Security hardening: PATH hijack fix, SHA256 checksums, connectivity endpoint

- Start-NoIDPrivacy.bat: Use absolute System32 path for powershell.exe - Core/Validator.ps1: Replace 8.8.8.8 with www.msftconnecttest.com - Tools/Generate-ReleaseChecksums.ps1: New script for release checksums - SECURITY.md: Updated verification instructions
2026-02-06 19:51:54 +01:00 · 2025-12-22 23:17:22 +01:00 · 2025-12-22 23:17:22 +01:00 · 4c1af02ad9
commit 4c1af02ad9
parent 79eb810096
5 changed files with 83 additions and 10 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -63,11 +63,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - All 7 registry policies confirmed correct per MS Policy CSP docs
 - Version numbers aligned across all 50+ files

-### 🔐 Verify Download
-```
-SHA256: fdb364d48e67a6889b44a519ba061cd570411158b8bdeb9b91ec845b7e270d96
-```
-
 ---

 ## [2.2.0] - 2025-12-08
--- a/Core/Validator.ps1
+++ b/Core/Validator.ps1
@ -174,8 +174,8 @@ function Test-InternetConnectivity {
    param()
    
    try {
-        # Using Google DNS (8.8.8.8) - intentional for internet connectivity check
-        $response = Test-Connection -ComputerName "8.8.8.8" -Count 1 -Quiet -ErrorAction Stop
+        # Using Microsoft NCSI endpoint - same as Windows uses for connectivity detection
+        $response = Test-Connection -ComputerName "www.msftconnecttest.com" -Count 1 -Quiet -ErrorAction Stop
        return $response
    }
    catch {
--- a/SECURITY.md
+++ b/SECURITY.md
@ -92,9 +92,15 @@ NoID Privacy implements multiple security layers:
 ### Before Running
 1. ✅ **Verify Script Integrity**
   ```powershell
-   # Check file hash (coming soon - SHA256 checksums in releases)
+   # Compare against CHECKSUMS.sha256 from GitHub Release
   Get-FileHash .\NoIDPrivacy.ps1 -Algorithm SHA256
+   
+   # Or verify the entire release folder:
+   Get-ChildItem *.ps1, *.psm1 | ForEach-Object { 
+       "$((Get-FileHash $_.FullName -Algorithm SHA256).Hash.ToLower())  $($_.Name)" 
+   }
   ```
+   Each GitHub release includes a `CHECKSUMS.sha256` file with SHA256 hashes of all release files.

 2. ✅ **Review Code**
   - This is open-source - read the code!
--- a/Start-NoIDPrivacy.bat
+++ b/Start-NoIDPrivacy.bat
@ -23,7 +23,7 @@ if %errorLevel% == 0 (
    REM Already admin, run PowerShell script directly
    echo Running NoID Privacy Interactive Menu with Administrator privileges...
    echo.
-    powershell.exe -ExecutionPolicy Bypass -NoProfile -File "%SCRIPT_DIR%NoIDPrivacy-Interactive.ps1" %*
+    "%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "%SCRIPT_DIR%NoIDPrivacy-Interactive.ps1" %*
    pause
    exit /b
 )
@ -33,7 +33,7 @@ echo Requesting Administrator privileges...
 echo.

 REM Use PowerShell to elevate and run the script
-powershell.exe -Command "Start-Process PowerShell.exe -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"%SCRIPT_DIR%NoIDPrivacy-Interactive.ps1\" %*' -Verb RunAs"
+"%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Start-Process '%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"%SCRIPT_DIR%NoIDPrivacy-Interactive.ps1\" %*' -Verb RunAs"

 REM Exit this non-elevated instance
 exit /b
--- a/Tools/Generate-ReleaseChecksums.ps1
+++ b/Tools/Generate-ReleaseChecksums.ps1
@ -0,0 +1,72 @@
+<#
+.SYNOPSIS
+    Generates SHA256 checksums for release files.
+
+.DESCRIPTION
+    Creates a CHECKSUMS.sha256 file containing SHA256 hashes of all release files.
+    Used for verifying download integrity.
+
+.PARAMETER ReleasePath
+    Path to the release folder or ZIP file(s).
+
+.PARAMETER OutputFile
+    Output file for checksums. Default: CHECKSUMS.sha256 in the same directory.
+
+.EXAMPLE
+    .\Generate-ReleaseChecksums.ps1 -ReleasePath "C:\Release\NoIDPrivacy-v2.2.2"
+    
+.EXAMPLE
+    .\Generate-ReleaseChecksums.ps1 -ReleasePath ".\NoIDPrivacy-v2.2.2.zip"
+#>
+
+[CmdletBinding()]
+param(
+    [Parameter(Mandatory = $true)]
+    [string]$ReleasePath,
+    
+    [Parameter(Mandatory = $false)]
+    [string]$OutputFile
+)
+
+$ErrorActionPreference = 'Stop'
+
+Write-Host "`n=== NoID Privacy Release Checksum Generator ===" -ForegroundColor Cyan
+
+# Determine if path is file or directory
+if (Test-Path $ReleasePath -PathType Container) {
+    $files = Get-ChildItem -Path $ReleasePath -File -Recurse | Where-Object { $_.Extension -in '.zip', '.exe', '.ps1', '.psm1' }
+    $basePath = $ReleasePath
+} elseif (Test-Path $ReleasePath -PathType Leaf) {
+    $files = Get-Item $ReleasePath
+    $basePath = Split-Path $ReleasePath -Parent
+} else {
+    Write-Error "Path not found: $ReleasePath"
+    exit 1
+}
+
+if (-not $OutputFile) {
+    $OutputFile = Join-Path $basePath "CHECKSUMS.sha256"
+}
+
+Write-Host "Generating checksums for $($files.Count) file(s)..." -ForegroundColor Yellow
+
+$checksums = @()
+$checksums += "# NoID Privacy Release Checksums"
+$checksums += "# Generated: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss UTC' -AsUTC)"
+$checksums += "# Verify with: Get-FileHash -Algorithm SHA256 <file>"
+$checksums += ""
+
+foreach ($file in $files) {
+    Write-Host "  Hashing: $($file.Name)" -ForegroundColor Gray
+    $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash.ToLower()
+    $relativePath = $file.Name
+    $checksums += "$hash  $relativePath"
+}
+
+$checksums | Out-File -FilePath $OutputFile -Encoding utf8
+
+Write-Host "`nChecksums written to: $OutputFile" -ForegroundColor Green
+Write-Host "`nContents:" -ForegroundColor Cyan
+Get-Content $OutputFile | ForEach-Object { Write-Host "  $_" }
+
+Write-Host "`n=== Done ===" -ForegroundColor Cyan