CPMR0006 - VERIFICATION.txt file missing when binaries included (package)
CPMR0006 - VERIFICATION.txt file missing when binaries included (package)
WARNING
This rule has been marked as a Requirement.
Requirements represent the minimum quality of a package that is acceptable. When a package version has failed requirements, the package version requires fixing and/or response by the maintainer. Provided a Requirement has flagged correctly, it must be fixed before the package version can be approved. The exact same version should be uploaded during moderation review.
Issue
In the package, you have included binaries but have not given moderators and the community a way to verify the files are legitimate.
Recommended Solution
Please add a file named VERIFICATION.txt. You can see the format for that file if you call choco new test
(upgrade to the latest version of Chocolatey first) and look at the generated file in test\tools\VERIFICATION.txt
This check also looks for VERIFICATION
and VERIFICATION.md
. Casing doesn’t matter for validation.
Reasoning
If you include binaries in the package, even if you are the software vendor, you need to include a VERIFICATION.txt file. This allows moderators and the community build trust in using the package. A verification file tells folks how to verify the files are legitimate with specific instructions on verifying with the official location.