[Windows] Add checksum verification for Firefox browser (#8411)

erik-bershel · web-flow · commit be42f3501529 · 2023-10-11T11:06:47.000+02:00
diff --git a/images/win/scripts/Installers/Install-Firefox.ps1 b/images/win/scripts/Installers/Install-Firefox.ps1
@@ -1,16 +1,23 @@
 ################################################################################
 ##  File:  Install-Firefox.ps1
 ##  Desc:  Install Mozilla Firefox
+##  Supply chain security: Firefox browser - checksum validation
 ################################################################################
 
 # Install and configure Firefox browser
 Write-Host "Install latest Firefox browser..."
 $VersionsManifest = Invoke-RestMethod "https://product-details.mozilla.org/1.0/firefox_versions.json"
-$InstallerName = "firefox-browser.exe"
 $InstallerUrl = "https://download.mozilla.org/?product=firefox-$($VersionsManifest.LATEST_FIREFOX_VERSION)&os=win64&lang=en-US"
-$ArgumentList = ("/silent", "/install")
+$packagePath = Start-DownloadWithRetry -Url $InstallerUrl -Name "FirefoxSetup.exe"
 
-Install-Binary -Url $InstallerUrl -Name $InstallerName -ArgumentList $ArgumentList
+#region Supply chain security - Stack
+$fileHash = (Get-FileHash -Path $packagePath -Algorithm SHA256).Hash
+$hashUrl = "https://archive.mozilla.org/pub/firefox/releases/$($VersionsManifest.LATEST_FIREFOX_VERSION)/SHA256SUMS"
+$externalHash = (Invoke-RestMethod -Uri $hashURL).ToString().Split("`n").Where({ $_ -ilike "*win64/en-US/Firefox Setup*exe*" }).Split(' ')[0]
+Use-ChecksumComparison $fileHash $externalHash
+#endregion
+
+Install-Binary -FilePath $packagePath -ArgumentList "/silent", "/install"
 
 Write-Host "Disable autoupdate..."
 $FirefoxDirectoryPath = Join-Path $env:ProgramFiles "Mozilla Firefox"
