[windows] implement Android SDK cmdtools checksum (#8357)

ilia-shipitsin · web-flow · commit 2e47a88733e4 · 2023-10-05T09:31:22.000+02:00
diff --git a/images/win/scripts/Installers/Install-AndroidSDK.ps1 b/images/win/scripts/Installers/Install-AndroidSDK.ps1
@@ -1,14 +1,22 @@
 ################################################################################
 ##  File:  Install-AndroidSDK.ps1
 ##  Desc:  Install and update Android SDK and tools
+##  Supply chain security: checksum validation
 ################################################################################
 
 # get packages to install from the toolset
 $androidToolset = (Get-ToolsetContent).android
 # Newer version(s) require Java 11 by default
 # See https://github.com/actions/runner-images/issues/6960
-$cmdlineToolsUrl = "https://dl.google.com/android/repository/commandlinetools-win-9123335_latest.zip"
+$cmdlineToolsUrl = $androidToolset.commandline_tools_url
 $cmdlineToolsArchPath = Start-DownloadWithRetry -Url $cmdlineToolsUrl -Name "cmdline-tools.zip"
+
+#region Supply chain security
+$localFileHash = (Get-FileHash -Path $cmdlineToolsArchPath -Algorithm SHA256).Hash
+
+Use-ChecksumComparison -LocalFileHash $localFileHash -DistributorFileHash $androidToolset.hash
+#endregion
+
 $sdkInstallRoot = "C:\Program Files (x86)\Android\android-sdk"
 $sdkRoot = "C:\Android\android-sdk"
 Extract-7Zip -Path $cmdlineToolsArchPath -DestinationPath "${sdkInstallRoot}\cmdline-tools"
diff --git a/images/win/toolsets/toolset-2019.json b/images/win/toolsets/toolset-2019.json
@@ -148,6 +148,8 @@
         "versions": [ "8", "11", "17" ]
     },
     "android": {
+        "commandline_tools_url": "https://dl.google.com/android/repository/commandlinetools-win-9123335_latest.zip",
+        "hash": "8A90E6A3DEB2FA13229B2E335EFD07687DCC8A55A3C544DA9F40B41404993E7D",
         "platform_min_version": "19",
         "build_tools_min_version": "19.1.0",
         "extra_list": [
diff --git a/images/win/toolsets/toolset-2022.json b/images/win/toolsets/toolset-2022.json
@@ -132,6 +132,8 @@
         "versions": [ "8", "11", "17" ]
     },
     "android": {
+        "commandline_tools_url": "https://dl.google.com/android/repository/commandlinetools-win-9123335_latest.zip",
+        "hash": "8A90E6A3DEB2FA13229B2E335EFD07687DCC8A55A3C544DA9F40B41404993E7D",
         "platform_min_version": "27",
         "build_tools_min_version": "27.0.0",
         "extra_list": [
