From 47a634e28bd7010e83a3a0be4d8837bae9c0a566 Mon Sep 17 00:00:00 2001
From: ilia-shipitsin <125650415+ilia-shipitsin@users.noreply.github.com>
Date: Wed, 11 Oct 2023 11:01:06 +0200
Subject: [PATCH] [windows] implement checksum validation for Miniconda (#8506)

---
 .../scripts/Installers/Install-Miniconda.ps1 | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/images/win/scripts/Installers/Install-Miniconda.ps1 b/images/win/scripts/Installers/Install-Miniconda.ps1
index 26131081..746723e5 100644
--- a/images/win/scripts/Installers/Install-Miniconda.ps1
+++ b/images/win/scripts/Installers/Install-Miniconda.ps1
@@ -1,6 +1,7 @@
 ################################################################################
 ## File: Install-Miniconda.ps1
 ## Desc: Install the latest version of Miniconda and set $env:CONDA
+## Supply chain security: checksum validation
 ################################################################################
 
 $CondaDestination = "C:\Miniconda"
@@ -13,4 +14,19 @@ $ArgumentList = ("/S", "/AddToPath=0", "/RegisterPython=0", "/D=$CondaDestinatio
 Install-Binary -Url $InstallerUrl -Name $InstallerName -ArgumentList $ArgumentList
 Set-SystemVariable -SystemVariable "CONDA" -Value $CondaDestination
 
-Invoke-PesterTests -TestFile "Miniconda"
\ No newline at end of file
+#region Supply chain security
+$localFileHash = (Get-FileHash -Path (Join-Path ${env:TEMP} $installerName) -Algorithm SHA256).Hash
+$distributorFileHash = $null
+
+$checksums = (Invoke-RestMethod -Uri 'https://repo.anaconda.com/miniconda/' | ConvertFrom-HTML).SelectNodes('//html/body/table/tr')
+
+ForEach($node in $checksums) {
+ if ($node.ChildNodes[1].InnerText -eq $InstallerName) {
+ $distributorFileHash = $node.ChildNodes[7].InnerText
+ }
+}
+
+Use-ChecksumComparison -LocalFileHash $localFileHash -DistributorFileHash $distributorFileHash
+#endregion
+
+Invoke-PesterTests -TestFile "Miniconda"
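Review bot: The hash comparison in the added `#region Supply chain security` block runs after the `Install-Binary` context line above it, so, assuming that helper both downloads and runs the installer as its `/S` argument list suggests, the binary has already executed by the time a mismatch could be reported; the download should be separated from execution and the comparison done in between. The lookup loop also leaves `$distributorFileHash` as `$null` when no table row matches `$InstallerName`, or when the page layout shifts under the positional `ChildNodes[1]`/`ChildNodes[7]` indexing. Whether `Use-ChecksumComparison` rejects a null is not visible here, so fail closed before the call with `if (-not $distributorFileHash) { throw "No published SHA256 found for $InstallerName" }`. The reference hash is scraped from repo.anaconda.com at build time, which catches a corrupted or swapped download but, if `$InstallerUrl` (defined outside this hunk) points at the same origin, not a compromise of that origin; a short comment stating that limit would keep the "supply chain security" label honest.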