Change Hash field to SHA256 for package integrity #11252
t-johnson wants to merge 1 commit into MicrosoftDocs:main from
Updated the Hash field to specify SHA256 instead of SHA1 for package file integrity verification.
Learn Build status updates of commit 5f26c67: ✅ Validation status: passed
For more details, please refer to the build report.
@t-johnson: Thanks for your contribution! The author(s) and reviewer(s) have been notified to review your proposed change.
Pull request overview
Updates the Visual Studio bootstrapper schema documentation to reflect a stronger hash algorithm for PackageFile integrity verification.
Changes:
- Updated the `Hash` attribute description from SHA-1 to SHA-256.
- Added a version note about older behavior.
- Normalized indentation/formatting in the “See also” list.
| | `CopyOnBuild` | Optional. Specifies whether the bootstrapper should copy the package file onto the disk at build time. The default is true. | | ||
| | `PublicKey` | The encrypted public key of the package's certificate signer. Required if `HomeSite` is used; otherwise, optional. | | ||
| | `Hash` | Optional. An SHA1 hash of the package file. This is used to verify the integrity of the file at install time. If the identical hash cannot be computed from the package file, the package will not be installed. | | ||
| | `Hash` | Optional. An SHA256 hash of the package file. This is used to verify the integrity of the file at install time. If the identical hash cannot be computed from the package file, the package will not be installed. (Note this was a SHA1 Hash for .NET 3.5 and earlier) | |
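Review bot: In the new `Hash` row, the parenthetical "(Note this was a SHA1 Hash for .NET 3.5 and earlier)" does not say what happens to a manifest that still carries a SHA-1 value, while the row keeps the rule that the package will not be installed when the identical hash cannot be computed. Since one `Hash` attribute now covers two algorithms, state whether a SHA-1 value is still accepted or whether authors must regenerate the value as SHA-256. The attribute is also still marked Optional, so it is worth saying what integrity check, if any, is made when it is omitted.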
Wording/terminology is inconsistent with the rest of the deployment docs: use the standard hyphenated forms (e.g., “SHA-256” / “SHA-1”) and lowercase “hash”. Also “An SHA256” is grammatically incorrect; it should be “A SHA-256 …” (or rephrase to avoid the article).
| | `Hash` | Optional. An SHA256 hash of the package file. This is used to verify the integrity of the file at install time. If the identical hash cannot be computed from the package file, the package will not be installed. (Note this was a SHA1 Hash for .NET 3.5 and earlier) | | |
| | `Hash` | Optional. A SHA-256 hash of the package file. This is used to verify the integrity of the file at install time. If the identical hash cannot be computed from the package file, the package will not be installed. (Note this was a SHA-1 hash for .NET 3.5 and earlier) | |
| | `CopyOnBuild` | Optional. Specifies whether the bootstrapper should copy the package file onto the disk at build time. The default is true. | | ||
| | `PublicKey` | The encrypted public key of the package's certificate signer. Required if `HomeSite` is used; otherwise, optional. | | ||
| | `Hash` | Optional. An SHA1 hash of the package file. This is used to verify the integrity of the file at install time. If the identical hash cannot be computed from the package file, the package will not be installed. | | ||
| | `Hash` | Optional. An SHA256 hash of the package file. This is used to verify the integrity of the file at install time. If the identical hash cannot be computed from the package file, the package will not be installed. (Note this was a SHA1 Hash for .NET 3.5 and earlier) | |
The parenthetical note “.NET 3.5 and earlier” is ambiguous in this bootstrapper schema context (it’s not clear whether this refers to Visual Studio versions, the bootstrapper engine version, or something else). Consider clarifying which tooling/runtime versions expect SHA-1 vs SHA-256 and (ideally) link to an authoritative reference so readers know when the behavior changed.
Can you review the proposed changes? IMPORTANT: When the changes are ready for publication, adding a #label:"aq-pr-triaged"