of lots of different languages. With this in mind, the decision was taken to support translation of all the major parts of Chocolatey GUI. This will be an ongoing effort, however, in this release, there is now support for English, Norwegian, German and Swedish.

If you are interested in helping support your language in Chocolatey GUI, then please reach out via an issue on the GitHub repository.

We are going to start using the amazing Transifex service to better support this effort going forward.

Release Notes

To find out information about all the features, improvements and bugs that were included in this release, have a look at the release notes.

Going forward...

Looking ahead, we have a number of things that we are thinking about for upcoming releases of Chocolatey GUI. These include things like:

Making Accessibility of the Chocolatey GUI application a first class citizen
Allowing modification of Chocolatey GUI colours/fonts - i.e. branding

Contributors

This release would not have been possible without the help of the amazing Chocolatey Community! We thank you all for your support!

The people who helped out with this release are:

Learn More

Check out the documentation.
Learn about other features available in Chocolatey for Business.
Contact us to find out more and setup your evaluation of Chocolatey for Business today.

Chocolatey’s Package Synchronizer Adds Choco Sync Command - Supports Full System Synchronization!

Rob Reynolds — Tue, 17 Jan 2017 00:00:00 GMT

import Iframe from '@choco-astro/components/Iframe.astro';

Happy New Year! We've reached a new year and we could not be more excited to tell you about the features we've been cooking up here at Chocolatey! Chocolatey's Package Synchronizer has enjoyed auto sync for existing packages. Now with the introduction of the sync command, you are able to bring all existing software installed on a system under Chocolatey management!

Automatic Sync

In Package Synchronizer v1, we added in automatic sync for Chocolatey to see changes in software installed on a system that it is tracking with Chocolatey packages. As we wanted those states to match to provide the best possible experience, licensed versions of Chocolatey detect those changes and ensure those packages stay in sync with the software in Programs and Features that they are tracking. Automatic sync is great and the best part is that it just happens, automatically, every time Chocolatey runs.

Sync Command

Now with Package Synchronizer v2, we've introduced the sync command to compliment the automatic sync. You run one command and Chocolatey will bring all software installed on the system under Chocolatey management. Here at Chocolatey we think that's pretty epic, so rather than spend too much time talking about it, we'll just show you what that looks like with a short video.

Learn More

Check out the sync command documentation.
Learn about other features available in Chocolatey for Business.
Contact us to find out more and setup your evaluation of Chocolatey for Business today.

Chocolatey’s Package Builder Now With a UI and an Exciting New Feature!

Rob Reynolds — Tue, 15 Nov 2016 00:00:00 GMT

import Iframe from '@choco-astro/components/Iframe.astro';

Chocolatey's Package Builder allows you to create fully ready to go software deployments for Windows in 5-10 seconds! There is nothing faster than Chocolatey when it comes to preparing software for an unattended deployment across your organization. Today we are excited to announce Package Builder UI and building packages directly from Programs and Features! Before we show you those features with some videos, let's reintroduce Package Builder as you may not be familiar.

Chocolatey's Package Builder

Chocolatey’s Package Builder is a tool that allows you to quickly generate high quality packaging by pointing Package Builder to an installer (msi, exe, msu, or msp) or zip. You can create packages from your organization's archive of installers and zips, scripting the entire creation of packages for your organization. There are also nice features like MSI properties automatically being added to the installer comments so you can further customize the package!

We've created a short video showing how it works.

Quickly script out creating packages for your entire organization's cache of software, allowing you to completely automate your Windows installations in moments, not months. You can do that with a simple script:

$path = '\\company.file.server\installers'


# Generate packages over supported types of files
$supportedTypes = @('.exe', '.msi', '.7z', '.zip', '.msu', '.msp')
Get-ChildItem -Path $path -Recurse | ?{
  $extension = [System.IO.Path]::GetExtension($_.Name)
  $supportedTypes.Contains($extension)
  } | %{
  Write-Host "$($_.FullName)"
  & choco new --file "$($_.FullName)" --build-package --outputdirectory $pwd
}

For every supported type, we are asking Chocolatey to wrap an entire package around the installer or zip, completely readying entire packages in about 5-10 seconds, complete with silent arguments.

Package Builder User Interface

Not every person is going to love the command line or may not be familiar with the command line. We've spent countless hours talking to customers and with their feedback we're introducing Package Builder UI. This also gives you an opportunity to transition from existing UI tools while taking advantage of powerful Chocolatey concepts!

Package Builder - Generate Packages From Programs and Features

Another way Package Builder can generate packages is based on looking at what is installed on a system in Programs and Features. You can set up a complete reference system and then use Chocolatey to generate packages from those installs. This gives you lightning quick ramp up time in both package and automating your Windows software installations!

Chocolatey And Deployment Automation

When it comes to software management automation (or software deployment automation) for Windows, ask yourself if one or more of the following questions apply:

Does your current approach to automation require manual interaction?
Do the current processes you use feel inadequate or require work arounds?
Are you managing software for both internal applications and 3rd party software on Windows? If so, are your approaches consistent?
Can you update a single piece of software across your organization in less than 2 hours? 30 minutes? 5 minutes?
Does that time still apply from the moment you determine a need to upgrade to implementation?

Hundreds of organizations in every industry have seen the power of Chocolatey and have harnessed Chocolatey's Package Builder to create packages very quickly, allowing them to quickly address software deployments, security concerns, and just meeting their internal customer needs very quickly in a scalable and reliable way. Chocolatey will make a difference in your organization as well.

Learn More

Watch all videos related to Chocolatey’s Package Builder.
Learn about other features available in Chocolatey for Business.
Contact us to find out more and setup your evaluation of Chocolatey for Business today.

Mukesh Sharma Joins Chocolatey as Chief Operating Officer

Chocolatey News Team — Fri, 14 Oct 2016 00:00:00 GMT

Chocolatey, the software management solution for Windows, recently named Mukesh Sharma as part of their executive team as Chief Operating Officer, to help drive go to market operations, business growth, and expansion into new markets.

"I’m excited to announce that Mukesh has joined the team at Chocolatey. Mukesh’s leadership, expansive experience, and unique perspective will really drive the growth of Chocolatey across the board." said Rob Reynolds, Founder and CEO of Chocolatey.

Mukesh first got excited about Chocolatey last year after hearing first hand from customers on their desire to leverage package management in the Windows environment. Mukesh joins Chocolatey from automation and DevOps player Puppet, where he led the Europe, Middle East, and Africa (EMEA) business. He brings almost 20 years of experience in sales, business development, and go to market strategies from several tech companies, including EMC, VMware, and Atos. With Mukesh on board, the company will have the opportunity to reach more markets and the right insights to grow the company as a business successfully.

"With increasing demand from the business to deliver software faster, automation continues to be at forefront of most organisations." says Mukesh. "Chocolatey has been helping multiple organisations get more out of their Windows software. I’m really excited to support Chocolatey’s move towards offering enhanced business features and continuing to support our extensive user community."

Mukesh holds a bachelor’s degree in International Business from the University of Greenwich and an Executive MBA from University of Oxford. He will be based out of Chocolatey’s new London, UK office.

For press requests - please reach out through our contact form.

Extending Chocolatey Packaging at Walmart

Derek Robinson — Thu, 13 Oct 2016 00:00:00 GMT

import Callout from '@choco-astro/components/Callout.astro';

<Callout type="info"> Originally posted on Puppet's blog. Reposted with permission. </Callout>

At Walmart, we’re on the journey of increased automation and efficiency. We decided to stop using gold images for server deployments early on. We knew that by separating the base Windows image from the configuration and application installs, deployments would be faster and more consistent. Additionally, application teams would no longer have to wait for the server teams to recut and publish a new gold image throughout the environment every time the application teams released a new version.

Our first iteration of the new server build process used Microsoft Desired State Configuration (DSC) to configure the servers. We were elated at how quickly we were able to build servers using DSC. We had a concern, though: lack of management tooling for DSC and application installs. Originally, we created our own management tooling around DSC. It worked great initially, but development was slow, and more time was spent on the tooling than on the servers themselves.

We knew this had to be a solved problem, so we talked to our Linux teammates about Puppet. Puppet could already manage Windows servers, and with the introduction of the Puppet DSC module, we could extend Puppet management to DSC resources. We could use modules from both the Puppet and PowerShell communities, which greatly increased what could be managed.

We still weren’t sure how to handle the on-demand application installs. Originally we used the DSC package resource, but we ran into some quirks. DSC Package uses the GUID of the application to manage the install. Not only do you have to know the current GUID, but if you want to uninstall a previous version of the application, you have to know the GUID for each version that could possibly be installed. DSC Package also requires a separate configuration to download the application install file to the server. With every new application revision, no matter how minor, we would have had to change several parts of the DSC configuration.

It was then that Chocolatey came to the rescue. With Chocolatey, you don’t need a GUID, just the application version. The Chocolatey package handles all the downloading and installing. If you’re hosting internal packages, you can even embed the install file into the Chocolatey package itself to further streamline the process. All the application owner has to do is create a new Chocolatey package, and update the app version number in Puppet.

We knew that in order to increase adoption of our new tools and processes, we would have to remove as many roadblocks as possible. Since Chocolatey is a command line tool, we were able to automate portions of the package creation process. Automating package creation lowers the learning curve of Chocolatey. It also helps us get one step closer to continual delivery on Windows. We can take what we’ve done and easily hook it into tools like Jenkins to create and push new packages whenever application teams release a new version.

We started by determining the basic workflow for the users:

Ask the user for package information.
Use package information to build the package from a template.

Here’s an example of an application being packaged using our automation script. We ask only for the package name, path to the application, additional install arguments, and the maintainer name (it defaults to the user running the script if left blank).

Before beginning the packaging, the user is asked to confirm the information provided. If the user selects No, they’re able to go through the input process again.

The script calls choco new to create the package. Currently it defaults to using the embedded packaging model, so the script copies the installer file into the appropriate folder. Then it calls cpack to create the nupkg file.

While we can’t share our exact script, we can walk through some of the automation process. Using Chocolatey’s package templates, we knew could dramatically simplify the package creation process. Before templates, we had planned on using PowerShell here-strings to build out the files for the package. However, the large here-strings tended to clutter up a script, and became complicated when we used more than one packaging model.

We used the Chocolatey docs page on templates to create our own. To keep things simple, we started with only two templates: basic and embedded. Our basic template uses the standard Chocolatey practice of install files being located in an external location. Since we’re using only internal Chocolatey hosting though, we can include the installer files in the Chocolatey package itself. Using the Chocolatey docs, we created our embedded template. The chocolateyinstall.ps1 script will run the installer file inside the same folder. For the rest of this example, we’ll be using the embedded template.

From the docs, we know the default template values we can pass in. You can also find these properties from the help by running choco new –h.

packageversion
maintainername
maintainerrepo
installertype
url
url64
silentargs

By following the instructions in the docs, we can create a simple embedded template. Below is the tools\chocolateyinstall.ps1 file for the embedded template.

$ErrorActionPreference = 'Stop'; # stop on all errors

[[AutomaticPackageNotesInstaller]]
$packageName  = '[[PackageName]]'
$toolsDir     = "$(Split-Path -parent $MyInvocation.MyCommand.Definition)"
$fileLocation = Join-Path $toolsDir '[[url]]'

$packageArgs = @{
  packageName   = $packageName
  file          = $fileLocation
  fileType      = '[[InstallerType]]' #only one of these: exe, msi, msu
  silentArgs    = '[[silentArgs]]'
  validExitCodes= @(0, 3010, 1641)

}

Install-ChocolateyInstallPackage @packageArgs

To increase readability in the following example, we’ve used the backtick in PowerShell to do line continuation. We’ve also added three additional parameters at the end. The accept license property accepts license dialogs automatically. The force property creates a new package, even if there’s already one in the current directory. Since we’re automating the process so users don’t have to touch any folders or files manually, we want to overwrite whatever is currently there. The limit output property isn’t required to build a new package, but we use it for our scripts to make parsing the return output easier.

$name = 'SuperCoolApp';
$template = 'embedded';
$packageversion = '1.0.0';
$maintainername = 'Doug Funnie';
$url = 'app.exe';
$installertype  = 'exe';
$silentargs = '/verysilent /turbo'

choco.exe new $name `
    --template $template `
    --version=$packageversion `
    --maintainer=$maintainername `
    url=$url `
    installertype=$installertype `
    silentargs=$silentargs `
    --acceptlicense --limitoutput --force

Running this script produces the following output (if you run it without the –limitoutput property, your output will include every file generated which can be useful for troubleshooting).

Looking at the chocolateyinstall.ps1 file in the SuperCoolApp\tools folder shows that the template properties have been replaced with the values that were passed into choco new.

$ErrorActionPreference = 'Stop'; # stop on all errors

$packageName  = 'SuperCoolApp'
$toolsDir     = "$(Split-Path -parent $MyInvocation.MyCommand.Definition)"
$fileLocation = Join-Path $toolsDir 'app.exe'

$packageArgs = @{
  packageName   = $packageName
  file          = $fileLocation
  fileType      = 'exe' #only one of these: exe, msi, msu
  silentArgs    = '/verysilent /norestart /turbo'
  validExitCodes= @(0, 3010, 1641)

}

Install-ChocolateyInstallPackage @packageArgs

Unfortunately, this won’t create a fully working Chocolatey package yet. There’s no template property for the embedded installer file name in $fileLocation. In versions prior to Chocolatey 0.9.10, you can’t pass in arbitrary key value pairs. We just have to get a little creative until then, so in our embedded template we used [[url]] to pull double duty. Since we’re not pulling the install files remotely, the url property is free for us to use.

You may have noticed that we don’t ask for the file type in our script, and we provide default silent arguments. After Chocolatey 0.9.10 is released, the possibilities for template creation will be greatly increased by the ability to pass in custom values. We want the package creation process to be as simple for the end user as possible, so we use the information provided in the file path to fill in the $fileType and the default silent arguments we use. If a user provides a file path that doesn’t use a supported file type, we write an error instructing them on what file types are approved for use.

Using the file path, we pull the file extension to use in $fileType. We then use that extension to make sure that the no restart and silent install values are always included in the arguments. We can’t put these in our template since they change depending on the file extension, and creating separate templates formsi-embedded and exe-embedded would be kludgy. By adding the installer type and default silent arguments, we’re able to increase the usefulness of the script. All that’s left is to copy the file to the folder and then run cpack on the nuspec file.

$name = 'SuperCoolApp';
$template = 'embedded';
$packageversion = '1.0.0';
$maintainername = 'Doug Funnie';
$filePath = 'app.exe';

# Generate the installertype and silent arguments
$installertype = $installfile.Split('.')[-1]
switch ($installertype)
{
    'exe' {$silentargs = '/verysilent /norestart '}
    'msi' {$silentargs = '/qn /norestart '}
    'msu' {$silentargs = '/qn /norestart '}
    Default { Write-Error "Unknown file extension: $installertype . Please use an exe, msi, or msu"; exit}
}

$silentargs += "/turbo"

# Generate package
choco.exe new $name `
    --template $template `
    --version=$packageversion `
    --maintainer=$maintainername `
    url=$url `
    installertype=$installertype `
    silentargs=$silentargs `
    --acceptlicense --limitoutput --force

# copy the file over
# then run cpack on the nuspec file
cpack.exe .\$name\$name.nuspec

While we’ve done all this in PowerShell, you don’t have to. The real beauty of command line tools like Chocolatey is that your favorite automation tool or language of choice can be used. Using local scripts to just create the packages isn’t all you can do, either. From here, the options are endless: create a web front end, hook into Jenkins to build packages automatically after a build, etc.

Your manager may chuckle when you say you’re going to use Chocolatey, but after a little scripting the only sound you’ll hear are dropped jaws as applications are automagically deployed.

Derek Robinson is a Windows server administrator at Walmart.

Chocolatey is Participating in Hacktoberfest!

Rob Reynolds — Wed, 12 Oct 2016 00:00:00 GMT

Recently we tweeted about participating in Hacktoberfest.

What is Hacktoberfest?

Hacktoberfest is a celebration of open source by contributing code. Folks interested in contributing must submit 4 pull requests in the month of October to any participating issues. You must first sign up (register with GitHub) to participate. You can do that at https://hacktoberfest.digitalocean.com/sign_up/register.

Best of all, when you submit those 4 pull requests, you qualify for a free T-Shirt from Digital Ocean.

Chocolatey is participating

Yes, Chocolatey is participating in #Hacktoberfest. All available issues for contributing towards a free t-shirt are labeled with Hacktoberfest. In the issues list you will find the following technologies:

C#
PowerShell
Documentation

So while you may not be familiar with C#, you may be familiar with PowerShell. If you are not familiar with either but you know Chocolatey inside and out, we always have a need for better documentation. Suggest some more things that you want to work on. We might even label them with Hacktoberfest!

How do I win a Chocolatey T-Shirt?

Here are the rules:

You must submit at least one pull request to the choco GitHub repository based on one of the available hacktoberfest issues during the month of October.
You must submit a total of 4 pull requests to qualify for #hacktoberfest participation.
There must be a total of at least 5 pull requests submitted to the choco repository from 5 different folks during the month of October that are based on issues with the hacktoberfest label.
Pull requests to choco should show they have met the CONTRIBUTING guidelines to be eligible for the shirt.
Every eligible pull request counts as an entry. An individual submitting 3 pull requests to choco during the month of October will have three entries in the drawing.
For each 10 unique individuals issuing pull requests to the Chocolatey GitHub repository, an additional shirt will be given away.
Drawing will be done at random in November.

Some fine print:

Not available to employees of RealDimensions Software, LLC or their immediate family.
We reserve the right to limit the total number of giveaways.
We reserve the right to determine eligibility for the Chocolatey T-Shirt.
Winners agree to using an image and their name in a future blog post.

Let's see what you can do! Let's get Chocolatey!

Celebrating 50 Million Installs!

Rob Reynolds — Sat, 17 Sep 2016 00:00:00 GMT

Recently Chocolatey's community repository (this site in the packages section) surpassed 50 million package installs! 50 million! That is a milestone worth a mention.

Chocolatey.org has been up for five years this month, we never imagined when we started this that we would have the tremendous response we have seen here.

More Statistics

Here's another interesting statistic - did you know there is at least one install of Chocolatey (Chocolatey itself) every second somewhere in the world? The statistic works out to something like 1.15 installs of Chocolatey per second. That is an insane uptake and really shows Chocolatey's success.

One last statistic and we'll let you get back to Chocolatey - Every day we have nearly 11 million requests per day and transfer around 2TB of data. That's a lot of traffic every 24 hours!

Final Thoughts

All of this is amazing, and it's awesome folks like you that have brought us to this point! Here's to the next 50 million installs, and the next 5 years of sweet packages!

Internalizing Packages (Creating Recompiled Packages)

Rob Reynolds — Wed, 27 Apr 2016 00:00:00 GMT

import Callout from '@choco-astro/components/Callout.astro';

<Callout type="info"> Originally posted on Puppet's blog. Reposted with permission. </Callout> Sometimes creating packages from scratch can be an involved process. Not all software installers are created equal (and not all are easily automated either)! Thankfully there is already a tremendous resource you can use to make the process of getting your software all packaged up even smoother.

On chocolatey.org, you will find packages with all of the install logic you need to automatically install your software. However, many of these publicly available packages also rely on software that is available from official distribution points because they are subject to software licensing and copyright law. Unless you’re granted the right to distribute the software via the license, you can’t redistribute it publicly. These laws do not apply when you use internal packages, and that is a good thing!

Why? Downloading software from the internet creates a failure point because it may not be available, the software vendor site could go down, etc. With internal packages, you don’t have to worry about any of that. You can create internal packages and embed the software directly in the package and/or use internal file shares.

This is where recompiling packages comes in. Recompiling a package lets you take an existing package and internalize all of the resources to embedded/internal resources so you can reuse the install logic without the hassle of downloading stuff from the internet. This guarantees complete control, trust, reliability, and repeatability of a package for organizations that have a low tolerance for production issues.

Creating your own recompiled packages is easy. In fact, we already have documentation that walks you through the process step by step!

Recompiling a Chocolatey package at a high level involves:

Downloading and unpacking the existing package as a zip file.
Downloading the resources the package has and putting them in the package.
Editing the install script to point to the internal software.
Packaging it back up.
Pushing it to your internal server.

And that’s it!

Recompiling is a great way to quickly get your organization up to speed on managing software with Chocolatey packages . When you are ready, we have documentation that takes you through all of the necessary steps. We also have Package Internalizer which will do this for you automatically.

Chocolatey For Business / Chocolatey Professional Coming May 2

Rob Reynolds — Fri, 22 Apr 2016 00:00:00 GMT

import Callout from '@choco-astro/components/Callout.astro';

<Callout type="info"> Originally posted at CodeBetter. Reposted with permission. </Callout>

This is a very exciting time for Chocolatey! Over the past 5 years, there have been some amazing points in Chocolatey’s history. Now we are less than 10 days from another historical moment for Chocolatey – when licensed editions become available for purchase! This is the moment when we are able to offer features that enable businesses to better manage software through Chocolatey and offer non-free features to our community! This also marks when the community (and organizations) take the next step to ensure the longevity of Chocolatey for the next 10-20 years. I started this process with a dream and a Kickstarter and now it’s finally coming to fruition!

Features

Here is a list of the licensed features that will be coming in May. I really think you are going to like what we’ve been cooking up:

Package Builder (Business Only) - Create packages from software files/installers – Do you keep all the applications you install for your business internally somewhere? Chocolatey can automatically create packages for all the software your organization uses in under 5 minutes! – See it in action
No more 404s – Alternate permanent download location for Professional customers. Read more…
Malware protection / Virus scanning – Automatic protection from software flagged by multiple virus scanners – Read more…
Integration with existing Antivirus – Great for businesses that don’t want to reach out to VirusTotal.
Install Directory Switch – You no longer need to worry about the underlying directives to send to native installers to install software into special locations. You can **simply pass one directory switch to Chocolatey **and it will handle this for you. Read more...
Support and prioritization of bugs and features for customers.

Sold! But How Do I Buy?

See compare for more information, trial, and pricing options.

Chocolatey Has a New Logo!

Rob Reynolds — Tue, 19 Apr 2016 00:00:00 GMT

import Callout from '@choco-astro/components/Callout.astro';

<Callout type="info"> Originally posted at CodeBetter. Reposted with permission. </Callout>

A designer started a conversation with us in December 2014 and we’ve recently come to a decision point on Chocolatey – a new logo (and soon a new website)! A special thanks goes out to Julian Krispel-Samsel!

Celebrating 5 Years with Chocolatey!

Rob Reynolds — Mon, 28 Mar 2016 00:00:00 GMT

import Callout from '@choco-astro/components/Callout.astro';

<Callout type="info" > Originally posted at CodeBetter. Reposted with permission. </Callout>

Chocolatey turned 5 years old recently! I committed the first lines of Chocolatey code on March 21, 2011. At that time I never imagined that Chocolatey would grow into a flourishing community and a tool that is widely used by individuals and organizations to help automate the wild world of Windows software. It’s come a long way since I first showed off early versions of Chocolatey to some friends for feedback. Over the last 2 years things have really taken off!

The number of downloads has really increased year over year!

<Callout type="info"> While not a completely accurate representation of usage and popularity, the number of downloads gives a pretty good context. Going up by 7 million in 2014 and then by almost 30 million downloads in one year really shows a trend! </Callout>

<Callout type="info"> The Chocolatey package has about 1,000 downloads per hour. I shut off the statistics for the install script back in October 2015 due to the extreme load on the site, so the number of Chocolatey package downloads is missing some of the statistics. </Callout>

History

Let’s take a little stroll through some of the interesting parts of Chocolatey’s history. The history of Chocolatey really starts when I joined the Nubular (Nu) team in summer 2010.

July 2010 – Nu (Package Management for .NET) is reintroduced and quickly takes off in popularity (I also wrote several posts about it).
October 6, 2010 – NuGet is introduced. The Nu team had joined up with Microsoft in late August to work on NuPack (as it was called then).
February 2011 – Joke with other folks on the NuGet team at MVP summit that if we ever introduced a machine package manager, we’d call it Chocolatey NuGet because it wouldn’t be vanilla NuGet packages.
March 21, 2011 – First lines of Chocolatey are committed. The PowerShell version of Chocolatey represents the first public known use of PowerShell as an application and not just scripts and modules.
March 23, 2011 – First release of Chocolatey is 0.6.0. I hope you were not using it that early. ;)
March 28, 2011 – I started talking about Chocolatey on the NuGet list.
March 29, 2011 – Svein Ackenhausen coins the term “cinst” that would be the main call for choco until 2013.
April 1, 2011 – Chris Ortman writes the first public blog post about Chocolatey.
April 26, 2011 – I put up a video showing Chocolatey installing 11 pieces of software. Pardon the music, it was swapped out from my original track.
September 2011 – Community Repository (https://chocolatey.org) introduced.
September 7, 2011 – Christiaan Baes writes a post about a side project that is known as Chocolatey GUI.
October 07, 2011 – A year after NuGet was introduced, I blog about Chocolatey for the first time.
December 22, 2011 – Anthony Mastrean introduces Pester (a PowerShell BDD testing framework) to Chocolatey.
March 2012 – Chocolatey is featured in the Pro Nuget Book.
April 1, 2012 – Matt Wrock commits the first lines of BoxStarter.
April 23, 2012 – After bouncing ideas off of Keith Dahlby and Aaron Lerch, I figure out how to do mocking for PowerShell testing (which Matt Wrock later puts into Pester proper). I also determine a proper way to structure a PowerShell application (function per file).
May 13, 2012 – Rich Siegel starts working on Puppet integration.
September 2012 – Chocolatey is featured on Lifehacker.
October 4, 2012 – Guilhem Lettron starts working on Chef integration.
October 19, 2012 – After putting proper mocking support into Pester, Matt Wrock retrofits Chocolatey to use that.
January 2013 – Automatic packaging is introduced.
February 13, 2013 – Gary Ewan Park gives Chocolatey GUI a new home and takes over project maintenance.
June 2013 – Community repo reaches 1,000 stable packages.
October 2013 – Community repo surpasses 1 million downloads.
December 13, 2013 – First lines of the C# Chocolatey rewrite are committed.
February 6, 2014 – Richard Simpson joins Gary on Chocolatey GUI and commits the initial changes for the modern version and look.
March 2014 – Microsoft validates the idea of Chocolatey.
July 2014 – The Chocolatey package itself surpasses 1 million downloads.
Sep 2014 – Introduced Chocolatey Newsletter.
September 23, 2014 – I show the first C# version of Chocolatey at a conference where my first demo uses choco from non-Windows. There are a lot of murmurs in the crowd.
Oct 2014 – Kickstarter for Chocolatey started.
Oct 2014 – Community Feed Moderation turned on. Thomas Walter handles a lion’s share of moderation over 2015 so others can concentrate on the framework.
November 2014 – Chocolatey version 0.9.8.27 is the first package version alone with more than 1 million downloads. A record that isn’t broken again until October 2015 when 0.9.9.8 has 5.6 million downloads!
February 2015 – Community repository hits 10 million downloads.
March 3, 2015 – First C# Chocolatey version is released.
March 23, 2015 – dtgm modernizes the automatic package process to achieve high quality automatic packages with checksums.
October 2015 – CloudFlare and caching are introduced to the community repository to reduce pressure.
November 2015 – Memcached is introduced to the community repository for a single cache across load balancers.
December 2015 – Indexing is reintroduced to the community repository.
Q4 2015 – Introduced the validator, the verifier, and the cleaner to the community feed to assist in moderation.
January 2016 – Moderation backlog is reduced to near zero and is now manageable thanks to the automation.
February 1, 2016 – First Professional Licenses of Chocolatey are shipped to Kickstarters.
March 21, 2016 – CloudFlare caching tweaks introduced on the community repository to handle the increased pressure that will come from tab completion for package names.
March 23, 2016 – Virus scan results shown on the community repository for packages.

This doesn’t represent everything that has happened. I tried to list out and attribute everything I could find and remember. There have been so many amazing package maintainers over the years, there are too many of you to possibly list. You know who you are. You have made the community what it is today and have been instrumental in shaping enhancements in Chocolatey.

Looking to the Future

The community has been amazing in helping Chocolatey grow and showing that there is a need that it fills. Package maintainers have put in countless and sometimes thankless hours to ensure community growth and consumers have really found the framework useful! Thank you so much! The next version of Chocolatey is coming and it is going to be amazing. Here’s to the next 5 years, may we change the world of Windows forever!

Create Your Own Chocolatey Packages

Rob Reynolds — Wed, 13 Jan 2016 00:00:00 GMT

import Callout from '@choco-astro/components/Callout.astro';

<Callout type="info"> Originally posted on Puppet's blog. Reposted with permission. </Callout>

Chocolatey is a package manager. It works by managing packages that contain software or know how to manage the underlying software themselves. For folks unfamiliar with packaging concepts, a Chocolatey package is really just a fancy version of a zip file that knows about metadata, versioning and dependencies related to underlying software, plus optional automation scripts that are run during installation, upgrade and uninstallation of the package.

The packaging framework Chocolatey uses is known as NuGet (and also part of where Chocolatey gets itsname). Chocolatey extends NuGet to add more metadata to packaging (the nuspec file) and known automation scripts for execution during installation, upgrade, and uninstallation. These automation scripts are simply PowerShell scripts so it's easy to start getting familiar with the additional functions that Chocolatey provides for managing software!

This is useful because it helps define dependencies related to other software and encapsulates everything about installing a particular piece of software in a single place.

Creating your own Chocolatey packages is surprisingly simple for system administrators who have experience with other packaging frameworks. Chocolatey has extensive documentation for creating packages, however some of the information applies only to the community repository (https://chocolatey.org). When you host your own internal packages, different rules apply.

The most important thing to note about creating packages is that Chocolatey already has a built-in package template that does most of the work for you - choco new. If you use the Chocolatey CLI (choco.exe aka choco), make sure you are on the latest version of choco available to take advantage of fixes in the templates. You can also create your own templates!

Creating a Package for Notepad++

We can start by creating a package for Notepad++. Typing choco new notepadplusplus on the command line would yield output similar to the following:

Creating a new package specification at C:\temppackages\notepadplusplus
Generating template to a file
at 'C:\temppackages\notepadplusplus\notepadplusplus.nuspec'
Generating template to a file
at 'C:\temppackages\notepadplusplus\tools\chocolateyinstall.ps1'
Generating template to a file
at 'C:\temppackages\notepadplusplus\tools\chocolateyuninstall.ps1'
Generating template to a file
at 'C:\temppackages\notepadplusplus\tools\ReadMe.md'
Successfully generated notepadplusplus package specification files
at 'C:\temppackages\notepadplusplus

Notice that it created the package files plus a ReadMe with more information on what is available. Open notepadplusplus.nuspec, and edit it to look like this:

<?xml version="1.0" encoding="utf-8"?>
<package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
  <metadata>
    <id>notepadplusplus</id>
    <title>Notepad++ (Install)</title>
    <version>6.8.8</version>
    <authors>Don Ho</authors>
    <owners>my company</owners> <!-- also known as package mantainers -->
    <description>Notepad++ is a free (as in "free speech" and also as in "free beer") source code editor and Notepad replacement that supports several languages.</description>
 </metadata>
<files>
  <file src="tools\**" target="tools" />
</files>
</package>

Unless you are sharing with the world, you don't need most of what is in the nuspec template file, so only required items are included above. When creating a package, be sure to match the version of the package in the nuspec file to the version of the underlying software as closely as possible. We are packaging Notepad++ 6.8.8 in this case, so the version of the package in the nuspec file should also be 6.8.8. More on versioning.

Open chocolateyInstall.ps1 and edit it to look like the following:

$ErrorActionPreference = 'Stop';

$packageName= 'notepadplusplus'
$toolsDir   = "$(Split-Path -parent $MyInvocation.MyCommand.Definition)"
$fileLocation = Join-Path $toolsDir 'npp.6.8.8.Installer.exe'

$packageArgs = @{
  packageName   = $packageName
  fileType      = 'exe'
  file         = $fileLocation

  silentArgs    = "/S"
  validExitCodes= @(0)
}

Install-ChocolateyInstallPackage @packageArgs

<Callout type="info"> The above is Install-ChocolateyINSTALLPackage, not to be confused with Install-ChocolateyPackage. The names are very close to each other, however the latter will also download/checksum software from a URI (URL, ftp, file) which is not necessary for this example. </Callout>

Delete the ReadMe.md and chocolateyUninstall.ps1 files. We delete the uninstall as it isn ot necessary due to the autoUninstaller feature of Chocolatey. Download the latest version of Notepad++ and move it to the tools folder of the package (update the version in both the nuspec and the chocolateyInstall.ps1 if necessary). Note: Normally if the underlying software makes the size of a package over 100MB, it is recommended you move the software installer/archive to a share drive and point to it instead. Because this is less than 5MB, we will just embed the Notepad++ installer right into the package.

Now pack it up by using choco pack from the command line. Ensure that notepadplusplus.nuspec is in the current directory of the shell. This should create a notepadplusplus.6.8.8.nupkg file.

Now that you’ve created your Notepad++ package, you can go ahead and install it across your systems.

Hosting Your Own Chocolatey Package Server

Rob Reynolds — Wed, 06 Jan 2016 00:00:00 GMT

import Callout from '@choco-astro/components/Callout.astro';

<Callout type="info"> Originally posted on Puppet's blog. Reposted with permission. </Callout>

When folks think of Chocolatey, they often conflate the Chocolatey framework with the default location for packages, Chocolatey.org. However, Chocolatey was designed as a decentralized framework to allow you to use multiple (including internal) locations to get packages. This is one of the most important differentiators of Chocolatey compared to other packaging frameworks for Windows, especially for organizational use.

Lots of folks use Chocolatey.org, which has a feed of packages provided and maintained by the community (it is also known as the community feed). Packages on the community feed usually download software from official distribution points. When software owners move download locations or other breakages occur because of the internet, the package is broken until the new location is specified in an updated version of the package.

For folks in the community that are not using Chocolatey for production purposes, it is fine to use the community feed. For organizations that have a low tolerance for breakages and require a higher level of security, control, and trust, a self-hosted Chocolatey server is the recommended option. This guarantees that your installs, upgrades, and uninstalls will always work every time. This gives you complete control over what software gets installed. Also because you are vetting newer versions, you control when those newer versions are available for upgrade.

How is this different than the process you are following now outside of Chocolatey? I believe you are thinking, we are doing something similar now as an organization, what benefits do I get by adding Chocolatey into the mix?

You have a single unified interface for installing/upgrading and uninstalling software on Windows.
You define dependencies between software so installation order is not a manual process.
Chocolatey has some really great smarts built-in to be able to handle things like uninstalling software automatically.
You can easily package your own internal software using technologies you are familiar with (PowerShell).
Chocolatey has great PowerShell helper functions for many software scenarios, so many times a one line function call is all you need to handle complex installation software.
You can define any additional functionality a native installer file may have missed setting up for you, such as putting some directory in the PATH variable.
You control how installs, upgrades and uninstalls are handled.
Package maintenance is quite simple.

Chocolatey has great documentation on what is available for hosting your own internal server, includingnon-Windows options.

There are three different ways to host your own server:

Local folder / UNC Share (CIFS)
Simple Server
Package Gallery

Using a local folder allows you to store your packages in a directory, which may be the easiest option for quickly ramping up on Chocolatey.

As your needs increase, you can easily move your local folder to a CIFS (UNC) share. Both local folder and CIFS are quick to set up. It’s as easy as putting packages in a location and pointing to that location as the source. Permissions are based on what is already there — if you can get to the packages, you can install from there, and if you can put packages in the location, you have push permission.

A Simple Server is ideal when you need more control over pushing packages or reaching a CIFS share is not easily possible. A simple server allows you to push and install from HTTP/HTTPS. The disadvantage here is that there is one shared key for pushing packages, so anyone that has push access can push any package. There is no fancy web site to view packages. All querying is done through choco.exe (or Chocolatey GUI). Most options for hosting packages are based on the simple server setup, including non-Windows options like Sonatype Nexus and JFrog’s Artifactory.

The final option for the most complex scenarios is the Package Gallery. A couple of examples areChocolatey.org and NuGet.org. You can have multiple types of package store, from file system to Azure blobs, and AWS S3. It has a database, indexing, and caching backing the package information, so it is super performant. And it has the idea of multiple users and rights assigned for each user to packages they maintain. Some disadvantages are that currently it only hosts on Windows and it requires more setup time.

With these options in mind your head may be spinning trying to decide which one is right for you. Going between a folder location and the simple server in many cases is simply adding an HTTP endpoint, so it’s really not hard to get started there! If you are using something like Puppet, there is already a simple way to set up a simple server for use with Chocolatey. The Puppet Chocolatey Server module will handle all aspects of setting up an internal host for you to use!

Chocolatey Blog

Announcing Release of Chocolatey Central Management v0.15.0, Chocolatey CLI v2.7.0, Chocolatey Licensed Extension v8.0.0, Chocolatey Agent v4.0.0, Chocolatey GUI v3.0.0, and Chocolatey GUI Extension v3.0.0

Collection and Display of Computer Facts

Improvements to How Central Management Handles Outdated Software

Release Notes

Learn More

Chocolatey users unaffected by Notepad++ incident

Details of the Upstream Vulnerability

Impact Assessment for Chocolatey Users

Important Note Regarding WinGUp

Recommended Actions

Conclusion

Announcing Release of Chocolatey CLI v2.6.0, Chocolatey Licensed Extension v7.0.0, Chocolatey Agent v3.0.0, and Chocolatey GUI Extension v2.0.1

Improvements to choco info

Improvements to choco download

Improvements to Virus Checking

Clearer Error Messages For Non-administrative Users

Attempting to Upgrade a Pinned Package will Display the Pin Reason

choco sync Improvements

Added Configurable Prohibited Options For Background Service

Improvements For choco convert

Changes to the chocolatey.licensed Source

Release Notes

Learn More

Chocolatey Sponsors KCDC 2025

Chocolatey Community Repository Optimizations

Four Billion Installs?

Highlights from the Chocolatey CLI v2.5.0 Release

Enhanced PowerShell Tab Completion

Flexible Search Result Ordering

New license Command for Installed License Information

Option to Exclude Pinned Packages in list

New Feature: Global HTTP Cache Control

Improvements for Package Maintainers

Access to Previous Package Version During Upgrades

Detection of --not-silent Option Usage

Additional Improvements

Behind the Curtain: Moderating Packages on the Chocolatey Community Repository

Why Involve Humans?

Tips for Package Maintainers: Passing Moderation Smoothly

Time, Effort, and Workload

Becoming a Volunteer Moderator

Wrap Up

Michael Governanti Joins Chocolatey as Infrastructure Operations Engineer

How to Get The Most Out of Chocolatey Products & Services

Reference Documentation

Release Announcements

Chocolatey Blog

Commercial Customer Support

Community Assistance

Social Media

Chocolatey Community Repository

Summary

Announcing Release of Chocolatey Central Management 0.14.0

Accessibility Improvements

Improved Keyboard Navigation and Introduction of Skip Links

Improved Semantic HTML Structure and ARIA Attributes for Better Screen Reader Support

Enhanced Color Contrast for Improved Readability

Larger Clickable Areas for Buttons and Links

Unique Titles and Descriptions for Each Page

Expanded Options in the Left Navigation Menu

Addition of Breadcrumbs

Ability to Pause Auto Refresh

Give Warning When Links Open in a New Window

Our Commitment to Accessibility

Release Notes

Learn More

We're Hiring an Infrastructure Operations Engineer, Come Work with Me!

Who is on the Operations Team?

What does a typical day look like for an Infrastructure Operations Engineer?

What are we looking for in an Infrastructure Operations Engineer?

Ready to Make an Impact?

Deep Dive into NuGet v2 & v3 Repository Behaviour

Terms and Definitions

Methodology

1. Environment Setup

Repository Manager Setup

2. Test Repository Configuration

3. Package Creation and Publication

4. Automated Testing

Improvements to `choco info`

Improvements to `choco download`

`choco sync` Improvements

Improvements For `choco convert`

Changes to the `chocolatey.licensed` Source

New `license` Command for Installed License Information

Option to Exclude Pinned Packages in `list`

Detection of `--not-silent` Option Usage