Recompiling Chocolatey packages

Chocolatey is a very popular tool among system administrators as it helps automate package management for Windows. Since Chocolatey can be used completely with a CLI, you can programmatically create, install and uninstall packages locally and remotely. One of the main issues I normally hear from Chocolatey users is that they do not trust to install packages directly from the main Chocolatey public repository. This is for good reason since in order to trust the repository you must trust whoever is maintaining that package and there is only so much vetting Chocolatey can do to ensure a package is safe. Not to mention if you use the public repository exclusively as your source of packages you are constantly downloaded packages from the internet which leads to additional security concerns. This is where recompiling packages comes in handy.

One feature of Chocolatey Business I enjoy is the capability to recompile packages hosted on its public repository and internalize them so they can be deployed from on your own NuGet server. During this process Chocolatey downloads the NuGet package and changes its code so that all resources needed are now on your NuGet server.

Now this may not be a feature you want to use for all packages hosted on Chocolatey, but for simple packages that pull their installers directly from a known good URL such as Google Chrome, it will save you hours of time. Note that you should always inspect packages from the Chocolatey public repository to ensure you understand how it is installing packages.

In this article I will show you how you can automate this process using a list of packages you want to recompile using PowerShell.

For this example I will recompile Google Chrome, Evernote and LastPass from Chocolatey.

First I will put these packages in an array by package name.

Now this is where the fun begins. I can simply pipe this array in PowerShell to the choco download command which will automatically download the package from the Chocolatey repository and internalize the package.

Within 30 seconds I have all three packages recompiled to my local machine along with their resources. What Chocolatey does during this process is extracts each package into the C:Recompiledownloads folder, downloads any resources it needs (such as the public installer URL) changes the installation code to automatically point to local installer files and then creates a NuGet package.

2 Responses to “Recompiling Chocolatey packages