# fleet
j
I’m trying to generate a Windows MSI package using fleetctl. However, I get this error if I try it on Linux, and I get the following error if I try it on Windows inside a VM:
>fleetctl package --type msi --fleet-url=<url>:8412 --insecure --enroll-secret=<secret>
{"level":"debug","path":"C:\\Users\\<user>\\AppData\\Local\\Temp\\2\\orbit-package743500111","time":"2021-10-13T10:47:05-07:00","message":"created temp dir"}
initialize updates: failed to update metadata: update metadata: open file store: File C:\Users\<user>\AppData\Local\Temp\2\orbit-package743500111\root\tuf-metadata.json already exists with mode 666 instead of the expected 600
Need help to figure out what is wrong
The directory orbit-package743500111 doesn’t exist when I check. Tried this with Admin privileges too.
t
hi there, the permissions check is a security check that is not working properly in windows yet, we are going to be looking into this issue and the other in linux
I'll see if I can find a workaround for you in the meantime
sadly, we don't currently have any workarounds for you, but I'm going to double check that these issues are reflected in github and we'll work on them asap
z
I know @Tomas Touceda was able to reproduce this on his M1 mac. I'm not able to reproduce it on my Intel mac --
fleetctl package --type msi --fleet-url=https://something:8412 --insecure --enroll-secret=secret --debug
completes successfully. @Jaideep Natu are you running locally on some hardware or are you using VMs in the cloud? Can you provide any more info about the hardware you are using?
j
CentOS VM running on ESXi for the heat.exe error
3.10.0-1160.42.2.el7.x86_64
Current issue was on Windows 10 running on both ESXi and Parallels.
t
I wonder if this has to do with the different levels of virtualization, m1 might be running some of these things with rosetta
z
Yeah I am suspecting something to do with nested virtualization
j
@Tomas Touceda @zwass is there a way to execute the fleetctl package command without the dependency on docker? I assume that's what is causing the virtualization issues
t
not currently, but Zach has a PR that fixes these issues: https://github.com/fleetdm/fleet/pull/2548
z
@Jaideep Natu if I send you a fleetctl binary can you test it on your systems?
j
sure I can do that
z
Attached are Windows and Linux binaries. Please let us know if this works out for you! Note there's no code-signing, so Windows might not want to execute it.
j
The Windows binary worked! Got the same “tuf-metadata.json already exists with mode 666 instead of the expected 600” error on Linux
thank you Zach
t
you'll have to fix the permissions on Linux with chmod by hand, that error is not going away for security reasons
z
Glad to hear it worked on Windows! Let's see if we can improve the UX on Linux.
t
we can at least try chmod ourselves? not sure if there'll be a race somewhere there
j
I meant the Linux fleetctl binary worked for this. Running the fleetctl package command on Windows gave me the mode 666 error again. The folder doesn’t exist on Win if I try to change permissions manually
t
oh, interesting, that's a different story
z
It did work on Windows (successfully generated MSI). It did not work on Linux (with the permission error you mentioned). ^ Do I have that right?
j
“fleetctl package” worked on Linux, didn’t work on Windows with files provided by Zach
sorry about the confusion
z
I see, thank you. We'll keep working on making this packaging experience easier and more reliable.