diff --git a/images/win/scripts/Installers/Install-Docker.ps1 b/images/win/scripts/Installers/Install-Docker.ps1
index ce10c891..cf93e547 100644
--- a/images/win/scripts/Installers/Install-Docker.ps1
+++ b/images/win/scripts/Installers/Install-Docker.ps1
@@ -3,8 +3,23 @@
 ## Desc: Install Docker.
 ## Must be an independent step because it requires a restart before we
 ## can continue.
+## Supply chain security: (docker-wincred) checksum validation
 ################################################################################
 
+#region functions
+Function Get-DockerWincredHash
+{
+ Param (
+ [Parameter(Mandatory = $True)]
+ [string] $Release
+)
+
+ $hashURL = "https://github.com/docker/docker-credential-helpers/releases/download/${Release}/checksums.txt "
+ (Invoke-RestMethod -Uri $hashURL).ToString().Split("`n").Where({ $_ -ilike "*docker-credential-wincred-${Release}.windows-amd64.exe*" }).Split(' ')[0]
+
+}
+#endregion
+
 Write-Host "Get latest release of Docker CE"
 $mobyLatestReleaseVersion = (Invoke-RestMethod -Uri "https://api.github.com/repos/moby/moby/releases/latest").tag_name.Trim("v")
 $dockerceUrl = "https://download.docker.com/win/static/stable/x86_64/"
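Review bot: Get-DockerWincredHash returns $null instead of failing when no line of checksums.txt matches the `-ilike` filter (renamed asset, empty or HTML response), so the problem only surfaces later as a confusing mismatch against an empty expected hash. Bind the filtered lines first and throw inside the function when nothing matched: `$entry = (Invoke-RestMethod -Uri $hashURL).ToString().Split("`n").Where({ $_ -ilike "*docker-credential-wincred-${Release}.windows-amd64.exe*" })`, `if (-not $entry) { throw "No checksum entry for docker-credential-wincred ${Release} in ${hashURL}" }`, then `$entry[0].Split(' ')[0]`. The URL literal also ends in `checksums.txt "` with a space before the closing quote; the Uri parser presumably trims it, but it should be removed rather than relied on. A header comment stating the contract would help too: `# Returns the SHA256 from the release's checksums.txt for the windows-amd64 wincred binary; $Release must be the release tag used in the asset file name.`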
@@ -49,6 +64,17 @@ $dockerCredLatestRelease = Invoke-RestMethod -Uri "https://api.github.com/repos/
 $dockerCredDownloadUrl = $dockerCredLatestRelease.assets.browser_download_url -match "docker-credential-wincred-.+\.exe" | Select-Object -First 1
 Start-DownloadWithRetry -Url $dockerCredDownloadUrl -DownloadPath "C:\Windows\System32" -Name "docker-credential-wincred.exe"
 
+#region Supply chain security
+$distributor_file_hash = Get-DockerWincredHash -Release $dockerCredLatestRelease.name
+$local_file_hash = (Get-FileHash -Path 'C:\Windows\System32\docker-credential-wincred.exe' -Algorithm SHA256).Hash
+
+if ($local_file_hash -ne $distributor_file_hash) {
+ Write-Host "hash must be equal to: ${distributor_file_hash}"
+ Write-Host "actual hash is: ${local_file_hash}"
+ throw 'Checksum verification failed, please rerun install'
+}
+#endregion
+
 Write-Host "Download docker images"
 $dockerImages = (Get-ToolsetContent).docker.images
 foreach ($dockerImage in $dockerImages) {
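Review bot: The checksum is checked only after Start-DownloadWithRetry has already placed docker-credential-wincred.exe in C:\Windows\System32, so on mismatch the throw leaves an unverified binary on the image's PATH. Either download to a temporary location and move the file only after the hashes agree, or at minimum delete it in the failure branch before throwing: `Remove-Item -Force -Path 'C:\Windows\System32\docker-credential-wincred.exe'`. The comparison relies on `-ne` being case-insensitive, since Get-FileHash returns uppercase hex while checksums.txt is typically lowercase; a comment such as `# -ne is case-insensitive: Get-FileHash is uppercase, checksums.txt lowercase` would stop someone "hardening" it to `-cne`. The release identifier passed to Get-DockerWincredHash is `$dockerCredLatestRelease.name`, whereas the asset pattern in the helper expects the tag form; if a release's display name ever differs from its tag_name the lookup returns nothing and every install fails, so `.tag_name` is presumably the safer field — confirm against the API response.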