[Ubuntu] Add checksum validation for Aliyun CLI, CMake, Docker Compose v2 (#8612)

* Add checksums for Aliyun, CMake, Docker Compose v2 * After review changes * Download Aliyun CLI from github release
2025-12-20 06:29:50 +00:00 · 2023-10-22 15:47:36 +02:00
parent 62cd627ce7
commit 6a98903627
4 changed files with 68 additions and 10 deletions
--- a/images/linux/scripts/installers/aliyun-cli.sh
+++ b/images/linux/scripts/installers/aliyun-cli.sh
@@ -2,6 +2,7 @@
 ################################################################################
 ##  File:  aliyun-cli.sh
 ##  Desc:  Installs Alibaba Cloud CLI
+##  Supply chain security: Alibaba Cloud CLI - checksum validation
 ################################################################################

 # Source the helpers for use with the script
@@ -11,14 +12,22 @@ source $HELPER_SCRIPTS/install.sh
 # Install Alibaba Cloud CLI
 # Pin tool version on ubuntu20 due to issues with GLIBC_2.32 not available
 if isUbuntu20; then
-    toolsetVersion=$(get_toolset_value '.aliyunCli.version')
-    downloadUrl="https://github.com/aliyun/aliyun-cli/releases/download/v$toolsetVersion/aliyun-cli-linux-$toolsetVersion-amd64.tgz"
+    toolset_version=$(get_toolset_value '.aliyunCli.version')
+    download_url="https://github.com/aliyun/aliyun-cli/releases/download/v$toolset_version/aliyun-cli-linux-$toolset_version-amd64.tgz"
+    hash_url="https://github.com/aliyun/aliyun-cli/releases/download/v$toolset_version/SHASUMS256.txt"
 else
-    downloadUrl="https://aliyuncli.alicdn.com/aliyun-cli-linux-latest-amd64.tgz"
+    download_url=$(get_github_package_download_url "aliyun/aliyun-cli" "contains(\"aliyun-cli-linux\") and endswith(\"amd64.tgz\")")
+    hash_url="https://github.com/aliyun/aliyun-cli/releases/latest/download/SHASUMS256.txt"
 fi

-download_with_retries $downloadUrl "/tmp"
-tar xzf /tmp/aliyun-cli-linux-*-amd64.tgz
+package_name="aliyun-cli-linux-amd64.tgz"
+download_with_retries "$download_url" "/tmp" "$package_name"
+
+# Supply chain security - Alibaba Cloud CLI
+external_hash=$(get_hash_from_remote_file "$hash_url" "aliyun-cli-linux" "amd64.tgz")
+use_checksum_comparison "/tmp/$package_name" "$external_hash"
+
+tar xzf "/tmp/$package_name"
 mv aliyun /usr/local/bin

 invoke_tests "CLI.Tools" "Aliyun CLI"