[windows] implement checksum validation for rustup (#8314)

ilia-shipitsin · web-flow · commit ac365421b0d2 · 2023-09-25T11:51:41.000+02:00
diff --git a/images/win/scripts/Installers/Install-Rust.ps1 b/images/win/scripts/Installers/Install-Rust.ps1
@@ -1,6 +1,7 @@
 ################################################################################
 ##  File:  Install-Rust.ps1
 ##  Desc:  Install Rust for Windows
+##  Supply chain security: checksum validation for bootstrap, managed by rustup for workloads
 ################################################################################
 
 # Rust Env
@@ -11,6 +12,13 @@ $env:CARGO_HOME = "C:\Users\Default\.cargo"
 # See https://rustup.rs/#
 $rustupPath = Start-DownloadWithRetry -Url "https://static.rust-lang.org/rustup/dist/x86_64-pc-windows-msvc/rustup-init.exe" -Name "rustup-init.exe"
 
+#region Supply chain security
+$localFileHash = (Get-FileHash -Path (Join-Path ${env:TEMP} 'rustup-init.exe') -Algorithm SHA256).Hash
+$distributorFileHash = (Invoke-RestMethod -Uri 'https://static.rust-lang.org/rustup/dist/x86_64-pc-windows-msvc/rustup-init.exe.sha256').Trim()
+
+Use-ChecksumComparison -LocalFileHash $localFileHash -DistributorFileHash $distributorFileHash
+#endregion
+
 # Install Rust by running rustup-init.exe (disabling the confirmation prompt with -y)
 & $rustupPath -y --default-toolchain=stable --profile=minimal
 
