[windows] implement checksum validation for Miniconda (#8506)

ilia-shipitsin · web-flow · commit 47a634e28bd7 · 2023-10-11T11:01:06.000+02:00
diff --git a/images/win/scripts/Installers/Install-Miniconda.ps1 b/images/win/scripts/Installers/Install-Miniconda.ps1
@@ -1,6 +1,7 @@
 ################################################################################
 ##  File:  Install-Miniconda.ps1
 ##  Desc:  Install the latest version of Miniconda and set $env:CONDA
+##  Supply chain security: checksum validation
 ################################################################################
 
 $CondaDestination = "C:\Miniconda"
@@ -13,4 +14,19 @@ $ArgumentList = ("/S", "/AddToPath=0", "/RegisterPython=0", "/D=$CondaDestinatio
 Install-Binary -Url $InstallerUrl -Name $InstallerName -ArgumentList $ArgumentList
 Set-SystemVariable -SystemVariable "CONDA" -Value $CondaDestination
 
-Invoke-PesterTests -TestFile "Miniconda"
+#region Supply chain security
+$localFileHash = (Get-FileHash -Path (Join-Path ${env:TEMP} $installerName) -Algorithm SHA256).Hash
+$distributorFileHash = $null
+
+$checksums = (Invoke-RestMethod -Uri 'https://repo.anaconda.com/miniconda/' | ConvertFrom-HTML).SelectNodes('//html/body/table/tr')
+
+ForEach($node in $checksums) {
+    if ($node.ChildNodes[1].InnerText -eq $InstallerName) {
+        $distributorFileHash = $node.ChildNodes[7].InnerText
+    }
+}
+
+Use-ChecksumComparison -LocalFileHash $localFileHash -DistributorFileHash $distributorFileHash
+#endregion
+
+Invoke-PesterTests -TestFile "Miniconda"
