From e1bcc61827c083a463e1b9500d6121b03985b38e Mon Sep 17 00:00:00 2001
From: Erik Bershel <110455084+erik-bershel@users.noreply.github.com>
Date: Wed, 4 Oct 2023 14:59:44 +0200
Subject: [PATCH] [Windows] Add checksum validation for JDKs (#8404)

---
 images/win/scripts/Installers/Install-JavaTools.ps1 | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/images/win/scripts/Installers/Install-JavaTools.ps1 b/images/win/scripts/Installers/Install-JavaTools.ps1
index c02a1aff..a5f7e31a 100644
--- a/images/win/scripts/Installers/Install-JavaTools.ps1
+++ b/images/win/scripts/Installers/Install-JavaTools.ps1
@@ -1,6 +1,7 @@
 ################################################################################
 ## File: Install-JavaTools.ps1
 ## Desc: Install various JDKs and java tools
+## Supply chain security: JDK - checksum validation
 ################################################################################
 
 function Set-JavaPath {
@@ -64,6 +65,12 @@ function Install-JavaJDK {
     $downloadUrl = $asset.binary.package.link
     $archivePath = Start-DownloadWithRetry -Url $downloadUrl -Name $([IO.Path]::GetFileName($downloadUrl))
 
+    #region Supply chain security - JDK
+    $fileHash = (Get-FileHash -Path $archivePath -Algorithm SHA256).Hash
+    $externalHash = $asset.binary.package.checksum
+    Use-ChecksumComparison $fileHash $externalHash
+    #endregion
+
     # We have to replace '+' sign in the version to '-' due to the issue with incorrect path in Android builds https://github.com/actions/runner-images/issues/3014
     $fullJavaVersion = $asset.version.semver -replace '\+', '-'
     # Create directories in toolcache path
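Review bot: The expected value read into `$externalHash` on the new `$asset.binary.package.checksum` line is never checked for presence before `Use-ChecksumComparison` runs, so an asset whose metadata omits the checksum reaches the comparison with an empty expected hash, and whether that fails or silently passes depends on `Use-ChecksumComparison`, which is defined outside this hunk. Adding `if ([string]::IsNullOrEmpty($externalHash)) { throw "No checksum published for $downloadUrl" }` before the comparison makes that outcome explicit. Note also that the checksum and the download link come from the same `$asset` object, so this verifies that the archive matches the publisher's metadata as downloaded, not that the metadata source itself is trustworthy; the `#region` comment could state that scope. Get-FileHash returns uppercase hex, so the helper's comparison must be case-insensitive if the published value is lowercase — worth confirming. Install-JavaJDK starts and ends outside the hunk.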