[{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1403913638","html_url":"https://github.com/microsoft/winget-cli/issues/2879#issuecomment-1403913638","issue_url":"https://api.github.com/repos/microsoft/winget-cli/issues/2879","id":1403913638,"node_id":"IC_kwDOC8It-s5TrgWm","user":{"login":"denelon","id":61799811,"node_id":"MDQ6VXNlcjYxNzk5ODEx","avatar_url":"https://avatars.githubusercontent.com/u/61799811?v=4","gravatar_id":"","url":"https://api.github.com/users/denelon","html_url":"https://github.com/denelon","followers_url":"https://api.github.com/users/denelon/followers","following_url":"https://api.github.com/users/denelon/following{/other_user}","gists_url":"https://api.github.com/users/denelon/gists{/gist_id}","starred_url":"https://api.github.com/users/denelon/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/denelon/subscriptions","organizations_url":"https://api.github.com/users/denelon/orgs","repos_url":"https://api.github.com/users/denelon/repos","events_url":"https://api.github.com/users/denelon/events{/privacy}","received_events_url":"https://api.github.com/users/denelon/received_events","type":"User","user_view_type":"public","site_admin":false},"created_at":"2023-01-25T16:46:48Z","updated_at":"2023-01-25T16:46:48Z","body":"@sgrienen thanks for reporting this.\r\n\r\nIf you call one of the defined endpoints you will get a more useful/meaningful response.\r\nhttps://storeedgefd.dsx.mp.microsoft.com/v9.0/information\r\n\r\nHere is the applicable code for the REST API (latest Swagger document)\r\n\r\nhttps://github.com/microsoft/winget-cli-restsource/blob/da3300c19eff2f5d7378bb8bfc47800d056af23d/documentation/WinGet-1.4.0.yaml#L548-L565\r\n\r\nIf you use https://editor.swagger.io/ and upload the contents of the [API Document](https://github.com/microsoft/winget-cli-restsource/blob/main/documentation/WinGet-1.4.0.yaml) you will see a more user-friendly view of the 
API.","author_association":"COLLABORATOR","pin":null,"reactions":{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1403913638/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null},{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1405431275","html_url":"https://github.com/microsoft/winget-cli/issues/2879#issuecomment-1405431275","issue_url":"https://api.github.com/repos/microsoft/winget-cli/issues/2879","id":1405431275,"node_id":"IC_kwDOC8It-s5TxS3r","user":{"login":"jadodd-CCG","id":123666226,"node_id":"U_kgDOB17_Mg","avatar_url":"https://avatars.githubusercontent.com/u/123666226?v=4","gravatar_id":"","url":"https://api.github.com/users/jadodd-CCG","html_url":"https://github.com/jadodd-CCG","followers_url":"https://api.github.com/users/jadodd-CCG/followers","following_url":"https://api.github.com/users/jadodd-CCG/following{/other_user}","gists_url":"https://api.github.com/users/jadodd-CCG/gists{/gist_id}","starred_url":"https://api.github.com/users/jadodd-CCG/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/jadodd-CCG/subscriptions","organizations_url":"https://api.github.com/users/jadodd-CCG/orgs","repos_url":"https://api.github.com/users/jadodd-CCG/repos","events_url":"https://api.github.com/users/jadodd-CCG/events{/privacy}","received_events_url":"https://api.github.com/users/jadodd-CCG/received_events","type":"User","user_view_type":"public","site_admin":false},"created_at":"2023-01-26T18:33:41Z","updated_at":"2023-01-26T18:33:41Z","body":"I encountered this same error this morning.  In my case, my traffic to both the winget and msstore sources was being decrypted/reencrypted by our Palo Alto firewall as part of its SSL inspection feature.  
Our PKI is properly configured, so certificates issued by the firewall are valid and trusted on my machine itself, but it seems winget is sensitive to any tampering (legitimate or not) with the certificate from the msstore endpoint.  Adding an SSL inspection bypass for the msstore endpoint URL resolved this issue in my environment.\r\n\r\nI'm not sure when this certificate sensitivity was introduced into winget as I have not encountered this error in the past.  Also of note, SSL inspection is currently running on the winget source's URL, and everything is working correctly, so this seems limited to just the msstore source.  \r\n\r\nPlease let me know if any additional information would be useful.  I don't have a ton of experience contributing to projects like this, but I did want to leave a comment when I realized the same problem I was having was sitting in a day-old issue.","author_association":"NONE","pin":null,"reactions":{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1405431275/reactions","total_count":8,"+1":8,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null},{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1405435266","html_url":"https://github.com/microsoft/winget-cli/issues/2879#issuecomment-1405435266","issue_url":"https://api.github.com/repos/microsoft/winget-cli/issues/2879","id":1405435266,"node_id":"IC_kwDOC8It-s5TxT2C","user":{"login":"denelon","id":61799811,"node_id":"MDQ6VXNlcjYxNzk5ODEx","avatar_url":"https://avatars.githubusercontent.com/u/61799811?v=4","gravatar_id":"","url":"https://api.github.com/users/denelon","html_url":"https://github.com/denelon","followers_url":"https://api.github.com/users/denelon/followers","following_url":"https://api.github.com/users/denelon/following{/other_user}","gists_url":"https://api.github.com/users/denelon/gists{/gist_id}","starred_url":"https://api.github.com/users/denelon/starred{/owner}{/repo}","subscrip
tions_url":"https://api.github.com/users/denelon/subscriptions","organizations_url":"https://api.github.com/users/denelon/orgs","repos_url":"https://api.github.com/users/denelon/repos","events_url":"https://api.github.com/users/denelon/events{/privacy}","received_events_url":"https://api.github.com/users/denelon/received_events","type":"User","user_view_type":"public","site_admin":false},"created_at":"2023-01-26T18:37:11Z","updated_at":"2023-01-26T18:37:39Z","body":"@jadodd-CCG,\r\n\r\nThanks for the information! Yes, we recently introduced certificate pinning for the Microsoft Store source in the latest release. It was also present in some earlier preview releases, but this is the first report I've seen.","author_association":"COLLABORATOR","pin":null,"reactions":{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1405435266/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null},{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1408647578","html_url":"https://github.com/microsoft/winget-cli/issues/2879#issuecomment-1408647578","issue_url":"https://api.github.com/repos/microsoft/winget-cli/issues/2879","id":1408647578,"node_id":"IC_kwDOC8It-s5T9kGa","user":{"login":"obesser","id":73784789,"node_id":"MDQ6VXNlcjczNzg0Nzg5","avatar_url":"https://avatars.githubusercontent.com/u/73784789?v=4","gravatar_id":"","url":"https://api.github.com/users/obesser","html_url":"https://github.com/obesser","followers_url":"https://api.github.com/users/obesser/followers","following_url":"https://api.github.com/users/obesser/following{/other_user}","gists_url":"https://api.github.com/users/obesser/gists{/gist_id}","starred_url":"https://api.github.com/users/obesser/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/obesser/subscriptions","organizations_url":"https://api.github.com/users/obesser/orgs","repos_url":"https://api.github.com/
users/obesser/repos","events_url":"https://api.github.com/users/obesser/events{/privacy}","received_events_url":"https://api.github.com/users/obesser/received_events","type":"User","user_view_type":"public","site_admin":false},"created_at":"2023-01-30T13:38:30Z","updated_at":"2023-01-30T13:38:30Z","body":"So, what would be a solution for networks with SSL inspection that replaces the certificate? Maybe an ignore-certificate flag?","author_association":"NONE","pin":null,"reactions":{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1408647578/reactions","total_count":1,"+1":0,"-1":0,"laugh":1,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null},{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1408729722","html_url":"https://github.com/microsoft/winget-cli/issues/2879#issuecomment-1408729722","issue_url":"https://api.github.com/repos/microsoft/winget-cli/issues/2879","id":1408729722,"node_id":"IC_kwDOC8It-s5T94J6","user":{"login":"jadodd-CCG","id":123666226,"node_id":"U_kgDOB17_Mg","avatar_url":"https://avatars.githubusercontent.com/u/123666226?v=4","gravatar_id":"","url":"https://api.github.com/users/jadodd-CCG","html_url":"https://github.com/jadodd-CCG","followers_url":"https://api.github.com/users/jadodd-CCG/followers","following_url":"https://api.github.com/users/jadodd-CCG/following{/other_user}","gists_url":"https://api.github.com/users/jadodd-CCG/gists{/gist_id}","starred_url":"https://api.github.com/users/jadodd-CCG/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/jadodd-CCG/subscriptions","organizations_url":"https://api.github.com/users/jadodd-CCG/orgs","repos_url":"https://api.github.com/users/jadodd-CCG/repos","events_url":"https://api.github.com/users/jadodd-CCG/events{/privacy}","received_events_url":"https://api.github.com/users/jadodd-CCG/received_events","type":"User","user_view_type":"public","site_admin":false},"created_at":"2023-01-30T14:33:5
8Z","updated_at":"2023-01-30T14:33:58Z","body":"Based on the pull request that added certificate pinning here: https://github.com/microsoft/winget-cli/pull/2347\r\n\r\n>  An admin setting is added to disable pinning, both as an emergency measure in the event that there is a bug or rolled certificate that was not communicated, but also because there are test scenarios where the user actively wants to disable it (HTTPS redirection via something like Fiddler).\r\n> \r\n> The configuration can be loaded from JSON for future dynamic configuration, but it is currently only as a test hook to enable configuration via Group Policy.\r\n\r\nBy poking around the commits from that PR, it looks like the overall goal is to have this configurable via group policy and JSON locally, but only the GPO option appears to be written.  I'm not sure exactly _how_  the group policy configuration is intended to work, but perhaps someone with some more insight into winget's workings and related group policies could shed some light.\r\n\r\nOn the more philosophical front, I believe the most user-friendly way to bypass pinning while maintaining at least some of the protection cert pinning is meant to achieve would be to add a flag such as `--use-system-cas` or `--trusted-CA-file` that would instruct winget to trust certificate chains from the system certificate store (how normal certificate validation is done) or to provide a specific CA certificate to trust.  
","author_association":"NONE","pin":null,"reactions":{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1408729722/reactions","total_count":1,"+1":1,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null},{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1408755961","html_url":"https://github.com/microsoft/winget-cli/issues/2879#issuecomment-1408755961","issue_url":"https://api.github.com/repos/microsoft/winget-cli/issues/2879","id":1408755961,"node_id":"IC_kwDOC8It-s5T9-j5","user":{"login":"jadodd-CCG","id":123666226,"node_id":"U_kgDOB17_Mg","avatar_url":"https://avatars.githubusercontent.com/u/123666226?v=4","gravatar_id":"","url":"https://api.github.com/users/jadodd-CCG","html_url":"https://github.com/jadodd-CCG","followers_url":"https://api.github.com/users/jadodd-CCG/followers","following_url":"https://api.github.com/users/jadodd-CCG/following{/other_user}","gists_url":"https://api.github.com/users/jadodd-CCG/gists{/gist_id}","starred_url":"https://api.github.com/users/jadodd-CCG/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/jadodd-CCG/subscriptions","organizations_url":"https://api.github.com/users/jadodd-CCG/orgs","repos_url":"https://api.github.com/users/jadodd-CCG/repos","events_url":"https://api.github.com/users/jadodd-CCG/events{/privacy}","received_events_url":"https://api.github.com/users/jadodd-CCG/received_events","type":"User","user_view_type":"public","site_admin":false},"created_at":"2023-01-30T14:49:05Z","updated_at":"2023-01-30T14:49:05Z","body":"I love it when I manage to answer my own question about a minute after typing a reply.  Changes to the ADMX to support disabling certificate pinning for the Microsoft Store were committed in https://github.com/microsoft/winget-cli/pull/2637  That commit was included in the 1.4.10173 release, I just missed seeing it in the release notes.  
\r\n\r\nFor the lazy and anyone who may end up here via Google:\r\n\r\n1.  You really should use the ADMX template and apply this setting via group policy if you need this to be done on more than one machine.  Group policy can be your friend if you let it.\r\n2. If you just need this to work on your machine and would rather just sledgehammer it with regedit, then create a DWORD named `EnableBypassCertificatePinningForMicrosoftStore` with a value of `1` at the path `HKLM\\Software\\Policies\\Microsoft\\Windows\\AppInstaller`  Note that this information is only current as of the PR linked above and may change at any time.  Always consult current documentation if possible.\r\n","author_association":"NONE","pin":null,"reactions":{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1408755961/reactions","total_count":20,"+1":11,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":9,"rocket":0,"eyes":0},"performed_via_github_app":null},{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1409225326","html_url":"https://github.com/microsoft/winget-cli/issues/2879#issuecomment-1409225326","issue_url":"https://api.github.com/repos/microsoft/winget-cli/issues/2879","id":1409225326,"node_id":"IC_kwDOC8It-s5T_xJu","user":{"login":"denelon","id":61799811,"node_id":"MDQ6VXNlcjYxNzk5ODEx","avatar_url":"https://avatars.githubusercontent.com/u/61799811?v=4","gravatar_id":"","url":"https://api.github.com/users/denelon","html_url":"https://github.com/denelon","followers_url":"https://api.github.com/users/denelon/followers","following_url":"https://api.github.com/users/denelon/following{/other_user}","gists_url":"https://api.github.com/users/denelon/gists{/gist_id}","starred_url":"https://api.github.com/users/denelon/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/denelon/subscriptions","organizations_url":"https://api.github.com/users/denelon/orgs","repos_url":"https://api.github.com/users/denelon/repos","events_url":"htt
ps://api.github.com/users/denelon/events{/privacy}","received_events_url":"https://api.github.com/users/denelon/received_events","type":"User","user_view_type":"public","site_admin":false},"created_at":"2023-01-30T19:37:00Z","updated_at":"2023-01-30T19:37:00Z","body":"Some additional information:\r\n\r\nThe certificate pinning for the \"msstore\" source was put in place as an additional security measure to ensure your machine is actually talking to the \"msstore\" source. Disabling this check increases the potential risk of a [MITM](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) attack.","author_association":"COLLABORATOR","pin":null,"reactions":{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1409225326/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null},{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1411004784","html_url":"https://github.com/microsoft/winget-cli/issues/2879#issuecomment-1411004784","issue_url":"https://api.github.com/repos/microsoft/winget-cli/issues/2879","id":1411004784,"node_id":"IC_kwDOC8It-s5UGjlw","user":{"login":"faustool","id":2947769,"node_id":"MDQ6VXNlcjI5NDc3Njk=","avatar_url":"https://avatars.githubusercontent.com/u/2947769?v=4","gravatar_id":"","url":"https://api.github.com/users/faustool","html_url":"https://github.com/faustool","followers_url":"https://api.github.com/users/faustool/followers","following_url":"https://api.github.com/users/faustool/following{/other_user}","gists_url":"https://api.github.com/users/faustool/gists{/gist_id}","starred_url":"https://api.github.com/users/faustool/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/faustool/subscriptions","organizations_url":"https://api.github.com/users/faustool/orgs","repos_url":"https://api.github.com/users/faustool/repos","events_url":"https://api.github.com/users/faustool/events{/privacy}","received_eve
nts_url":"https://api.github.com/users/faustool/received_events","type":"User","user_view_type":"public","site_admin":false},"created_at":"2023-01-31T20:16:41Z","updated_at":"2023-01-31T20:46:09Z","body":"I would expect an urgent fix to allow a list of trusted CAs for Winget, or maybe just pull from the Windows Trusted CAs store.\r\n\r\nOn a side note, this SSL inspection feature is a pain. There's no standard configuration across applications and tools to configure trusted CAs. In my computer I have REQUESTS_CA_BUNDLE for Azure CLI, GIT_SSL_CAINFO for git, NODE_EXTRA_CA_CERTS for node and the multiple Java trust stores (one per JVM) for Java applications and tools like Maven and Gradle.\r\n\r\nNow I need one for Winget. What will it be this time? Winget is a Windows-only tool, right? Please get it from Windows Trust Store.","author_association":"NONE","pin":null,"reactions":{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1411004784/reactions","total_count":4,"+1":4,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null},{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1411114420","html_url":"https://github.com/microsoft/winget-cli/issues/2879#issuecomment-1411114420","issue_url":"https://api.github.com/repos/microsoft/winget-cli/issues/2879","id":1411114420,"node_id":"IC_kwDOC8It-s5UG-W0","user":{"login":"denelon","id":61799811,"node_id":"MDQ6VXNlcjYxNzk5ODEx","avatar_url":"https://avatars.githubusercontent.com/u/61799811?v=4","gravatar_id":"","url":"https://api.github.com/users/denelon","html_url":"https://github.com/denelon","followers_url":"https://api.github.com/users/denelon/followers","following_url":"https://api.github.com/users/denelon/following{/other_user}","gists_url":"https://api.github.com/users/denelon/gists{/gist_id}","starred_url":"https://api.github.com/users/denelon/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/denelon/su
bscriptions","organizations_url":"https://api.github.com/users/denelon/orgs","repos_url":"https://api.github.com/users/denelon/repos","events_url":"https://api.github.com/users/denelon/events{/privacy}","received_events_url":"https://api.github.com/users/denelon/received_events","type":"User","user_view_type":"public","site_admin":false},"created_at":"2023-01-31T21:48:59Z","updated_at":"2023-01-31T21:48:59Z","body":"I'm working on updating the documentation at Microsoft Learn to clearly explain the certificate pinning enhancement for the Microsoft Store \"msstore\" source.\r\n\r\nThe enhancement is designed to help reduce the risk of a site impersonating the Microsoft Store REST endpoint. WinGet was enlightened with the thumbprint for the certificate used by the Microsoft Store REST endpoint so WinGet will know it is communicating with the correct \"source\".\r\n\r\nIn the event described above, where networking infrastructure is modifying the connection, WinGet will return the error. The two options are to bypass these checks for the Microsoft Store REST endpoint in the networking infrastructure, or to disable this check in WinGet. 
This can be done by Group Policy, or by the administrative setting:\r\n`winget settings --enable BypassCertificatePinningForMicrosoftStore`","author_association":"COLLABORATOR","pin":null,"reactions":{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1411114420/reactions","total_count":34,"+1":28,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":6,"rocket":0,"eyes":0},"performed_via_github_app":null},{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1411171924","html_url":"https://github.com/microsoft/winget-cli/issues/2879#issuecomment-1411171924","issue_url":"https://api.github.com/repos/microsoft/winget-cli/issues/2879","id":1411171924,"node_id":"IC_kwDOC8It-s5UHMZU","user":{"login":"denelon","id":61799811,"node_id":"MDQ6VXNlcjYxNzk5ODEx","avatar_url":"https://avatars.githubusercontent.com/u/61799811?v=4","gravatar_id":"","url":"https://api.github.com/users/denelon","html_url":"https://github.com/denelon","followers_url":"https://api.github.com/users/denelon/followers","following_url":"https://api.github.com/users/denelon/following{/other_user}","gists_url":"https://api.github.com/users/denelon/gists{/gist_id}","starred_url":"https://api.github.com/users/denelon/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/denelon/subscriptions","organizations_url":"https://api.github.com/users/denelon/orgs","repos_url":"https://api.github.com/users/denelon/repos","events_url":"https://api.github.com/users/denelon/events{/privacy}","received_events_url":"https://api.github.com/users/denelon/received_events","type":"User","user_view_type":"public","site_admin":false},"created_at":"2023-01-31T22:42:24Z","updated_at":"2023-01-31T22:42:24Z","body":"`winget settings export` will export the administrator settings. 
This work was done as a part of building DSC Resources to manage WinGet.","author_association":"COLLABORATOR","pin":null,"reactions":{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1411171924/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null},{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1412066767","html_url":"https://github.com/microsoft/winget-cli/issues/2879#issuecomment-1412066767","issue_url":"https://api.github.com/repos/microsoft/winget-cli/issues/2879","id":1412066767,"node_id":"IC_kwDOC8It-s5UKm3P","user":{"login":"faustool","id":2947769,"node_id":"MDQ6VXNlcjI5NDc3Njk=","avatar_url":"https://avatars.githubusercontent.com/u/2947769?v=4","gravatar_id":"","url":"https://api.github.com/users/faustool","html_url":"https://github.com/faustool","followers_url":"https://api.github.com/users/faustool/followers","following_url":"https://api.github.com/users/faustool/following{/other_user}","gists_url":"https://api.github.com/users/faustool/gists{/gist_id}","starred_url":"https://api.github.com/users/faustool/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/faustool/subscriptions","organizations_url":"https://api.github.com/users/faustool/orgs","repos_url":"https://api.github.com/users/faustool/repos","events_url":"https://api.github.com/users/faustool/events{/privacy}","received_events_url":"https://api.github.com/users/faustool/received_events","type":"User","user_view_type":"public","site_admin":false},"created_at":"2023-02-01T13:33:54Z","updated_at":"2023-02-01T13:33:54Z","body":"> I'm working on updating the documentation at Microsoft Learn to clearly explain the certificate pinning enhancement for the Microsoft Store \"msstore\" source.\r\n> \r\n> The enhancement is designed to help reduce the risk of a site impersonating the Microsoft Store REST endpoint. 
WinGet was enlightened with the thumbprint for the certificate used by the Microsoft Store REST endpoint so WinGet will know it is communicating with the correct \"source\".\r\n> \r\n> In the event described above, where networking infrastructure is modifying the connection, WinGet will return the error. The two options are to bypass these checks for the Microsoft Store REST endpoint in the networking infrastructure, or to disable this check in WinGet. This can be done by Group Policy, or by the administrative setting: `winget settings --enable BypassCertificatePinningForMicrosoftStore`\r\n\r\n> \r\n\r\nSo the implementation is not actually validating the certificate chain like apt, git, npm, node, openssl, Java and others do. That's why it can't simply \"trust\" the proxy re-encryption certificate. The only alternative is to disable the feature and fall back to the same level of security we had before.","author_association":"NONE","pin":null,"reactions":{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1412066767/reactions","total_count":1,"+1":1,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null},{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1412583800","html_url":"https://github.com/microsoft/winget-cli/issues/2879#issuecomment-1412583800","issue_url":"https://api.github.com/repos/microsoft/winget-cli/issues/2879","id":1412583800,"node_id":"IC_kwDOC8It-s5UMlF4","user":{"login":"JohnMcPMS","id":11687500,"node_id":"MDQ6VXNlcjExNjg3NTAw","avatar_url":"https://avatars.githubusercontent.com/u/11687500?v=4","gravatar_id":"","url":"https://api.github.com/users/JohnMcPMS","html_url":"https://github.com/JohnMcPMS","followers_url":"https://api.github.com/users/JohnMcPMS/followers","following_url":"https://api.github.com/users/JohnMcPMS/following{/other_user}","gists_url":"https://api.github.com/users/JohnMcPMS/gists{/gist_id}","starred_url":"https://api.github.com/users/
JohnMcPMS/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/JohnMcPMS/subscriptions","organizations_url":"https://api.github.com/users/JohnMcPMS/orgs","repos_url":"https://api.github.com/users/JohnMcPMS/repos","events_url":"https://api.github.com/users/JohnMcPMS/events{/privacy}","received_events_url":"https://api.github.com/users/JohnMcPMS/received_events","type":"User","user_view_type":"public","site_admin":false},"created_at":"2023-02-01T19:15:08Z","updated_at":"2023-02-01T19:15:08Z","body":"The certificate chain was previously, and continues to be, validated as trusted on the system; regardless of any configuration of settings applied.  That is not something we would change.\r\n\r\nThe pinning feature adds an additional check to ensure that the chain is not just any trusted chain, but is a fairly specific one.  Disabling the feature as described previously simply turns that check off and goes back to allowing any trusted chain.\r\n\r\nThe goal is to prevent supply chain attacks, securing the channel all the way up to the application level.  It is properly detecting tampering on the channel via this SSL inspection (aka man-in-the-middle).  
If an exception for the Store DNS name is not acceptable for your organization, then disabling the feature is the correct action to take.","author_association":"MEMBER","pin":null,"reactions":{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1412583800/reactions","total_count":1,"+1":1,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null},{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1412587091","html_url":"https://github.com/microsoft/winget-cli/issues/2879#issuecomment-1412587091","issue_url":"https://api.github.com/repos/microsoft/winget-cli/issues/2879","id":1412587091,"node_id":"IC_kwDOC8It-s5UMl5T","user":{"login":"faustool","id":2947769,"node_id":"MDQ6VXNlcjI5NDc3Njk=","avatar_url":"https://avatars.githubusercontent.com/u/2947769?v=4","gravatar_id":"","url":"https://api.github.com/users/faustool","html_url":"https://github.com/faustool","followers_url":"https://api.github.com/users/faustool/followers","following_url":"https://api.github.com/users/faustool/following{/other_user}","gists_url":"https://api.github.com/users/faustool/gists{/gist_id}","starred_url":"https://api.github.com/users/faustool/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/faustool/subscriptions","organizations_url":"https://api.github.com/users/faustool/orgs","repos_url":"https://api.github.com/users/faustool/repos","events_url":"https://api.github.com/users/faustool/events{/privacy}","received_events_url":"https://api.github.com/users/faustool/received_events","type":"User","user_view_type":"public","site_admin":false},"created_at":"2023-02-01T19:17:44Z","updated_at":"2023-02-01T19:17:44Z","body":"That settles it for me then, thank you very much for the 
clarification.","author_association":"NONE","pin":null,"reactions":{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1412587091/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null},{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1433784971","html_url":"https://github.com/microsoft/winget-cli/issues/2879#issuecomment-1433784971","issue_url":"https://api.github.com/repos/microsoft/winget-cli/issues/2879","id":1433784971,"node_id":"IC_kwDOC8It-s5VddKL","user":{"login":"jcrben","id":5614134,"node_id":"MDQ6VXNlcjU2MTQxMzQ=","avatar_url":"https://avatars.githubusercontent.com/u/5614134?v=4","gravatar_id":"","url":"https://api.github.com/users/jcrben","html_url":"https://github.com/jcrben","followers_url":"https://api.github.com/users/jcrben/followers","following_url":"https://api.github.com/users/jcrben/following{/other_user}","gists_url":"https://api.github.com/users/jcrben/gists{/gist_id}","starred_url":"https://api.github.com/users/jcrben/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/jcrben/subscriptions","organizations_url":"https://api.github.com/users/jcrben/orgs","repos_url":"https://api.github.com/users/jcrben/repos","events_url":"https://api.github.com/users/jcrben/events{/privacy}","received_events_url":"https://api.github.com/users/jcrben/received_events","type":"User","user_view_type":"public","site_admin":false},"created_at":"2023-02-16T22:11:21Z","updated_at":"2023-02-16T22:11:21Z","body":"> The two options are to bypass these checks for the Microsoft Store REST endpoint in the networking infrastructure, or to disable this check in WinGet. This can be done by Group Policy, or by the administrative setting:\r\nwinget settings --enable BypassCertificatePinningForMicrosoftStore.\r\n\r\nYou say there's two options the proposed solution here sounds like it's just disabling the check in winget? 
How about the bypassing of these checks? And is there a way to do this without involving an administrator?","author_association":"NONE","pin":null,"reactions":{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1433784971/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null},{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1434060752","html_url":"https://github.com/microsoft/winget-cli/issues/2879#issuecomment-1434060752","issue_url":"https://api.github.com/repos/microsoft/winget-cli/issues/2879","id":1434060752,"node_id":"IC_kwDOC8It-s5VegfQ","user":{"login":"JohnMcPMS","id":11687500,"node_id":"MDQ6VXNlcjExNjg3NTAw","avatar_url":"https://avatars.githubusercontent.com/u/11687500?v=4","gravatar_id":"","url":"https://api.github.com/users/JohnMcPMS","html_url":"https://github.com/JohnMcPMS","followers_url":"https://api.github.com/users/JohnMcPMS/followers","following_url":"https://api.github.com/users/JohnMcPMS/following{/other_user}","gists_url":"https://api.github.com/users/JohnMcPMS/gists{/gist_id}","starred_url":"https://api.github.com/users/JohnMcPMS/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/JohnMcPMS/subscriptions","organizations_url":"https://api.github.com/users/JohnMcPMS/orgs","repos_url":"https://api.github.com/users/JohnMcPMS/repos","events_url":"https://api.github.com/users/JohnMcPMS/events{/privacy}","received_events_url":"https://api.github.com/users/JohnMcPMS/received_events","type":"User","user_view_type":"public","site_admin":false},"created_at":"2023-02-17T03:56:20Z","updated_at":"2023-02-17T03:56:20Z","body":"I was saying the two options are:\r\n1. Changes to the network device policies that prevent it from inspecting the traffic to the Microsoft Store REST service.\r\n2. 
Disabling the certificate pinning in winget\r\n\r\nWhile I don't know what access would be required to enact option 1, I suspect it is under the control of a very few IT admins for any given operation.\r\n\r\nAnd option 2 requires one to be an administrator on the machine (or to be put in place by group policy).  There is no way around this requirement as it is in place to prevent an EoP chain attack on the user.","author_association":"MEMBER","pin":null,"reactions":{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1434060752/reactions","total_count":1,"+1":1,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null},{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1435493388","html_url":"https://github.com/microsoft/winget-cli/issues/2879#issuecomment-1435493388","issue_url":"https://api.github.com/repos/microsoft/winget-cli/issues/2879","id":1435493388,"node_id":"IC_kwDOC8It-s5Vj-QM","user":{"login":"jcrben","id":5614134,"node_id":"MDQ6VXNlcjU2MTQxMzQ=","avatar_url":"https://avatars.githubusercontent.com/u/5614134?v=4","gravatar_id":"","url":"https://api.github.com/users/jcrben","html_url":"https://github.com/jcrben","followers_url":"https://api.github.com/users/jcrben/followers","following_url":"https://api.github.com/users/jcrben/following{/other_user}","gists_url":"https://api.github.com/users/jcrben/gists{/gist_id}","starred_url":"https://api.github.com/users/jcrben/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/jcrben/subscriptions","organizations_url":"https://api.github.com/users/jcrben/orgs","repos_url":"https://api.github.com/users/jcrben/repos","events_url":"https://api.github.com/users/jcrben/events{/privacy}","received_events_url":"https://api.github.com/users/jcrben/received_events","type":"User","user_view_type":"public","site_admin":false},"created_at":"2023-02-18T05:56:06Z","updated_at":"2023-02-19T07:31:43Z","body":"@JohnMcPMS 
in effect strongly discouraging the usage of the winget cli in secure corporate environments. Good to know. Hard to see how either of those options is acceptable in secure corporate environments.\r\n\r\nThe first seems like the right approach but as you note likely under the control of a few IT people who are tricky to access and convince.","author_association":"NONE","pin":null,"reactions":{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1435493388/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null},{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1437303435","html_url":"https://github.com/microsoft/winget-cli/issues/2879#issuecomment-1437303435","issue_url":"https://api.github.com/repos/microsoft/winget-cli/issues/2879","id":1437303435,"node_id":"IC_kwDOC8It-s5Vq4KL","user":{"login":"aydeisen","id":14042645,"node_id":"MDQ6VXNlcjE0MDQyNjQ1","avatar_url":"https://avatars.githubusercontent.com/u/14042645?v=4","gravatar_id":"","url":"https://api.github.com/users/aydeisen","html_url":"https://github.com/aydeisen","followers_url":"https://api.github.com/users/aydeisen/followers","following_url":"https://api.github.com/users/aydeisen/following{/other_user}","gists_url":"https://api.github.com/users/aydeisen/gists{/gist_id}","starred_url":"https://api.github.com/users/aydeisen/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/aydeisen/subscriptions","organizations_url":"https://api.github.com/users/aydeisen/orgs","repos_url":"https://api.github.com/users/aydeisen/repos","events_url":"https://api.github.com/users/aydeisen/events{/privacy}","received_events_url":"https://api.github.com/users/aydeisen/received_events","type":"User","user_view_type":"public","site_admin":false},"created_at":"2023-02-20T16:47:48Z","updated_at":"2023-02-20T16:47:48Z","body":"\r\n> @JohnMcPMS in effect strongly discouraging the usage of 
the winget cli in secure corporate environments. Good to know. Hard to see how either of those options is acceptable in secure corporate environments.\r\n> \r\n> The first seems like the right approach but as you note likely under the control of a few IT people who are tricky to access and convince.\r\n@jcrben\r\n\r\nThe IT people have probably already run into this because certificate pinning is heavily used by mobile apps.  They most likely work around it by issuing corporate mobile devices that are tightly controlled by an MDM solution.\r\n\r\nIt's also important to point out that certificate pinning is only coming up with the msstore as a source, and not with winget itself as a source.  The winget cache is not preventing HTTPS Inspection due to HTTPS inspection.\r\n\r\n@denelon\r\n\r\nI'm personally seeing two things related to this issue that are frustrating:\r\n\r\n1. If I try to run `winget upgrade` against an app that the winget data shows was sourced from winget, and not msstore, I should not have to explicitly define the source switch to run the upgrade, especially when running `winget upgrade --all`\r\n2. Something seems off with how certificate pinning is working with winget.  I have `*.mp.microsoft.com` excluded from DPI-SSL on my firewall.  The Microsoft Store app, which I assume is using the same endpoints, is working fine.  winget is continuing to throw the error regarding the server certificate.  
What's different about winget that it's not working when the Microsoft Store app is?","author_association":"NONE","pin":null,"reactions":{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1437303435/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null},{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1437311523","html_url":"https://github.com/microsoft/winget-cli/issues/2879#issuecomment-1437311523","issue_url":"https://api.github.com/repos/microsoft/winget-cli/issues/2879","id":1437311523,"node_id":"IC_kwDOC8It-s5Vq6Ij","user":{"login":"denelon","id":61799811,"node_id":"MDQ6VXNlcjYxNzk5ODEx","avatar_url":"https://avatars.githubusercontent.com/u/61799811?v=4","gravatar_id":"","url":"https://api.github.com/users/denelon","html_url":"https://github.com/denelon","followers_url":"https://api.github.com/users/denelon/followers","following_url":"https://api.github.com/users/denelon/following{/other_user}","gists_url":"https://api.github.com/users/denelon/gists{/gist_id}","starred_url":"https://api.github.com/users/denelon/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/denelon/subscriptions","organizations_url":"https://api.github.com/users/denelon/orgs","repos_url":"https://api.github.com/users/denelon/repos","events_url":"https://api.github.com/users/denelon/events{/privacy}","received_events_url":"https://api.github.com/users/denelon/received_events","type":"User","user_view_type":"public","site_admin":false},"created_at":"2023-02-20T16:55:13Z","updated_at":"2023-02-20T16:55:13Z","body":"> @JohnMcPMS John McPherson FTE in effect strongly discouraging the usage of the winget cli in secure corporate environments. Good to know. 
Hard to see how either of those options is acceptable in secure corporate environments.\r\n> \r\n> The first seems like the right approach but as you note likely under the control of a few IT people who are tricky to access and convince.\r\n\r\n@jcrben it's just another layer of security. It's actually intended to improve security. If an enterprise has such a firewall, it would likely be an IT function to either disable the SSL inspection for the Microsoft Store source in their firewall, or to disable the check for the certificate pinning by the client.","author_association":"COLLABORATOR","pin":null,"reactions":{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1437311523/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null},{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1437313340","html_url":"https://github.com/microsoft/winget-cli/issues/2879#issuecomment-1437313340","issue_url":"https://api.github.com/repos/microsoft/winget-cli/issues/2879","id":1437313340,"node_id":"IC_kwDOC8It-s5Vq6k8","user":{"login":"denelon","id":61799811,"node_id":"MDQ6VXNlcjYxNzk5ODEx","avatar_url":"https://avatars.githubusercontent.com/u/61799811?v=4","gravatar_id":"","url":"https://api.github.com/users/denelon","html_url":"https://github.com/denelon","followers_url":"https://api.github.com/users/denelon/followers","following_url":"https://api.github.com/users/denelon/following{/other_user}","gists_url":"https://api.github.com/users/denelon/gists{/gist_id}","starred_url":"https://api.github.com/users/denelon/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/denelon/subscriptions","organizations_url":"https://api.github.com/users/denelon/orgs","repos_url":"https://api.github.com/users/denelon/repos","events_url":"https://api.github.com/users/denelon/events{/privacy}","received_events_url":"https://api.github.com/users/denelon/recei
ved_events","type":"User","user_view_type":"public","site_admin":false},"created_at":"2023-02-20T16:56:57Z","updated_at":"2023-02-20T16:56:57Z","body":"@aydeisen if you run `winget source export` you can see the URL for the \"msstore\" REST source:\r\n\r\n```text\r\nwinget source export\r\n{\"Arg\":\"https://storeedgefd.dsx.mp.microsoft.com/v9.0\",\"Data\":\"\",\"Identifier\":\"StoreEdgeFD\",\"Name\":\"msstore\",\"Type\":\"Microsoft.Rest\"}\r\n{\"Arg\":\"https://cdn.winget.microsoft.com/cache\",\"Data\":\"Microsoft.Winget.Source_8wekyb3d8bbwe\",\"Identifier\":\"Microsoft.Winget.Source_8wekyb3d8bbwe\",\"Name\":\"winget\",\"Type\":\"Microsoft.PreIndexed.Package\"}\r\n```\r\nThe URL we're pinning the certificate for is:\r\nhttps://storeedgefd.dsx.mp.microsoft.com/v9.0","author_association":"COLLABORATOR","pin":null,"reactions":{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1437313340/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null},{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1437342634","html_url":"https://github.com/microsoft/winget-cli/issues/2879#issuecomment-1437342634","issue_url":"https://api.github.com/repos/microsoft/winget-cli/issues/2879","id":1437342634,"node_id":"IC_kwDOC8It-s5VrBuq","user":{"login":"aydeisen","id":14042645,"node_id":"MDQ6VXNlcjE0MDQyNjQ1","avatar_url":"https://avatars.githubusercontent.com/u/14042645?v=4","gravatar_id":"","url":"https://api.github.com/users/aydeisen","html_url":"https://github.com/aydeisen","followers_url":"https://api.github.com/users/aydeisen/followers","following_url":"https://api.github.com/users/aydeisen/following{/other_user}","gists_url":"https://api.github.com/users/aydeisen/gists{/gist_id}","starred_url":"https://api.github.com/users/aydeisen/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/aydeisen/subscriptions","organizations_url":"https://ap
i.github.com/users/aydeisen/orgs","repos_url":"https://api.github.com/users/aydeisen/repos","events_url":"https://api.github.com/users/aydeisen/events{/privacy}","received_events_url":"https://api.github.com/users/aydeisen/received_events","type":"User","user_view_type":"public","site_admin":false},"created_at":"2023-02-20T17:19:34Z","updated_at":"2023-02-20T17:19:34Z","body":"> @aydeisen if you run `winget source export` you can see the URL for the \"msstore\" REST source:\r\n> \r\n> ```\r\n> winget source export\r\n> {\"Arg\":\"https://storeedgefd.dsx.mp.microsoft.com/v9.0\",\"Data\":\"\",\"Identifier\":\"StoreEdgeFD\",\"Name\":\"msstore\",\"Type\":\"Microsoft.Rest\"}\r\n> {\"Arg\":\"https://cdn.winget.microsoft.com/cache\",\"Data\":\"Microsoft.Winget.Source_8wekyb3d8bbwe\",\"Identifier\":\"Microsoft.Winget.Source_8wekyb3d8bbwe\",\"Name\":\"winget\",\"Type\":\"Microsoft.PreIndexed.Package\"}\r\n> ```\r\n> \r\n> The URL we're pinning the certificate for is: https://storeedgefd.dsx.mp.microsoft.com/v9.0\r\n\r\n@denelon \r\n\r\nI am fully aware of this.  Based on the URL, my exclusion for `*.mp.microsoft.com` from DPI-SSL inspection would encompass that URL.  I know that my exclusion works because I'm not receiving errors from the Microsoft Store app.\r\n\r\nIf both the Microsoft Store App (22212.1401.8.0) and winget (v1.4.10173) are executing from the same machine with the same firewall restrictions and looking in the msstore endpoint, I would assume consistent results between the two.  
Instead, the Microsoft Store app is working whereas winget continues to state the server certificate doesn't match.\r\n\r\nI can't find documentation that tells me how to identify the difference between the two or whether the issue is truly related to the app or DPI-SSL inspection","author_association":"NONE","pin":null,"reactions":{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1437342634/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null},{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1437352910","html_url":"https://github.com/microsoft/winget-cli/issues/2879#issuecomment-1437352910","issue_url":"https://api.github.com/repos/microsoft/winget-cli/issues/2879","id":1437352910,"node_id":"IC_kwDOC8It-s5VrEPO","user":{"login":"denelon","id":61799811,"node_id":"MDQ6VXNlcjYxNzk5ODEx","avatar_url":"https://avatars.githubusercontent.com/u/61799811?v=4","gravatar_id":"","url":"https://api.github.com/users/denelon","html_url":"https://github.com/denelon","followers_url":"https://api.github.com/users/denelon/followers","following_url":"https://api.github.com/users/denelon/following{/other_user}","gists_url":"https://api.github.com/users/denelon/gists{/gist_id}","starred_url":"https://api.github.com/users/denelon/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/denelon/subscriptions","organizations_url":"https://api.github.com/users/denelon/orgs","repos_url":"https://api.github.com/users/denelon/repos","events_url":"https://api.github.com/users/denelon/events{/privacy}","received_events_url":"https://api.github.com/users/denelon/received_events","type":"User","user_view_type":"public","site_admin":false},"created_at":"2023-02-20T17:30:36Z","updated_at":"2023-02-20T17:30:36Z","body":"@adydeisen \r\nIf you enable the policy for \"Bypass Certificate Pinning For Microsoft Store\" on the machine, do you still get the 
error when you try to install packages?\r\n\r\nDo you see different behavior if you specify the source in the command?","author_association":"COLLABORATOR","pin":null,"reactions":{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1437352910/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null},{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1437401094","html_url":"https://github.com/microsoft/winget-cli/issues/2879#issuecomment-1437401094","issue_url":"https://api.github.com/repos/microsoft/winget-cli/issues/2879","id":1437401094,"node_id":"IC_kwDOC8It-s5VrQAG","user":{"login":"aydeisen","id":14042645,"node_id":"MDQ6VXNlcjE0MDQyNjQ1","avatar_url":"https://avatars.githubusercontent.com/u/14042645?v=4","gravatar_id":"","url":"https://api.github.com/users/aydeisen","html_url":"https://github.com/aydeisen","followers_url":"https://api.github.com/users/aydeisen/followers","following_url":"https://api.github.com/users/aydeisen/following{/other_user}","gists_url":"https://api.github.com/users/aydeisen/gists{/gist_id}","starred_url":"https://api.github.com/users/aydeisen/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/aydeisen/subscriptions","organizations_url":"https://api.github.com/users/aydeisen/orgs","repos_url":"https://api.github.com/users/aydeisen/repos","events_url":"https://api.github.com/users/aydeisen/events{/privacy}","received_events_url":"https://api.github.com/users/aydeisen/received_events","type":"User","user_view_type":"public","site_admin":false},"created_at":"2023-02-20T18:17:58Z","updated_at":"2023-02-20T18:17:58Z","body":"@denelon\r\n\r\n>Do you see different behavior if you specify the source in the command?\r\n\r\nYes, if I explicitly specify `--source winget`, I do not receive an error.  
I object to being required to provide the parameter when winget already knows I installed a package from the winget source instead of the msstore source, but it does work.\r\n\r\nThe error does persist if I say `--source msstore`, so the issue is with the msstore source\r\n\r\n>If you enable the policy for \"Bypass Certificate Pinning For Microsoft Store\" on the machine, do you still get the error when you try to install packages?\r\n\r\nno, enabling the setting prevents the error.  Given the choice, I would prefer not to bypass certificate pinning and allow winget to confirm its certificate chain is what is expected","author_association":"NONE","pin":null,"reactions":{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1437401094/reactions","total_count":2,"+1":2,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null},{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1437406456","html_url":"https://github.com/microsoft/winget-cli/issues/2879#issuecomment-1437406456","issue_url":"https://api.github.com/repos/microsoft/winget-cli/issues/2879","id":1437406456,"node_id":"IC_kwDOC8It-s5VrRT4","user":{"login":"denelon","id":61799811,"node_id":"MDQ6VXNlcjYxNzk5ODEx","avatar_url":"https://avatars.githubusercontent.com/u/61799811?v=4","gravatar_id":"","url":"https://api.github.com/users/denelon","html_url":"https://github.com/denelon","followers_url":"https://api.github.com/users/denelon/followers","following_url":"https://api.github.com/users/denelon/following{/other_user}","gists_url":"https://api.github.com/users/denelon/gists{/gist_id}","starred_url":"https://api.github.com/users/denelon/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/denelon/subscriptions","organizations_url":"https://api.github.com/users/denelon/orgs","repos_url":"https://api.github.com/users/denelon/repos","events_url":"https://api.github.com/users/denelon/events{/privacy}","receiv
ed_events_url":"https://api.github.com/users/denelon/received_events","type":"User","user_view_type":"public","site_admin":false},"created_at":"2023-02-20T18:24:01Z","updated_at":"2023-02-20T18:24:01Z","body":"When multiple sources are configured, there may be matches returned from any of those sources.\r\n\r\nWinGet doesn't \"know\" if the current version of the package was installed from a specific source or by the user manually, or if the package upgraded itself. The source column is used to indicate a match with a manifest in one or more configured sources.\r\n\r\nI don't intend for users to \"have\" to specify a source. I was asking as a troubleshooting mechanism.\r\n\r\nWinGet still does check the root of trust for the \"msstore\" source as @JohnMcPMS stated above. The certificate pinning is simply another layer of validation intended to ensure the connection is with the expected endpoint.","author_association":"COLLABORATOR","pin":null,"reactions":{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1437406456/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null},{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1437464027","html_url":"https://github.com/microsoft/winget-cli/issues/2879#issuecomment-1437464027","issue_url":"https://api.github.com/repos/microsoft/winget-cli/issues/2879","id":1437464027,"node_id":"IC_kwDOC8It-s5VrfXb","user":{"login":"aydeisen","id":14042645,"node_id":"MDQ6VXNlcjE0MDQyNjQ1","avatar_url":"https://avatars.githubusercontent.com/u/14042645?v=4","gravatar_id":"","url":"https://api.github.com/users/aydeisen","html_url":"https://github.com/aydeisen","followers_url":"https://api.github.com/users/aydeisen/followers","following_url":"https://api.github.com/users/aydeisen/following{/other_user}","gists_url":"https://api.github.com/users/aydeisen/gists{/gist_id}","starred_url":"https://api.github.com/users/aydei
sen/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/aydeisen/subscriptions","organizations_url":"https://api.github.com/users/aydeisen/orgs","repos_url":"https://api.github.com/users/aydeisen/repos","events_url":"https://api.github.com/users/aydeisen/events{/privacy}","received_events_url":"https://api.github.com/users/aydeisen/received_events","type":"User","user_view_type":"public","site_admin":false},"created_at":"2023-02-20T19:32:31Z","updated_at":"2023-02-20T19:33:19Z","body":">WinGet doesn't \"know\" if the current version of the package was installed from a specific source or by the user manually, or if the package upgraded itself. The source column is used to indicate a match with a manifest in one or more configured sources.\r\n\r\nI must be misunderstanding something then:\r\n\r\nIf I run `winget list` to view installed packages, I still get a source column that's populated for packages I installed from winget, and blank for packages I did not.\r\n\r\nWhen referring to packages I already have installed, am I to understand that the source column is not telling that it's a winget installed package when the source column is 
populated?","author_association":"NONE","pin":null,"reactions":{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1437464027/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null},{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1437478379","html_url":"https://github.com/microsoft/winget-cli/issues/2879#issuecomment-1437478379","issue_url":"https://api.github.com/repos/microsoft/winget-cli/issues/2879","id":1437478379,"node_id":"IC_kwDOC8It-s5Vri3r","user":{"login":"Masamune3210","id":1053504,"node_id":"MDQ6VXNlcjEwNTM1MDQ=","avatar_url":"https://avatars.githubusercontent.com/u/1053504?v=4","gravatar_id":"","url":"https://api.github.com/users/Masamune3210","html_url":"https://github.com/Masamune3210","followers_url":"https://api.github.com/users/Masamune3210/followers","following_url":"https://api.github.com/users/Masamune3210/following{/other_user}","gists_url":"https://api.github.com/users/Masamune3210/gists{/gist_id}","starred_url":"https://api.github.com/users/Masamune3210/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/Masamune3210/subscriptions","organizations_url":"https://api.github.com/users/Masamune3210/orgs","repos_url":"https://api.github.com/users/Masamune3210/repos","events_url":"https://api.github.com/users/Masamune3210/events{/privacy}","received_events_url":"https://api.github.com/users/Masamune3210/received_events","type":"User","user_view_type":"public","site_admin":false},"created_at":"2023-02-20T19:41:10Z","updated_at":"2023-02-20T19:41:10Z","body":"List currently doesn't show msstore matches iirc due to some matching weirdness that is still being worked 
out","author_association":"NONE","pin":null,"reactions":{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1437478379/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null},{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1438896219","html_url":"https://github.com/microsoft/winget-cli/issues/2879#issuecomment-1438896219","issue_url":"https://api.github.com/repos/microsoft/winget-cli/issues/2879","id":1438896219,"node_id":"IC_kwDOC8It-s5Vw9Bb","user":{"login":"denelon","id":61799811,"node_id":"MDQ6VXNlcjYxNzk5ODEx","avatar_url":"https://avatars.githubusercontent.com/u/61799811?v=4","gravatar_id":"","url":"https://api.github.com/users/denelon","html_url":"https://github.com/denelon","followers_url":"https://api.github.com/users/denelon/followers","following_url":"https://api.github.com/users/denelon/following{/other_user}","gists_url":"https://api.github.com/users/denelon/gists{/gist_id}","starred_url":"https://api.github.com/users/denelon/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/denelon/subscriptions","organizations_url":"https://api.github.com/users/denelon/orgs","repos_url":"https://api.github.com/users/denelon/repos","events_url":"https://api.github.com/users/denelon/events{/privacy}","received_events_url":"https://api.github.com/users/denelon/received_events","type":"User","user_view_type":"public","site_admin":false},"created_at":"2023-02-21T18:04:18Z","updated_at":"2023-02-21T18:04:18Z","body":"> > WinGet doesn't \"know\" if the current version of the package was installed from a specific source or by the user manually, or if the package upgraded itself. 
The source column is used to indicate a match with a manifest in one or more configured sources.\r\n> \r\n> I must be misunderstanding something then:\r\n> \r\n> If I run `winget list` to view installed packages, I still get a source column that's populated for packages I installed from winget, and blank for packages I did not.\r\n\r\nThere is a subtle distinction here. The source column is populated with \"winget\" when an installed package appears to match a manifest in the \"winget\" source. It doesn't matter how they were actually installed.\r\n\r\n> \r\n> When referring to packages I already have installed, am I to understand that the source column is not telling that it's a winget installed package when the source column is populated?\r\n\r\n","author_association":"COLLABORATOR","pin":null,"reactions":{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1438896219/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null},{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1438930012","html_url":"https://github.com/microsoft/winget-cli/issues/2879#issuecomment-1438930012","issue_url":"https://api.github.com/repos/microsoft/winget-cli/issues/2879","id":1438930012,"node_id":"IC_kwDOC8It-s5VxFRc","user":{"login":"aydeisen","id":14042645,"node_id":"MDQ6VXNlcjE0MDQyNjQ1","avatar_url":"https://avatars.githubusercontent.com/u/14042645?v=4","gravatar_id":"","url":"https://api.github.com/users/aydeisen","html_url":"https://github.com/aydeisen","followers_url":"https://api.github.com/users/aydeisen/followers","following_url":"https://api.github.com/users/aydeisen/following{/other_user}","gists_url":"https://api.github.com/users/aydeisen/gists{/gist_id}","starred_url":"https://api.github.com/users/aydeisen/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/aydeisen/subscriptions","organizations_url":"https://api.github.com/user
s/aydeisen/orgs","repos_url":"https://api.github.com/users/aydeisen/repos","events_url":"https://api.github.com/users/aydeisen/events{/privacy}","received_events_url":"https://api.github.com/users/aydeisen/received_events","type":"User","user_view_type":"public","site_admin":false},"created_at":"2023-02-21T18:34:51Z","updated_at":"2023-02-21T18:34:51Z","body":">There is a subtle distinction here. The source column is populated with \"winget\" when an installed package appears to match a manifest in the \"winget\" source. It doesn't matter how they were actually installed.\r\n\r\nGot it; that was a failure on my part on how I understood what that column meant, and why my first question was nonsensical.\r\n\r\nThanks for the clarification","author_association":"NONE","pin":null,"reactions":{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1438930012/reactions","total_count":1,"+1":1,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null},{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1624234049","html_url":"https://github.com/microsoft/winget-cli/issues/2879#issuecomment-1624234049","issue_url":"https://api.github.com/repos/microsoft/winget-cli/issues/2879","id":1624234049,"node_id":"IC_kwDOC8It-s5gz9hB","user":{"login":"denelon","id":61799811,"node_id":"MDQ6VXNlcjYxNzk5ODEx","avatar_url":"https://avatars.githubusercontent.com/u/61799811?v=4","gravatar_id":"","url":"https://api.github.com/users/denelon","html_url":"https://github.com/denelon","followers_url":"https://api.github.com/users/denelon/followers","following_url":"https://api.github.com/users/denelon/following{/other_user}","gists_url":"https://api.github.com/users/denelon/gists{/gist_id}","starred_url":"https://api.github.com/users/denelon/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/denelon/subscriptions","organizations_url":"https://api.github.com/users/denelon/orgs","repos_url":
"https://api.github.com/users/denelon/repos","events_url":"https://api.github.com/users/denelon/events{/privacy}","received_events_url":"https://api.github.com/users/denelon/received_events","type":"User","user_view_type":"public","site_admin":false},"created_at":"2023-07-06T19:56:00Z","updated_at":"2023-07-06T19:56:00Z","body":"WinGet 1.4 originally had a certificate root for the \"msstore\" source that was deprecated.\r\nWe did have a 1.4 servicing release with the new certificate.\r\nhttps://github.com/microsoft/winget-cli/releases/tag/v1.4.11071\r\n\r\nWinGet 1.5 is now out and also has the correct certificate.\r\nhttps://github.com/microsoft/winget-cli/releases/tag/v1.5.1572\r\nWe've updated the https://aka.ms/getwinget link to point to the latest stable release.","author_association":"COLLABORATOR","pin":null,"reactions":{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1624234049/reactions","total_count":2,"+1":0,"-1":0,"laugh":0,"hooray":2,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null},{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1625489710","html_url":"https://github.com/microsoft/winget-cli/issues/2879#issuecomment-1625489710","issue_url":"https://api.github.com/repos/microsoft/winget-cli/issues/2879","id":1625489710,"node_id":"IC_kwDOC8It-s5g4wEu","user":{"login":"Maxime-ADAGP","id":91597628,"node_id":"U_kgDOBXWrPA","avatar_url":"https://avatars.githubusercontent.com/u/91597628?v=4","gravatar_id":"","url":"https://api.github.com/users/Maxime-ADAGP","html_url":"https://github.com/Maxime-ADAGP","followers_url":"https://api.github.com/users/Maxime-ADAGP/followers","following_url":"https://api.github.com/users/Maxime-ADAGP/following{/other_user}","gists_url":"https://api.github.com/users/Maxime-ADAGP/gists{/gist_id}","starred_url":"https://api.github.com/users/Maxime-ADAGP/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/Maxime-ADAGP/subscriptions","org
anizations_url":"https://api.github.com/users/Maxime-ADAGP/orgs","repos_url":"https://api.github.com/users/Maxime-ADAGP/repos","events_url":"https://api.github.com/users/Maxime-ADAGP/events{/privacy}","received_events_url":"https://api.github.com/users/Maxime-ADAGP/received_events","type":"User","user_view_type":"public","site_admin":false},"created_at":"2023-07-07T14:21:49Z","updated_at":"2023-07-07T14:25:16Z","body":"> WinGet 1.5 is now out and also has the correct certificate.\r\n\r\nThis seemed to be the problem in my case and the new version solved it. I hope everyone else will have the same experience!\r\n\r\nEDIT: I was previously running winget v1.4.10173","author_association":"NONE","pin":null,"reactions":{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1625489710/reactions","total_count":0,"+1":0,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null},{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1627322711","html_url":"https://github.com/microsoft/winget-cli/issues/2879#issuecomment-1627322711","issue_url":"https://api.github.com/repos/microsoft/winget-cli/issues/2879","id":1627322711,"node_id":"IC_kwDOC8It-s5g_vlX","user":{"login":"mimoguz","id":7283047,"node_id":"MDQ6VXNlcjcyODMwNDc=","avatar_url":"https://avatars.githubusercontent.com/u/7283047?v=4","gravatar_id":"","url":"https://api.github.com/users/mimoguz","html_url":"https://github.com/mimoguz","followers_url":"https://api.github.com/users/mimoguz/followers","following_url":"https://api.github.com/users/mimoguz/following{/other_user}","gists_url":"https://api.github.com/users/mimoguz/gists{/gist_id}","starred_url":"https://api.github.com/users/mimoguz/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/mimoguz/subscriptions","organizations_url":"https://api.github.com/users/mimoguz/orgs","repos_url":"https://api.github.com/users/mimoguz/repos","events_url":"https://api.github
.com/users/mimoguz/events{/privacy}","received_events_url":"https://api.github.com/users/mimoguz/received_events","type":"User","user_view_type":"public","site_admin":false},"created_at":"2023-07-08T14:09:57Z","updated_at":"2023-07-08T14:09:57Z","body":"I still have this problem on my home desktop:\r\n\r\n```\r\n➜ winget --version\r\nv1.5.1572\r\n\r\n➜ winget upgrade --source msstore\r\nFailed when opening source(s); try the 'source reset' command if the problem persists.\r\nAn unexpected error occurred while executing the command:\r\n0x8a15005e : The server certificate did not match any of the expected values.\r\n```\r\n\r\nEnabling ```BypassCertificatePinningForMicrosoftStore``` just changes the error from ```0x8a15005e : The server certificate did not match any of the expected values.``` to ```WinHttpReceiveResponse: 12152: The server returned an invalid or unrecognized response```. \r\n","author_association":"NONE","pin":null,"reactions":{"url":"https://api.github.com/repos/microsoft/winget-cli/issues/comments/1627322711/reactions","total_count":3,"+1":3,"-1":0,"laugh":0,"hooray":0,"confused":0,"heart":0,"rocket":0,"eyes":0},"performed_via_github_app":null}]