Skip to content

Commit 1921245

Browse files
ilia-shipitsinilia-shipitsin
authored
[windows] pin checksum where avaiable (#9005)
Related: https://github.com/actions/runner-images-internal/issues/5489
1 parent 3945d6e commit 1921245

File tree

7 files changed

+18
-12
lines changed

7 files changed

+18
-12
lines changed

images/windows/scripts/build/Install-MysqlCli.ps1

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,13 +1,14 @@
11
################################################################################
22
## File: Install-MysqlCli.ps1
33
## Desc: Install Mysql CLI
4+
## Supply chain security: checksum validation (visual c++ redistributable package)
45
################################################################################
56

67
# Installing visual c++ redistributable package.
78
Install-Binary `
89
-Url 'https://download.microsoft.com/download/0/5/6/056dcda9-d667-4e27-8001-8a0c6971d6b1/vcredist_x64.exe' `
910
-InstallArgs @("/install", "/quiet", "/norestart") `
10-
-ExpectedSignature '3BDA323E552DB1FDE5F4FBEE75D6D5B2B187EEDC'
11+
-ExpectedSHA256Sum '20E2645B7CD5873B1FA3462B99A665AC8D6E14AAE83DED9D875FEA35FFDD7D7E'
1112

1213
# Downloading mysql
1314
[version] $mysqlVersion = (Get-ToolsetContent).mysql.version

images/windows/scripts/build/Install-NET48-devpack.ps1

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,12 +1,13 @@
11
################################################################################
22
## File: Install-NET48-devpack.ps1
33
## Desc: Install .NET 4.8 devpack
4+
## Supply chain security: checksum validation
45
################################################################################
56

67
# .NET 4.8 Dev pack
78
Install-Binary `
89
-Url 'https://download.visualstudio.microsoft.com/download/pr/014120d7-d689-4305-befd-3cb711108212/0307177e14752e359fde5423ab583e43/ndp48-devpack-enu.exe' `
910
-InstallArgs @("Setup", "/passive", "/norestart") `
10-
-ExpectedSignature 'C82273A065EC470FB1EBDE846A91E6FFB29E9C12'
11+
-ExpectedSHA256Sum '0A7AC4A9B44CED6BB7A0EBF3AD9BA29F60BD4D3BEB2047E19F4D8749DE61F5AC'
1112

1213
Invoke-PesterTests -TestFile "Tools" -TestName "NET48"

images/windows/scripts/build/Install-NET48.ps1

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,10 +1,11 @@
11
################################################################################
22
## File: Install-NET48.ps1
33
## Desc: Install .NET 4.8
4+
## Supply chain security: checksum validation
45
################################################################################
56

67
# .NET 4.8 Dev pack
78
Install-Binary `
89
-Url 'https://download.visualstudio.microsoft.com/download/pr/2d6bb6b2-226a-4baa-bdec-798822606ff1/8494001c276a4b96804cde7829c04d7f/ndp48-x86-x64-allos-enu.exe' `
910
-InstallArgs @("Setup", "/passive", "/norestart") `
10-
-ExpectedSignature 'ABDCA79AF9DD48A0EA702AD45260B3C03093FB4B'
11+
-ExpectedSHA256Sum '68C9986A8DCC0214D909AA1F31BEE9FB5461BB839EDCA996A75B08DDFFC1483F'

images/windows/scripts/build/Install-ServiceFabricSDK.ps1

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,7 @@
22
## File: Install-ServiceFabricSDK.ps1
33
## Desc: Install webpicmd and then the service fabric sdk
44
## must be install after Visual Studio
5+
## Supply chain security: checksum validation
56
################################################################################
67

78
# Creating 'Installer' cache folder if it doesn't exist
@@ -10,17 +11,19 @@ New-Item -Path 'C:\Windows\Installer' -ItemType Directory -Force
1011
# Get Service Fabric components versions
1112
$runtimeVersion = (Get-ToolsetContent).serviceFabric.runtime.version
1213
$sdkVersion = (Get-ToolsetContent).serviceFabric.sdk.version
14+
1315
$urlBase = "https://download.microsoft.com/download/b/8/a/b8a2fb98-0ec1-41e5-be98-9d8b5abf7856"
1416

1517
# Install Service Fabric Runtime for Windows
1618
Install-Binary `
1719
-Url "${urlBase}/MicrosoftServiceFabric.${runtimeVersion}.exe" `
1820
-InstallArgs @("/accepteula ", "/quiet", "/force") `
19-
-ExpectedSignature (Get-ToolsetContent).serviceFabric.runtime.signature
21+
-ExpectedSHA256Sum (Get-ToolsetContent).serviceFabric.runtime.checksum
22+
2023

2124
# Install Service Fabric SDK
2225
Install-Binary `
2326
-Url "${urlBase}/MicrosoftServiceFabricSDK.${sdkVersion}.msi" `
24-
-ExpectedSignature (Get-ToolsetContent).serviceFabric.sdk.signature
27+
-ExpectedSHA256Sum (Get-ToolsetContent).serviceFabric.sdk.checksum
2528

2629
Invoke-PesterTests -TestFile "Tools" -TestName "ServiceFabricSDK"

images/windows/scripts/build/Install-VCRedist.ps1

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,20 +1,20 @@
11
################################################################################
22
## File: Install-VCRedist.ps1
33
## Desc: Install Visual C++ Redistributable
4+
## Supply chain security: checksum validation
45
################################################################################
56

67
$baseUrl = "https://download.microsoft.com/download/1/6/5/165255E7-1014-4D0A-B094-B6A430A6BFFC"
78
$argumentList = ("/install", "/quiet", "/norestart")
8-
$signatureThumbrint = "ABDCA79AF9DD48A0EA702AD45260B3C03093FB4B"
99

1010
Install-Binary `
1111
-Url "${baseUrl}/vcredist_x86.exe" `
1212
-InstallArgs $argumentList `
13-
-ExpectedSignature $signatureThumbrint
13+
-ExpectedSHA256Sum '99DCE3C841CC6028560830F7866C9CE2928C98CF3256892EF8E6CF755147B0D8'
1414

1515
Install-Binary `
1616
-Url "${baseUrl}/vcredist_x64.exe" `
1717
-InstallArgs $argumentList `
18-
-ExpectedSignature $signatureThumbrint
18+
-ExpectedSHA256Sum 'F3B7A76D84D23F91957AA18456A14B4E90609E4CE8194C5653384ED38DADA6F3'
1919

2020
Invoke-PesterTests -TestFile "Tools" -TestName "VCRedist"

images/windows/toolsets/toolset-2019.json

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -412,11 +412,11 @@
412412
"serviceFabric": {
413413
"runtime": {
414414
"version": "9.1.1436.9590",
415-
"signature": "AFBF0B8B6A18F7E23CCA1DDCD0AC1A55B4035173"
415+
"checksum": "089F9BE6A63AF66C337E507B52082575C8ED330DF765259C6F2F13F900DA96D5"
416416
},
417417
"sdk": {
418418
"version": "6.1.1436",
419-
"signature": "AFBF0B8B6A18F7E23CCA1DDCD0AC1A55B4035173"
419+
"checksum": "D2A6B58315D08B6E46C2D25E91DFA1163136F70A5FA8CEF9DB147F07EE001AD1"
420420
}
421421
},
422422
"dotnet": {

images/windows/toolsets/toolset-2022.json

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -353,11 +353,11 @@
353353
"serviceFabric": {
354354
"runtime": {
355355
"version": "9.1.1436.9590",
356-
"signature": "AFBF0B8B6A18F7E23CCA1DDCD0AC1A55B4035173"
356+
"checksum": "089F9BE6A63AF66C337E507B52082575C8ED330DF765259C6F2F13F900DA96D5"
357357
},
358358
"sdk": {
359359
"version": "6.1.1436",
360-
"signature": "AFBF0B8B6A18F7E23CCA1DDCD0AC1A55B4035173"
360+
"checksum": "D2A6B58315D08B6E46C2D25E91DFA1163136F70A5FA8CEF9DB147F07EE001AD1"
361361
}
362362
},
363363
"dotnet": {

0 commit comments

Comments
 (0)