
Commit 117712f

[windows] implement checksum validation for OpenSSL (#8257)
1 parent f5bbdcb commit 117712f


1 file changed

+31
-18
lines changed


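--- a/images/win/scripts/Installers/Install-OpenSSL.ps1
+++ b/images/win/scripts/Installers/Install-OpenSSL.ps1
@@ -1,38 +1,51 @@
 ################################################################################
 ## File: Install-OpenSSL.ps1
 ## Desc: Install win64-openssl.
+## Supply chain security: checksum validation
 ################################################################################
 
-$arch = "INTEL"
-$bits = "64"
-$light = $false
+$arch = 'INTEL'
+$bits = '64'
+$light = 'false'
 $installer = "exe"
 $version = (Get-ToolsetContent).openssl.version
 $installDir = "$Env:ProgramFiles\OpenSSL"
 
 # Fetch available installers list
 $jsonUrl = 'https://raw.githubusercontent.com/slproweb/opensslhashes/master/win32_openssl_hashes.json'
-$installersAvailable = @()
-(Invoke-RestMethod $jsonUrl).files.PSObject.Properties |
-Where-Object MemberType -Eq NoteProperty |
-ForEach-Object { $installersAvailable += $_.Value }
-
-# Select appropriate installers
-$installersMatching = $installersAvailable | Where-Object {
-($_.basever -Eq $version -Or $_.basever -Like "$version.*") -And $_.arch -Eq $arch -And $_.bits -Eq $bits -And $_.light -Eq $light -And $_.installer -Eq $installer
-}
 
-# Get installer of the latest version
-$latestInstaller = $installersMatching |
-Sort-Object { [version]$_.basever }, subver |
-Select-Object -Last 1
+$installersAvailable = (Invoke-RestMethod $jsonUrl).files
+
+$distributor_file_hash = $null
+$installerUrl = $null
+$installerName = $null
+
+$installersAvailable | Get-Member -MemberType NoteProperty | ForEach-Object {
+$key = $_.Name
+if(($installersAvailable.$key.light -eq $light) -and ($installersAvailable.$key.arch -eq $arch) -and ($installersAvailable.$key.bits -eq $bits) -and ($installersAvailable.$key.installer -eq $installer) -and ($installersAvailable.$key.basever -eq $version)) {
+$installerUrl = $installersAvailable.$key.url
+$installerName = $key
+$distributor_file_hash = $installersAvailable.$key.sha512
+Break;
+}
+}
 
 # Invoke installation
-$installerUrl = $latestInstaller.url
-$installerName = "openssl-$($latestInstaller.basever)$($latestInstaller.subver)-setup.$($latestInstaller.installer)"
+
 $installerArgs = '/silent', '/sp-', '/suppressmsgboxes', "/DIR=`"$installDir`""
 Install-Binary -Url "$installerUrl" -Name "$installerName" -ArgumentList $installerArgs
 
+#region Supply chain security
+Write-Verbose "Performing checksum verification"
+$local_file_hash = (Get-FileHash -Path (Join-Path ${env:TEMP} $installerName) -Algorithm SHA512).Hash
+
+if ($local_file_hash -ne $distributor_file_hash) {
+Write-Host "hash must be equal to: ${distributor_file_hash}"
+Write-Host "actual hash is: ${local_file_hash}"
+throw 'Checksum verification failed, please rerun install'
+}
+#endregion
+
 # Update PATH
 Add-MachinePathItem "$installDir\bin"
 $env:Path = Get-MachinePath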
