[Windows] Refactor helpers that verify hashsum and signature (#8886)

2025-12-29 12:58:00 +08:00 · 2023-11-30 09:22:14 +01:00
parent abb81511d4
commit 92e22bd8c6
17 changed files with 151 additions and 109 deletions
--- a/images/windows/scripts/build/Install-AliyunCli.ps1
+++ b/images/windows/scripts/build/Install-AliyunCli.ps1
@@ -12,10 +12,9 @@ $downloadUrl = ($assets.browser_download_url -ilike "*aliyun-cli-windows-*-amd64
 $packagePath = Invoke-DownloadWithRetry $downloadUrl

 #region Supply chain security - Alibaba Cloud CLI
-$fileHash = (Get-FileHash -Path $packagePath -Algorithm SHA256).Hash
 $hashUrl = ($assets.browser_download_url -ilike "*SHASUMS256.txt*") | Select-Object -First 1
 $externalHash = (Invoke-RestMethod -Uri $hashURL).ToString().Split("`n").Where({ $_ -ilike "*$installerFileName*" }).Split(' ')[0]
-Use-ChecksumComparison $fileHash $externalHash
+Test-FileChecksum $packagePath -ExpectedSHA256Sum $externalHash
 #endregion

 Write-Host "Expand aliyun-cli archive"
--- a/images/windows/scripts/build/Install-AndroidSDK.ps1
+++ b/images/windows/scripts/build/Install-AndroidSDK.ps1
@@ -35,7 +35,7 @@ function Install-AndroidSDKPackages {
        [Parameter(Mandatory = $true)]
        [AllowEmptyCollection()]
        [AllowNull()]
-        [string[]]$Packages
+        [string[]] $Packages
    )
    
    # The sdkmanager.bat script is used to install Android SDK packages.
@@ -63,11 +63,7 @@ $androidToolset = (Get-ToolsetContent).android
 $cmdlineToolsUrl = $androidToolset.commandline_tools_url
 $cmdlineToolsArchPath = Invoke-DownloadWithRetry $cmdlineToolsUrl

-#region Supply chain security
-$localFileHash = (Get-FileHash -Path $cmdlineToolsArchPath -Algorithm SHA256).Hash
-
-Use-ChecksumComparison -LocalFileHash $localFileHash -DistributorFileHash $androidToolset.hash
-#endregion
+Test-FileChecksum $cmdlineToolsArchPath -ExpectedSHA256Sum $androidToolset.hash

 Expand-7ZipArchive -Path $cmdlineToolsArchPath -DestinationPath "${SDKInstallRoot}\cmdline-tools"

--- a/images/windows/scripts/build/Install-Chocolatey.ps1
+++ b/images/windows/scripts/build/Install-Chocolatey.ps1
@@ -25,7 +25,7 @@ if ($userPath) {
 # Verify and run choco installer
 $signatureThumbprint = "83AC7D88C66CB8680BCE802E0F0F5C179722764B"
 $InstallScriptPath = Invoke-DownloadWithRetry 'https://chocolatey.org/install.ps1'
-Test-FileSignature -FilePath $InstallScriptPath -ExpectedThumbprint $signatureThumbprint
+Test-FileSignature -Path $InstallScriptPath -ExpectedThumbprint $signatureThumbprint
 Invoke-Expression $InstallScriptPath

 # Turn off confirmation
--- a/images/windows/scripts/build/Install-CloudFoundryCli.ps1
+++ b/images/windows/scripts/build/Install-CloudFoundryCli.ps1
@@ -21,6 +21,6 @@ Add-MachinePathItem $CloudFoundryCliPath

 # Validate cf signature
 $CloudFoundrySignatureThumbprint = "4C69EDD13930ED01B83DD1D17B09C434DC1F2177"
-Test-FileSignature -FilePath "$CloudFoundryCliPath\cf.exe" -ExpectedThumbprint $CloudFoundrySignatureThumbprint
+Test-FileSignature -Path "$CloudFoundryCliPath\cf.exe" -ExpectedThumbprint $CloudFoundrySignatureThumbprint

 Invoke-PesterTests -TestFile "CLI.Tools" -TestName "CloudFoundry CLI"
--- a/images/windows/scripts/build/Install-DotnetSDK.ps1
+++ b/images/windows/scripts/build/Install-DotnetSDK.ps1
@@ -22,7 +22,7 @@ function Get-SDKVersionsToInstall (
    $currentReleases = $currentReleases.'releases' | Where-Object { !$_.'release-version'.Contains('-') }

    $sdks = @()
-    ForEach ($release in $currentReleases) {
+    foreach ($release in $currentReleases) {
        $sdks += $release.'sdk'
        $sdks += $release.'sdks'
    }
@@ -30,7 +30,7 @@ function Get-SDKVersionsToInstall (
    return $sdks.version `
        | Sort-Object { [Version] $_ } -Unique `
        | Group-Object { $_.Substring(0, $_.LastIndexOf('.') + 2) } `
-        | Foreach-Object { $_.Group[-1] }
+        | ForEach-Object { $_.Group[-1] }
 }

 function Invoke-Warmup (
@@ -62,9 +62,7 @@ function InstallSDKVersion (

        #region Supply chain security
        $distributorFileHash = (Invoke-RestMethod -Uri "https://dotnetcli.blob.core.windows.net/dotnet/release-metadata/$dotnetVersion/releases.json").releases.sdks.Where({ $_.version -eq $SdkVersion }).files.Where({ $_.name -eq 'dotnet-sdk-win-x64.zip' }).hash
-        $localFileHash = (Get-FileHash -Path $ZipPath -Algorithm 'SHA512').Hash
-
-        Use-ChecksumComparison -LocalFileHash $localFileHash -DistributorFileHash $distributorFileHash
+        Test-FileChecksum $ZipPath -ExpectedSHA512Sum $distributorFileHash
        #endregion
    } else {
        Write-Host "Sdk version $sdkVersion already installed"
@@ -87,29 +85,23 @@ function InstallAllValidSdks() {
    $installationUrl = "https://dot.net/v1/${installationName}"
    Invoke-DownloadWithRetry -Url $installationUrl -Path ".\$installationName"

-    ForEach ($dotnetVersion in $dotnetVersions)
-    {
+    foreach ($dotnetVersion in $dotnetVersions) {
        $sdkVersionsToInstall = Get-SDKVersionsToInstall -DotnetVersion $dotnetVersion
-        
-        ForEach ($sdkVersion in $sdkVersionsToInstall)
-        {
+        foreach ($sdkVersion in $sdkVersionsToInstall) {
            InstallSDKVersion -SdkVersion $sdkVersion -DotnetVersion $dotnetVersion -Warmup $warmup
        }
    }
 }

-function InstallTools()
-{
+function InstallTools() {
    $dotnetTools = (Get-ToolsetContent).dotnet.tools

-    ForEach ($dotnetTool in $dotnetTools)
-    {
+    foreach ($dotnetTool in $dotnetTools) {
        dotnet tool install $($dotnetTool.name) --tool-path "C:\Users\Default\.dotnet\tools" --add-source https://api.nuget.org/v3/index.json | Out-Null
    }
 }

-function RunPostInstallationSteps()
-{
+function RunPostInstallationSteps() {
    # Add dotnet to PATH
    Add-MachinePathItem "C:\Program Files\dotnet"

--- a/images/windows/scripts/build/Install-EdgeDriver.ps1
+++ b/images/windows/scripts/build/Install-EdgeDriver.ps1
@@ -28,7 +28,7 @@ Expand-7ZipArchive -Path $archivePath -DestinationPath $edgeDriverPath

 #Validate the EdgeDriver signature
 $signatureThumbprint = "CB9C4FBEA1D87D2D468AC5A9CAAB0163F6AD8401"
-Test-FileSignature -FilePath "$edgeDriverPath\msedgedriver.exe" -ExpectedThumbprint $signatureThumbprint
+Test-FileSignature -Path "$edgeDriverPath\msedgedriver.exe" -ExpectedThumbprint $signatureThumbprint

 Write-Host "Setting the environment variables..."
 [Environment]::SetEnvironmentVariable("EdgeWebDriver", $EdgeDriverPath, "Machine")
--- a/images/windows/scripts/build/Install-Firefox.ps1
+++ b/images/windows/scripts/build/Install-Firefox.ps1
@@ -50,7 +50,7 @@ Expand-7ZipArchive -Path $GeckoDriverArchPath -DestinationPath $GeckoDriverPath

 # Validate Gecko WebDriver signature
 $GeckoDriverSignatureThumbprint = "1326B39C3D5D2CA012F66FB439026F7B59CB1974"
-Test-FileSignature -FilePath "$GeckoDriverPath/geckodriver.exe" -ExpectedThumbprint $GeckoDriverSignatureThumbprint
+Test-FileSignature -Path "$GeckoDriverPath/geckodriver.exe" -ExpectedThumbprint $GeckoDriverSignatureThumbprint

 Write-Host "Setting the environment variables..."
 Add-MachinePathItem -PathItem $GeckoDriverPath
--- a/images/windows/scripts/build/Install-JavaTools.ps1
+++ b/images/windows/scripts/build/Install-JavaTools.ps1
@@ -64,12 +64,7 @@ function Install-JavaJDK {
    # Download and extract java binaries to temporary folder
    $downloadUrl = $asset.binary.package.link
    $archivePath = Invoke-DownloadWithRetry $downloadUrl
-
-    #region Supply chain security - JDK
-    $fileHash = (Get-FileHash -Path $archivePath -Algorithm SHA256).Hash
-    $externalHash = $asset.binary.package.checksum
-    Use-ChecksumComparison $fileHash $externalHash
-    #endregion
+    Test-FileChecksum $archivePath -ExpectedSHA256Sum $asset.binary.package.checksum

    # We have to replace '+' sign in the version to '-' due to the issue with incorrect path in Android builds https://github.com/actions/runner-images/issues/3014
    $fullJavaVersion = $asset.version.semver -replace '\+', '-'
@@ -123,7 +118,7 @@ Install-ChocoPackage maven -ArgumentList "--version=$versionToInstall"
 Install-ChocoPackage gradle

 # Add maven env variables to Machine
-[string]$m2 = ([Environment]::GetEnvironmentVariable("PATH", "Machine")).Split(";") -match "maven"
+[string] $m2 = ([Environment]::GetEnvironmentVariable("PATH", "Machine")).Split(";") -match "maven"

 $m2_repo = 'C:\ProgramData\m2'
 New-Item -Path $m2_repo -ItemType Directory -Force | Out-Null
@@ -138,8 +133,7 @@ $sha256sum = '79479DDE416B082F38ECD1F2F7C6DEBD4D0C2249AF80FD046D1CE05D628F2EC6'
 $coberturaPath = "C:\cobertura-2.1.1"

 $archivePath = Invoke-DownloadWithRetry $uri
-$fileHash = (Get-FileHash -Path $archivePath -Algorithm SHA256).Hash
-Use-ChecksumComparison $fileHash $sha256sum
+Test-FileChecksum $archivePath -ExpectedSHA256Sum $sha256sum
 Expand-7ZipArchive -Path $archivePath -DestinationPath "C:\"

 [Environment]::SetEnvironmentVariable("COBERTURA_HOME", $coberturaPath, "Machine")
--- a/images/windows/scripts/build/Install-Kotlin.ps1
+++ b/images/windows/scripts/build/Install-Kotlin.ps1
@@ -14,9 +14,8 @@ $kotlinDownloadUrl = Resolve-GithubReleaseAssetUrl `
 $kotlinArchivePath = Invoke-DownloadWithRetry $kotlinDownloadUrl

 #region Supply chain security
-$fileHash = (Get-FileHash -Path $kotlinArchivePath -Algorithm SHA256).Hash
 $externalHash = Get-HashFromGitHubReleaseBody -RepoOwner "JetBrains" -RepoName "kotlin" -FileName "$kotlinBinaryName-*.zip" -Version $kotlinVersion -WordNumber 2
-Use-ChecksumComparison $fileHash $externalHash
+Test-FileChecksum $kotlinArchivePath -ExpectedSHA256Sum $externalHash
 #endregion

 Write-Host "Expand Kotlin archive"
--- a/images/windows/scripts/build/Install-KubernetesTools.ps1
+++ b/images/windows/scripts/build/Install-KubernetesTools.ps1
@@ -14,10 +14,9 @@ $null = New-Item -Path $destFilePath -ItemType Directory -Force
 $packagePath = Invoke-DownloadWithRetry -Url $kindDownloadLink -Path "$destFilePath\kind.exe"

 #region Supply chain security - Kind
-$fileHash = (Get-FileHash -Path $packagePath -Algorithm SHA256).Hash
 $hashUrl = ($assets.browser_download_url -match "kind-windows-amd64.sha256sum") | Select-Object -First 1
 $externalHash = (Invoke-RestMethod -Uri $hashURL).ToString().Split("`n").Where({ $_ -ilike "*kind-windows-amd64*" }).Split(' ')[0]
-Use-ChecksumComparison $fileHash $externalHash
+Test-FileChecksum $packagePath -ExpectedSHA256Sum $externalHash
 #endregion

 Add-MachinePathItem $destFilePath
--- a/images/windows/scripts/build/Install-Msys2.ps1
+++ b/images/windows/scripts/build/Install-Msys2.ps1
@@ -21,10 +21,9 @@ function Install-Msys2 {
  Write-Host "Finished download"

  #region Supply chain security - Kind
-  $fileHash = (Get-FileHash -Path $msys2File -Algorithm SHA256).Hash
  $hashUrl = ($assets.browser_download_url -match "msys2-checksums.txt") | Select-Object -First 1
  $externalHash = (Invoke-RestMethod -Uri $hashURL).ToString().Split("`n").Where({ $_ -ilike "*msys2-x86_64*" }).Split(' ')[0]
-  Use-ChecksumComparison $fileHash $externalHash
+  Test-FileChecksum $msys2File -ExpectedSHA256Sum $externalHash
  #endregion

  # extract tar.xz to C:\
--- a/images/windows/scripts/build/Install-PyPy.ps1
+++ b/images/windows/scripts/build/Install-PyPy.ps1
@@ -7,8 +7,8 @@
 function Install-PyPy
 {
    param(
-        [String]$PackagePath,
-        [String]$Architecture
+        [String] $PackagePath,
+        [String] $Architecture
    )

    # Create PyPy toolcache folder
@@ -102,16 +102,13 @@ foreach($toolsetVersion in $toolsetVersions.versions)
        $tempPyPyPackagePath = Invoke-DownloadWithRetry $latestMajorPyPyVersion.download_url

        #region Supply chain security
-        $localFileHash = (Get-FileHash -Path $tempPyPyPackagePath -Algorithm SHA256).Hash
        $distributorFileHash = $null
-
-        ForEach($node in $checksums) {
-            if($node.InnerText -ilike "*${filename}*") {
+        foreach ($node in $checksums) {
+            if ($node.InnerText -ilike "*${filename}*") {
                $distributorFileHash = $node.InnerText.ToString().Split("`n").Where({ $_ -ilike "*${filename}*" }).Split(' ')[0]
            }
        }
-        
-        Use-ChecksumComparison -LocalFileHash $localFileHash -DistributorFileHash $distributorFileHash
+        Test-FileChecksum $tempPyPyPackagePath -ExpectedSHA256Sum $distributorFileHash
        #endregion

        Install-PyPy -PackagePath $tempPyPyPackagePath -Architecture $toolsetVersions.arch
--- a/images/windows/scripts/build/Install-Rust.ps1
+++ b/images/windows/scripts/build/Install-Rust.ps1
@@ -13,10 +13,8 @@ $env:CARGO_HOME = "C:\Users\Default\.cargo"
 $rustupPath = Invoke-DownloadWithRetry "https://static.rust-lang.org/rustup/dist/x86_64-pc-windows-msvc/rustup-init.exe"

 #region Supply chain security
-$localFileHash = (Get-FileHash -Path (Join-Path ${env:TEMP} 'rustup-init.exe') -Algorithm SHA256).Hash
 $distributorFileHash = (Invoke-RestMethod -Uri 'https://static.rust-lang.org/rustup/dist/x86_64-pc-windows-msvc/rustup-init.exe.sha256').Trim()
-
-Use-ChecksumComparison -LocalFileHash $localFileHash -DistributorFileHash $distributorFileHash
+Test-FileChecksum (Join-Path ${env:TEMP} 'rustup-init.exe') -ExpectedSHA256Sum $distributorFileHash
 #endregion

 # Install Rust by running rustup-init.exe (disabling the confirmation prompt with -y)
--- a/images/windows/scripts/build/Install-Stack.ps1
+++ b/images/windows/scripts/build/Install-Stack.ps1
@@ -16,10 +16,9 @@ $DestinationPath = Join-Path $StackToolcachePath "x64"
 $StackArchivePath = Invoke-DownloadWithRetry $DownloadUrl

 #region Supply chain security - Stack
-$fileHash = (Get-FileHash -Path $StackArchivePath -Algorithm SHA256).Hash
 $hashUrl = $StackReleasesJson.assets | Where-Object { $_.name.EndsWith("$DownloadFilePattern.sha256") } | Select-Object -ExpandProperty "browser_download_url" -First 1
 $externalHash = (Invoke-RestMethod -Uri $hashURL).ToString().Split("`n").Where({ $_ -ilike "*$DownloadFilePattern*" }).Split(' ')[0]
-Use-ChecksumComparison $fileHash $externalHash
+Test-FileChecksum $StackArchivePath -ExpectedSHA256Sum $externalHash
 #endregion

 Write-Host "Expand stack archive"