Ensure downloaded installer files are removed after validation. Add
cleanupInstaller to remove the installer file (ignoring missing files
and logging failures). Propagate a downloaded installer path from
DownloadMaintainedApp (signature now returns the TempFileReader, the
saved file path, and error), write the installer into cfg.tmpDir and set
INSTALLER_PATH in cfg.env. Call cleanupInstaller on error paths and
after successful validation to avoid leftover temp files.
This pull request updates the application validation logic to better
handle Google Chrome's auto-update behavior on Windows. Specifically, it
ensures that the validation does not fail if Chrome's installed version
is newer than the installer version, which is a common case due to its
auto-updating nature.
Application validation improvements:
* Modified the `appExists` function in `windows.go` to skip strict
version checks for Google Chrome and log an informational message when a
version mismatch is detected, treating the app as installed if found.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40054
# Checklist for submitter
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- present in a previous PR
## Testing
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Updated logging infrastructure throughout the application to use Go's
standard library logging system. This replaces the previous logging
implementation with an improved, standardized approach. Logging output
format may appear slightly different, but all diagnostic and operational
logging capabilities remain fully intact and functional.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#38889
Plan was to convert `osquery_utils` package to slog. Picked up some
additional code that was related.
# Checklist for submitter
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- Already have changes
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
# Release Notes
## Refactor
* Updated internal logging infrastructure to use improved system-level
logging utilities
## Tests
* Updated test suite to align with internal logging changes
---
**Note:** This release contains internal infrastructure improvements
with no user-facing changes or new features.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Introduces WhatsAppInstallerURL to override the installer URL and set
SHA256 to 'no_check' for WhatsApp on Darwin. Updates the function map to
apply both WhatsAppVersionShortener and WhatsAppInstallerURL for
WhatsApp manifests.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#38816
Updated the allowedCategories map to use 'Developer tools' instead of
'Developer Tools' to ensure category matching is consistent with how
this category is displayed in the UI.
Adds logic to handle cases where the expected app version is more
specific than the version reported by osquery (e.g., expected '6.4.0' vs
reported '6.4'). This ensures more robust version matching when
validating installed applications.
This pull request adds support for managing Adobe DNG Converter on
macOS. The main changes include introducing metadata and
installation/uninstallation scripts for this application, updating the
app registry, and improving version detection logic to handle Adobe’s
unique versioning format.
**Support for Adobe DNG Converter:**
* Added a new input definition for Adobe DNG Converter in
`homebrew/adobe-dng-converter.json`, specifying its identifiers,
installer format, and default category.
* Generated an output manifest in
`outputs/adobe-dng-converter/darwin.json` with version info, download
URL, SHA256, and detailed install/uninstall scripts for managing the app
lifecycle.
* Registered Adobe DNG Converter in the main `apps.json` registry,
including a description, unique identifier, and platform.
**Improvements to version detection:**
* Updated the `appExists` function in `darwin.go` to correctly detect
Adobe DNG Converter even when the installed version string includes a
build number in parentheses, improving reliability of version checks.
### Summary
This PR adds support for `.zip` files as Windows Fleet Managed Apps
(FMAs). Zip files on Windows are treated similarly to `.exe` files and
require custom install/uninstall scripts, typically used for AppX/MSIX
packages that are distributed as zip archives.
### Changes
**Backend:**
- Added `.zip` as a supported Windows package type in
`SoftwareInstallerPlatformFromExtension`
- Updated validation to require install/uninstall scripts for zip files
(similar to `.exe` files)
- Added `addZipPackageMetadata` function to handle zip file metadata
extraction
- Updated error messages to include `.zip` in the list of supported file
types
- Enhanced `appExists` validation to detect provisioned AppX packages
(packages that are provisioned for all users but don't show up in the
programs table until a user logs in)
- Added version normalization logic to handle version string differences
(e.g., "11.2.1495.0" vs "11.2.1495")
- Updated winget ingester to recognize zip files and default to user
scope for MSIX/zip installers
**Frontend:**
- Added `.zip` to `windowsPackageTypes` in `package_type.ts`
- Updated `PackageAdvancedOptions` component to require
install/uninstall scripts for zip files
- Added validation rules for zip files in `PackageForm/helpers.tsx`
- Updated help text and tooltips to indicate script requirements for zip
packages
- Updated `software_install_scripts.ts` to include zip in default script
handling
**Maintained Apps:**
- Added Microsoft Company Portal as a maintained app example using zip
files
- Created install/uninstall PowerShell scripts that:
- Extract zip files containing AppX packages
- Provision packages for all future users (works in headless
environments)
- Install packages for the current user
- Handle both provisioned and installed package detection
**Tests:**
- Updated integration tests to include `.zip` in supported file type
error messages
- Updated unit tests for `SoftwareInstallerPlatformFromExtension` and
`SofwareInstallerSourceFromExtensionAndName`
### Use Case
This enables distribution of Windows AppX/MSIX packages that are
packaged as zip files (common for Microsoft Store apps like Company
Portal). The implementation handles both provisioned packages (for all
users) and user-installed packages, ensuring detection works in both
headless and interactive environments.
### Testing
- Updated existing tests to include zip file support
- Added Microsoft Company Portal as a maintained app example with full
install/uninstall scripts
---
**Note:** This PR follows the same pattern as `.exe` file support,
requiring custom install/uninstall scripts since zip files can contain
various content types that need custom handling.
This pull request adds support for several new macOS applications to the
maintained apps system. It introduces new input definitions, output
metadata, and installation/uninstallation scripts for each app, enabling
automated management and categorization. The changes primarily focus on
expanding the catalog with productivity, developer, and communication
tools.
**New App Integrations:**
* Added input definitions and output metadata for the following apps:
- Inkscape (vector graphics editor)
[[1]](diffhunk://#diff-7ce5d431eb69c5546afaa12ada343d8584e835e855ecebf4adc13801ab3eab78R1-R8)
[[2]](diffhunk://#diff-4c1446cfc02c6bb0bda874481e333c65b84e184fcea52f656b49a6489f73c9c2R697-R703)
[[3]](diffhunk://#diff-00054bf967e9164fbd87bfc1518f6332cbee50e85936c7e9617a0bfefe405fa4R1-R21)
- Jabra Direct (headset management)
[[1]](diffhunk://#diff-78c52106d0314ec88decc1b6e6490ea8519a45170df466789414c8eac90825f9R1-R8)
[[2]](diffhunk://#diff-4c1446cfc02c6bb0bda874481e333c65b84e184fcea52f656b49a6489f73c9c2R739-R745)
[[3]](diffhunk://#diff-cd97d46bd199c6376c16fe81366404c1a3010d3f75b8b8b9a611d354a9edc2cbR1-R21)
- Keeper Password Manager (password manager)
[[1]](diffhunk://#diff-a973ebde05953000c62f2492b17c079a9e552fd3bbab3b678ee2aa0757dafeadR1-R8)
[[2]](diffhunk://#diff-4c1446cfc02c6bb0bda874481e333c65b84e184fcea52f656b49a6489f73c9c2R767-R787)
[[3]](diffhunk://#diff-5b88b8712d6bf670a34dd05a496fa7a036b9f53dda262bea1f57deb9a10f6f6eR1-R21)
- Keka (file archiver)
[[1]](diffhunk://#diff-2c462b137233fc73d72dd6f42b4bc07e58d6396e6b178741d496536822f4e732R1-R8)
[[2]](diffhunk://#diff-4c1446cfc02c6bb0bda874481e333c65b84e184fcea52f656b49a6489f73c9c2R767-R787)
- Lens (Kubernetes IDE)
[[1]](diffhunk://#diff-51e6db269aa8b8fc295f8573eb1582adbb28bcf1f1fd040fe92f8e0e95c816b2R1-R8)
[[2]](diffhunk://#diff-4c1446cfc02c6bb0bda874481e333c65b84e184fcea52f656b49a6489f73c9c2R767-R787)
- Maccy (clipboard manager)
[[1]](diffhunk://#diff-a497d9aa8763fd1b331ce6d454994c1fc955e9fec54d996dae5134c2c64d5e2cR1-R8)
[[2]](diffhunk://#diff-4c1446cfc02c6bb0bda874481e333c65b84e184fcea52f656b49a6489f73c9c2R830-R843)
- Mattermost (open-source chat)
[[1]](diffhunk://#diff-7286f40f757bf5322974f664bb55fd6ef89ca486aacba5e524e3e4a7055f24bcR1-R8)
[[2]](diffhunk://#diff-4c1446cfc02c6bb0bda874481e333c65b84e184fcea52f656b49a6489f73c9c2R830-R843)
- MongoDB Compass (database GUI)
[[1]](diffhunk://#diff-c03bf76b1aa1a8a9a857a235e2eaa46a35c5d0a8b8331d5990251eadf1855568R1-R8)
[[2]](diffhunk://#diff-4c1446cfc02c6bb0bda874481e333c65b84e184fcea52f656b49a6489f73c9c2R921-R927)
**Installer and Uninstaller Scripts:**
* Added custom install and uninstall shell scripts for Inkscape, Jabra
Direct, and Keeper Password Manager to handle application lifecycle
tasks, including quitting running apps and cleaning up user data.
[[1]](diffhunk://#diff-00054bf967e9164fbd87bfc1518f6332cbee50e85936c7e9617a0bfefe405fa4R1-R21)
[[2]](diffhunk://#diff-cd97d46bd199c6376c16fe81366404c1a3010d3f75b8b8b9a611d354a9edc2cbR1-R21)
[[3]](diffhunk://#diff-5b88b8712d6bf670a34dd05a496fa7a036b9f53dda262bea1f57deb9a10f6f6eR1-R21)
**App Categorization:**
* Assigned appropriate default categories (e.g., Productivity, Developer
tools, Communication) to each new app for better organization and
filtering in the catalog.
[[1]](diffhunk://#diff-7ce5d431eb69c5546afaa12ada343d8584e835e855ecebf4adc13801ab3eab78R1-R8)
[[2]](diffhunk://#diff-78c52106d0314ec88decc1b6e6490ea8519a45170df466789414c8eac90825f9R1-R8)
[[3]](diffhunk://#diff-a973ebde05953000c62f2492b17c079a9e552fd3bbab3b678ee2aa0757dafeadR1-R8)
[[4]](diffhunk://#diff-2c462b137233fc73d72dd6f42b4bc07e58d6396e6b178741d496536822f4e732R1-R8)
[[5]](diffhunk://#diff-51e6db269aa8b8fc295f8573eb1582adbb28bcf1f1fd040fe92f8e0e95c816b2R1-R8)
[[6]](diffhunk://#diff-a497d9aa8763fd1b331ce6d454994c1fc955e9fec54d996dae5134c2c64d5e2cR1-R8)
[[7]](diffhunk://#diff-7286f40f757bf5322974f664bb55fd6ef89ca486aacba5e524e3e4a7055f24bcR1-R8)
[[8]](diffhunk://#diff-c03bf76b1aa1a8a9a857a235e2eaa46a35c5d0a8b8331d5990251eadf1855568R1-R8)
**Metadata and Version Tracking:**
* Introduced detailed metadata and version tracking for each app,
including installer URLs, bundle identifiers, SHA256 checksums, and SQL
queries for existence checks.
[[1]](diffhunk://#diff-00054bf967e9164fbd87bfc1518f6332cbee50e85936c7e9617a0bfefe405fa4R1-R21)
[[2]](diffhunk://#diff-cd97d46bd199c6376c16fe81366404c1a3010d3f75b8b8b9a611d354a9edc2cbR1-R21)
[[3]](diffhunk://#diff-5b88b8712d6bf670a34dd05a496fa7a036b9f53dda262bea1f57deb9a10f6f6eR1-R21)
**Catalog Expansion:**
* Updated the main `apps.json` output to include all new apps with
descriptions and platform information, ensuring visibility in the
maintained apps catalog.
[[1]](diffhunk://#diff-4c1446cfc02c6bb0bda874481e333c65b84e184fcea52f656b49a6489f73c9c2R697-R703)
[[2]](diffhunk://#diff-4c1446cfc02c6bb0bda874481e333c65b84e184fcea52f656b49a6489f73c9c2R739-R745)
[[3]](diffhunk://#diff-4c1446cfc02c6bb0bda874481e333c65b84e184fcea52f656b49a6489f73c9c2R767-R787)
[[4]](diffhunk://#diff-4c1446cfc02c6bb0bda874481e333c65b84e184fcea52f656b49a6489f73c9c2R830-R843)
[[5]](diffhunk://#diff-4c1446cfc02c6bb0bda874481e333c65b84e184fcea52f656b49a6489f73c9c2R921-R927)
Add reverse prefix check in validation logic to accept cases where the
expected version (from Homebrew) is longer than what osquery reports.
This allows removing version shorteners for Twingate and Citrix
Workspace that were only shortening dot-separated version strings. This
also allows for our FMA library on fleetdm.com to represent more
accurate version strings.
- Add HasPrefix check for expected version starting with found version
- Remove TwingateVersionShortener
- Remove CitrixWorkspaceVersionShortener
- Remove citrix_workspace_version_shortener_test.go
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves #
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [ ] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [ ] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [ ] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
## Database migrations
- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
## New Fleet configuration settings
- [ ] Setting(s) is/are explicitly excluded from GitOps
If you didn't check the box above, follow this checklist for
GitOps-enabled settings:
- [ ] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [ ] Verified that any relevant UI is disabled when GitOps mode is
enabled
## fleetd/orbit/Fleet Desktop
- [ ] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [ ] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [ ] Verified that fleetd runs on macOS, Linux and Windows
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
---------
Co-authored-by: Allen Houchins <allenhouchins@mac.com>
- Replace json.MarshalIndent with json.Encoder using
SetEscapeHTML(false)
- Fixes both processOutput() and updateAppsListFile() functions
- Add test to verify HTML characters are preserved
- Regenerate yubico-yubikey-manager manifest to demonstrate fix
Previously, HTML tags and special characters (<, >, &) were being
escaped as Unicode sequences (\u003c, \u003e, \u0026) in JSON output.
This affected both app descriptions with HTML links and shell scripts
with redirect operators.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#33896
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
## Test plan
- [ ] Run FMA validation GHA that should pass, it should still pass
- [ ] Run FMA validation GHA with the bad manifest for intune company
portal, it should fail
For #29183
# Checklist for submitter
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Introduced automated validation workflows for maintained applications
on both macOS and Windows, ensuring apps can be installed, verified, and
uninstalled as expected.
* Added new command-line tool to validate maintained apps, providing
detailed reporting on validation results.
* Enhanced detection and handling of pre-installed applications during
validation.
* Improved post-installation steps for macOS, including quarantine
removal and system refresh.
* **Chores**
* Added new continuous integration workflows to automate application
validation on pull requests for relevant files.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Resolves#29218. No changes file as this is internal/FMA-related.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Manual QA for all new/changed functionality
> For issues found during QA
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] A detailed QA plan exists on the associated ticket (if it isn't
there, work with the product group's QA engineer to add it)
- [x] Manual QA for all new/changed functionality
> For #26662
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] A detailed QA plan exists on the associated ticket (if it isn't
there, work with the product group's QA engineer to add it)
- [x] Manual QA for all new/changed functionality
> For #26655
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [ ] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
---------
Co-authored-by: Ian Littman <iansltx@gmail.com>
> For #26083
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
---------
Co-authored-by: Ian Littman <iansltx@gmail.com>
