From 77724a96722bcb628c88cbb8b9901ffb6aef261f Mon Sep 17 00:00:00 2001
From: Erik Bershel <110455084+erik-bershel@users.noreply.github.com>
Date: Wed, 27 Sep 2023 13:00:54 +0200
Subject: [PATCH] [Windows] Add checksum verification for AWS SAM CLI (#8316)
---
 images/win/scripts/Installers/Install-AWS.ps1 | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/images/win/scripts/Installers/Install-AWS.ps1 b/images/win/scripts/Installers/Install-AWS.ps1
index 9c1e8899..0a319a3e 100644
--- a/images/win/scripts/Installers/Install-AWS.ps1
+++ b/images/win/scripts/Installers/Install-AWS.ps1
@@ -1,6 +1,7 @@
 ################################################################################
 ## File: Install-AWS.ps1
 ## Desc: Install AWS tools(AWS CLI, Session Manager Plugin for the AWS CLI, AWS SAM CLI)
+## Supply chain security: AWS CLI - managed by package manager, Session Manager Plugin for the AWS CLI - missing, AWS SAM CLI - checksum validation
 ################################################################################

 # Install AWS CLI
@@ -13,6 +14,16 @@ Install-Binary -Url $sessionManagerUrl -Name $sessionManagerName -ArgumentList (
 $env:Path = $env:Path + ";$env:ProgramFiles\Amazon\SessionManagerPlugin\bin"

 # Install AWS SAM CLI
-Install-Binary -Url "https://github.com/awslabs/aws-sam-cli/releases/latest/download/AWS_SAM_CLI_64_PY3.msi" -Name "AWS_SAM_CLI_64_PY3.msi"
+$packageName = "AWS_SAM_CLI_64_PY3.msi"
+$packageUrl = "https://github.com/awslabs/aws-sam-cli/releases/latest/download/$packageName"
+$packagePath = Start-DownloadWithRetry -Url $packageUrl -Name $packageName

-Invoke-PesterTests -TestFile "CLI.Tools" -TestName "AWS"
\ No newline at end of file
+#region Supply chain security - AWS SAM CLI
+$fileHash = (Get-FileHash -Path $packagePath -Algorithm SHA256).Hash
+$externalHash = Get-HashFromGitHubReleaseBody -RepoOwner "awslabs" -RepoName "aws-sam-cli" -FileName $packageName
+Use-ChecksumComparison $fileHash $externalHash
+#endregion
+
+Install-Binary -FilePath $packagePath
+
+Invoke-PesterTests -TestFile "CLI.Tools" -TestName "AWS"
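Review bot: The expected hash in the `#region Supply chain security - AWS SAM CLI` block is read from the release body of the same `awslabs/aws-sam-cli` repository that serves the MSI, so the comparison catches a corrupted or swapped download but not a release whose asset and body were changed together. The region should say so, for example `# Hash is published alongside the MSI in the same GitHub release: verifies transfer integrity, not publisher integrity`. The MSI is fetched through `releases/latest`, and the hash lookup is a second, separate request. If `Get-HashFromGitHubReleaseBody` also resolves the latest release (its body is not visible in this hunk), a release published between the two calls would produce a spurious mismatch, so resolving the release tag once and using it for both would be more robust. It is also worth confirming that `Use-ChecksumComparison` throws when `$externalHash` comes back empty, so that a change in the release-body format fails the build rather than passing the check.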