
I need to install Chocolatey, a Windows package manager. On their website, I found this PowerShell script which must be executed in order to install it. However, I don't understand this script.

What I need to know is whether this script is safe.

Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))

The statements which made me suspicious are Set-ExecutionPolicy Bypass -Scope Process -Force; and [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072;.

The remote PowerShell script that is to be executed is this.

It would be great if someone could please let me know whether these scripts are safe...

g19ckddj2

1 Answer

Let's see what's going on, line by line.

Set-ExecutionPolicy Bypass -Scope Process -Force;

By default PowerShell doesn't run script files. This is to prevent accidental script execution, and is a security measure. As the scope is for process, it affects only the current session, so it is not a system-wide change. See Set-ExecutionPolicy for more details.

[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; 

What's done here is a change to TLS settings. The -bor 3072 means a combination of flags, documented for the SecurityProtocolType enum, and the particular flag enables TLS 1.2 support.

iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))

The last one first uses WebClient to download a PowerShell script file, and then iex executes it.

Is the code reasonable? Well, the part about enabling TLS 1.2 is, as older versions of TLS are deprecated, and old PowerShell defaults to those. Modern web servers disallow such connections, so without changing the TLS version, the download attempt fails. The same goes for the execution policy setting: if you are going to run a script, a more relaxed execution policy is required.

As for the install.ps1, who can tell? It's your call if you trust the publisher.

vonPryz
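
For readers who want to decide whether to trust install.ps1 before it runs, the one-liner can be split into download, inspect and execute steps. This is an added example, not part of the answer above and not Chocolatey's own code; the local file name is hypothetical, and the signature check assumes the publisher Authenticode-signs the script (if it is not signed, the example simply refuses to run it).

```powershell
# Added example: save the script to disk and inspect it instead of piping it into iex.
$url  = 'https://chocolatey.org/install.ps1'       # URL from the question
$path = Join-Path $env:TEMP 'choco-install.ps1'    # hypothetical local file name

# Same TLS 1.2 flag as in the one-liner (3072 is the numeric value of Tls12).
[System.Net.ServicePointManager]::SecurityProtocol =
    [System.Net.ServicePointManager]::SecurityProtocol -bor 3072

# Download to a file so that the bytes reviewed are the bytes executed.
(New-Object System.Net.WebClient).DownloadFile($url, $path)

# Record a hash of the download; it can be compared with a copy fetched
# from another machine or network to spot tampering in transit.
$hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
Write-Host "SHA256: $hash"

# Check the Authenticode signature and show who signed the file.
$sig = Get-AuthenticodeSignature -FilePath $path
Write-Host "Signature status: $($sig.Status)"
if ($sig.SignerCertificate) {
    Write-Host "Signer: $($sig.SignerCertificate.Subject)"
}

if ($sig.Status -ne 'Valid') {
    Write-Warning "Unsigned, or the signature does not validate. Not running $path."
}
else {
    # Open the script for reading before anything is executed.
    Start-Process notepad.exe -ArgumentList $path -Wait

    $answer = Read-Host "Run $path now? Type 'yes' to continue"
    if ($answer -eq 'yes') {
        # Process scope only: the relaxed policy ends with this session.
        Set-ExecutionPolicy Bypass -Scope Process -Force
        & $path
    }
}
```

A `Valid` status only says the file is unmodified since it was signed by the certificate shown; whether that signer is the publisher you expect is still your call.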