From ac365421b0d228bbbb731e349190151c23a731f8 Mon Sep 17 00:00:00 2001
From: ilia-shipitsin <125650415+ilia-shipitsin@users.noreply.github.com>
Date: Mon, 25 Sep 2023 11:51:41 +0200
Subject: [PATCH] [windows] implement checksum validation for rustup (#8314)

---
 images/win/scripts/Installers/Install-Rust.ps1 | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/images/win/scripts/Installers/Install-Rust.ps1 b/images/win/scripts/Installers/Install-Rust.ps1
index 1942b6b9..5778fd37 100644
--- a/images/win/scripts/Installers/Install-Rust.ps1
+++ b/images/win/scripts/Installers/Install-Rust.ps1
@@ -1,6 +1,7 @@
 ################################################################################
 ## File: Install-Rust.ps1
 ## Desc: Install Rust for Windows
+## Supply chain security: checksum validation for bootstrap, managed by rustup for workloads
 ################################################################################
 
 # Rust Env
@@ -11,6 +12,13 @@ $env:CARGO_HOME = "C:\Users\Default\.cargo"
 # See https://rustup.rs/#
 $rustupPath = Start-DownloadWithRetry -Url "https://static.rust-lang.org/rustup/dist/x86_64-pc-windows-msvc/rustup-init.exe" -Name "rustup-init.exe"
 
+#region Supply chain security
+$localFileHash = (Get-FileHash -Path (Join-Path ${env:TEMP} 'rustup-init.exe') -Algorithm SHA256).Hash
+$distributorFileHash = (Invoke-RestMethod -Uri 'https://static.rust-lang.org/rustup/dist/x86_64-pc-windows-msvc/rustup-init.exe.sha256').Trim()
+
+Use-ChecksumComparison -LocalFileHash $localFileHash -DistributorFileHash $distributorFileHash
+#endregion
+
 # Install Rust by running rustup-init.exe (disabling the confirmation prompt with -y)
 & $rustupPath -y --default-toolchain=stable --profile=minimal
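Review bot: The new `$localFileHash` line hashes a path rebuilt from `${env:TEMP}` instead of `$rustupPath`, the path Start-DownloadWithRetry actually returned two lines above and the one that is later executed; if that helper ever stores the file elsewhere or under another name, the check hashes the wrong file (or errors out) rather than the binary being run. Hashing the returned path keeps the verified file and the executed file the same: `$localFileHash = (Get-FileHash -Path $rustupPath -Algorithm SHA256).Hash`. The `.sha256` file is fetched from the same origin as the binary, so this validates against a corrupted or substituted download in transit rather than against a compromised publisher; a one-line comment in the `#region` stating that scope would help the next reader. It is also worth confirming that the `.sha256` body is the bare hex digest — if it is in `sha256sum` form (`<digest>  <filename>`), `.Trim()` alone leaves the filename attached and the outcome then depends on how Use-ChecksumComparison normalizes its input, which is not visible here.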