
Commit d366cd5

[windows] implement checksum validation for PyPy
1 parent 1a5e1b2 commit d366cd5


1 file changed

+24
-3
lines changed


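--- a/images/win/scripts/Installers/Install-PyPy.ps1
+++ b/images/win/scripts/Installers/Install-PyPy.ps1
@@ -2,6 +2,7 @@
 ## File: Install-PyPy.ps1
 ## Team: CI-Build
 ## Desc: Install PyPy
+## Supply chain security: checksum validation
 ################################################################################
 function Install-PyPy
 {
@@ -82,6 +83,11 @@ $toolsetVersions = Get-ToolsetContent | Select-Object -ExpandProperty toolcache
 # Get PyPy releases
 $pypyVersions = Invoke-RestMethod https://downloads.python.org/pypy/versions.json
 
+# required for html parsing
+Install-Module PowerHTML -Scope CurrentUser
+Import-Module PowerHTML
+$checksums = (Invoke-RestMethod -Uri 'https://www.pypy.org/checksums.html' | ConvertFrom-HTML).SelectNodes('//*[@id="content"]/article/div/pre')
+
 Write-Host "Starting installation PyPy..."
 foreach($toolsetVersion in $toolsetVersions.versions)
 {
@@ -93,13 +99,28 @@ foreach($toolsetVersion in $toolsetVersions.versions)
 
 if ($latestMajorPyPyVersion)
 {
-Write-Host "Found PyPy '$($latestMajorPyPyVersion.filename)' package"
-$tempPyPyPackagePath = Start-DownloadWithRetry -Url $latestMajorPyPyVersion.download_url -Name $latestMajorPyPyVersion.filename
+$filename = $latestMajorPyPyVersion.filename
+Write-Host "Found PyPy '$filename' package"
+$tempPyPyPackagePath = Start-DownloadWithRetry -Url $latestMajorPyPyVersion.download_url -Name $filename
+
+#region Supply chain security
+$localFileHash = (Get-FileHash -Path $tempPyPyPackagePath -Algorithm SHA256).Hash
+$distributorFileHash = $null
+
+ForEach($node in $checksums) {
+if($node.InnerText -ilike "*${filename}*") {
+$distributor_file_hash = $node.InnerText.ToString().Split("`n").Where({ $_ -ilike "*${filename}*" }).Split(' ')[0]
+}
+}
+
+Use-ChecksumComparison -LocalFileHash $localFileHash -DistributorFileHash $distributorFileHash
+#endregion
+
 Install-PyPy -PackagePath $tempPyPyPackagePath -Architecture $toolsetVersions.arch
 }
 else
 {
 Write-Host "Failed to query PyPy version '$toolsetVersion'"
 exit 1
 }
-}
+}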
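Review bot: The checksum lookup never reaches the comparison: new line 108 initialises `$distributorFileHash = $null`, but the loop on new line 112 assigns the parsed value to `$distributor_file_hash`, so `Use-ChecksumComparison` on line 116 is always called with a null distributor hash. Whether that fails every build or passes without comparing depends on `Use-ChecksumComparison`, which is not visible in this diff; either way the downloaded archive is not verified against the published hash. The assignment on line 112 should target `$distributorFileHash`, and a guard such as `if (-not $distributorFileHash) { Write-Host "No checksum found for '$filename'"; exit 1 }` before the comparison would make a missing entry fail closed. Separately, `Install-Module PowerHTML -Scope CurrentUser` on line 87 pulls an unpinned module at image-build time; consider pinning it with `-RequiredVersion <PINNED_VERSION>` so the verification step does not itself depend on an unverified dependency.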
