CPMR0006 - VERIFICATION.txt file missing when binaries included (package)

CPMR0006 - VERIFICATION.txt file missing when binaries included (package)

⚠️ This rule has been marked as a Requirement

Requirements represent the minimum quality of a package that is acceptable. When a package version has failed requirements, the package version requires fixing and/or response by the maintainer. Provided a Requirement has flagged correctly, it must be fixed before the package version can be approved. The exact same version should be uploaded during moderation review.

Issue

In the package, you have included binaries but have not given moderators and the community a way to verify the files are legitimate.

Please add a file named VERIFICATION.txt. You can see the format for that file if you call choco new test (upgrade to the latest version of Chocolatey first) and look at the generated file in test\tools\VERIFICATION.txt

This check also looks for VERIFICATION and VERIFICATION.md. Casing doesn't matter for validation.

NOTE: Providing checksums in verification is helpful, but OPTIONAL. The package already captures the checksums for binaries and displays that on the package page, so a user can use VERIFICATION to download the actual and verify it against the items listed in the files section of the package page.

Software Author / Vendor Specific

If you are the software vendor (author), your verification file can be much simpler. Take a look at how NUnit provides verification - https://community.chocolatey.org/packages/nunit-console-runner#files:

VERIFICATION Verification is intended to assist the Chocolatey moderators and community in verifying that this package's contents are trustworthy.

This package is published by the NUnit Project itself. The binaries are identical to other package types published by the project, in particular the NUnit.ConsoleRunner nuget package.

Doing something similar is enough for Verification - since you own the binaries and your are the package maintainer, folks are choosing to trust in you already to use the software. The additional checks with the VirusTotal scans on the community repository may help folks feel even better about using your packages.

Reasoning

If you include binaries in the package, even if you are the software vendor, you need to include a VERIFICATION.txt file. This allows moderators and the community build trust in using the package. A verification file tells folks how to verify the files are legitimate, whether specific instructions on verification with the official location, or with a notice that you are the software vendor.