Reputation: 3
We have been given the task to deploy an infrastructure in OpenStack using Puppet which installs only trusted packages from Chocolatey. The problem we face is to implement a secure way to check if a package is trusted and apply this to our Puppet code so that our packages get updated automatically when there is a new trusted package.
The best way we found to check if a package is trusted is to run "choco info 'NAMEOFPACKAGE' " and write a script that checks if the string "Package approved as a trusted package on" appears in the output of choco info.
This doesn't feel like a secure way to check if a package is trusted and we would like to do this in a better way.
$name = "default"
# Count how many lines of `choco info` output carry the approval banner
# (the original piped into Measure-Object -Line; .Count on the matches is the same intent).
$lines = (choco info $name | Select-String "Package approved as a trusted package" | Measure-Object).Count
# Use -eq: a single "=" inside the condition would assign 1 to $lines and always be true.
if ($lines -eq 1) {
    "****This found only 1 line****"
} else {
    "*Found 0 or more*"
}
Upvotes: 0
Views: 134
Reputation: 18981
As per the documentation on chocolatey.org, from an organizational standpoint, you can't really trust ANY packages that come from chocolatey.org
As an organization, you want 100% reliability (or at least that potential), and you may want full trust and control as well. This is something you can get with internally hosted packages, and you are unlikely to achieve from use of the Community Package Repository. If your use of Chocolatey is for an organization/business, you likely have a low tolerance for production breakages and/or low trust for the greater internet. You likely would not want to give control of your infrastructure over to community members and volunteers. Organizational use of the community repository is not recommended.
As such, the recommendation that I would suggest for you would be to follow through this guide on how to setup Chocolatey for internal organizational use. That way, you can definitely trust all the packages that are being consumed, since you have gone through a separate process to bring those packages internal.
Upvotes: 1
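One way to express the internal-only setup the answer recommends in the Puppet code the question mentions, as an added example that is not part of the original answer. It assumes the puppetlabs-chocolatey module is installed and that an internal feed already exists at the placeholder URL; the package names are illustrative.

```puppet
# Added example, not from the original answer. Assumes the puppetlabs-chocolatey
# module is available and that an internal feed exists at $internal_feed (placeholder).
class profile::chocolatey_internal (
  String $internal_feed = 'https://nuget.example.internal/chocolatey', # placeholder URL
) {
  # Make the vetted internal feed the preferred source.
  chocolateysource { 'internal':
    ensure   => present,
    location => $internal_feed,
    priority => 1,
  }

  # Keep the community repository configured but disabled, so nothing is
  # pulled from chocolatey.org even if a package is not on the internal feed.
  chocolateysource { 'chocolatey':
    ensure => disabled,
  }

  # Pin packages to the internal feed. `latest` means a node follows whatever
  # version has been reviewed and pushed internally, which gives the automatic
  # update path asked about without a string match on `choco info` output.
  package { ['git', '7zip']: # illustrative package names
    ensure   => latest,
    provider => chocolatey,
    source   => $internal_feed,
    require  => Chocolateysource['internal'],
  }
}
```

Approval then happens at the point a package is pushed to the internal feed, not on each node, so the check in the question's script is no longer needed.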