[Windows] Add checksum validation for Stack (#8403)

erik-bershel · web-flow · commit ae487529f383 · 2023-10-04T14:58:45.000+02:00
diff --git a/images/win/scripts/Installers/Install-Stack.ps1 b/images/win/scripts/Installers/Install-Stack.ps1
@@ -1,6 +1,7 @@
 ################################################################################
 ##  File:  Install-Stack.ps1
 ##  Desc:  Install Stack for Windows
+##  Supply chain security: Stack - checksum validation
 ################################################################################
 
 Write-Host "Get the latest Stack version..."
@@ -14,6 +15,13 @@ $StackToolcachePath = Join-Path $Env:AGENT_TOOLSDIRECTORY "stack\$Version"
 $DestinationPath = Join-Path $StackToolcachePath "x64"
 $StackArchivePath = Start-DownloadWithRetry -Url $DownloadUrl
 
+#region Supply chain security - Stack
+$fileHash = (Get-FileHash -Path $StackArchivePath -Algorithm SHA256).Hash
+$hashUrl = $StackReleasesJson.assets | Where-Object { $_.name.EndsWith("$DownloadFilePattern.sha256") } | Select-Object -ExpandProperty "browser_download_url" -First 1
+$externalHash = (Invoke-RestMethod -Uri $hashURL).ToString().Split("`n").Where({ $_ -ilike "*$DownloadFilePattern*" }).Split(' ')[0]
+Use-ChecksumComparison $fileHash $externalHash
+#endregion
+
 Write-Host "Expand stack archive"
 Extract-7Zip -Path $StackArchivePath -DestinationPath $DestinationPath
 
