
Commit f5bbdcb

[windows] implement checksum validation for docker-wincred (#8256)
1 parent 9a4861b commit f5bbdcb


1 file changed

+26
-0
lines changed


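--- a/images/win/scripts/Installers/Install-Docker.ps1
+++ b/images/win/scripts/Installers/Install-Docker.ps1
@@ -3,8 +3,23 @@
 ## Desc: Install Docker.
 ## Must be an independent step because it requires a restart before we
 ## can continue.
+## Supply chain security: (docker-wincred) checksum validation
 ################################################################################
 
+#region functions
+Function Get-DockerWincredHash
+{
+Param (
+[Parameter(Mandatory = $True)]
+[string] $Release
+)
+
+$hashURL = "https://github.com/docker/docker-credential-helpers/releases/download/${Release}/checksums.txt "
+(Invoke-RestMethod -Uri $hashURL).ToString().Split("`n").Where({ $_ -ilike "*docker-credential-wincred-${Release}.windows-amd64.exe*" }).Split(' ')[0]
+
+}
+#endregion
+
 Write-Host "Get latest release of Docker CE"
 $mobyLatestReleaseVersion = (Invoke-RestMethod -Uri "https://api.github.com/repos/moby/moby/releases/latest").tag_name.Trim("v")
 $dockerceUrl = "https://download.docker.com/win/static/stable/x86_64/"
@@ -49,6 +64,17 @@ $dockerCredLatestRelease = Invoke-RestMethod -Uri "https://api.github.com/repos/
 $dockerCredDownloadUrl = $dockerCredLatestRelease.assets.browser_download_url -match "docker-credential-wincred-.+\.exe" | Select-Object -First 1
 Start-DownloadWithRetry -Url $dockerCredDownloadUrl -DownloadPath "C:\Windows\System32" -Name "docker-credential-wincred.exe"
 
+#region Supply chain security
+$distributor_file_hash = Get-DockerWincredHash -Release $dockerCredLatestRelease.name
+$local_file_hash = (Get-FileHash -Path 'C:\Windows\System32\docker-credential-wincred.exe' -Algorithm SHA256).Hash
+
+if ($local_file_hash -ne $distributor_file_hash) {
+Write-Host "hash must be equal to: ${distributor_file_hash}"
+Write-Host "actual hash is: ${local_file_hash}"
+throw 'Checksum verification failed, please rerun install'
+}
+#endregion
+
 Write-Host "Download docker images"
 $dockerImages = (Get-ToolsetContent).docker.images
 foreach ($dockerImage in $dockerImages) {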
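Review bot: The hash comparison in the second hunk runs only after `Start-DownloadWithRetry` has already written `docker-credential-wincred.exe` into `C:\Windows\System32`, so on a mismatch the `throw` leaves the unverified binary in place. Either download to a temporary directory and move the file in only once the hashes match, or add `Remove-Item -Path 'C:\Windows\System32\docker-credential-wincred.exe' -Force` before the `throw`. `Get-DockerWincredHash` is also passed `$dockerCredLatestRelease.name`, while the `/releases/download/` URL it builds is keyed by tag, so `.tag_name` looks like the safer value should a release title ever differ from its tag. Note too that `checksums.txt` is fetched from the same release as the executable, so this check catches a corrupted or truncated download but would not detect a tampered release; a hash pinned in the repository would cover that case.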
