actions/runner-images-sangeeth
1
0
Fork 0
mirror of https://github.com/actions/runner-images-sangeeth.git synced 2025-12-20 06:29:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

[windows] implement checksum validation for docker-wincred (#8256)

Browse Source
This commit is contained in:
ilia-shipitsin
2023-09-12 10:05:26 +02:00
committed by GitHub
parent 9a4861b4ee
commit f5bbdcbe4f
1 changed files with 26 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
images/win/scripts/Installers/Install-Docker.ps1
View File

@@ -3,8 +3,23 @@
## Desc: Install Docker. ## Desc: Install Docker.
## Must be an independent step because it requires a restart before we ## Must be an independent step because it requires a restart before we
## can continue. ## can continue.
## Supply chain security: (docker-wincred) checksum validation
################################################################################ ################################################################################
#region functions
Function Get-DockerWincredHash
{
Param (
[Parameter(Mandatory = $True)]
[string] $Release
)
$hashURL = "https://github.com/docker/docker-credential-helpers/releases/download/${Release}/checksums.txt "
(Invoke-RestMethod -Uri $hashURL).ToString().Split("`n").Where({ $_ -ilike "*docker-credential-wincred-${Release}.windows-amd64.exe*" }).Split(' ')[0]
}
#endregion
Write-Host "Get latest release of Docker CE" Write-Host "Get latest release of Docker CE"
$mobyLatestReleaseVersion = (Invoke-RestMethod -Uri "https://api.github.com/repos/moby/moby/releases/latest").tag_name.Trim("v") $mobyLatestReleaseVersion = (Invoke-RestMethod -Uri "https://api.github.com/repos/moby/moby/releases/latest").tag_name.Trim("v")
$dockerceUrl = "https://download.docker.com/win/static/stable/x86_64/" $dockerceUrl = "https://download.docker.com/win/static/stable/x86_64/"
@@ -49,6 +64,17 @@ $dockerCredLatestRelease = Invoke-RestMethod -Uri "https://api.github.com/repos/
$dockerCredDownloadUrl = $dockerCredLatestRelease.assets.browser_download_url -match "docker-credential-wincred-.+\.exe" | Select-Object -First 1 $dockerCredDownloadUrl = $dockerCredLatestRelease.assets.browser_download_url -match "docker-credential-wincred-.+\.exe" | Select-Object -First 1
Start-DownloadWithRetry -Url $dockerCredDownloadUrl -DownloadPath "C:\Windows\System32" -Name "docker-credential-wincred.exe" Start-DownloadWithRetry -Url $dockerCredDownloadUrl -DownloadPath "C:\Windows\System32" -Name "docker-credential-wincred.exe"
#region Supply chain security
$distributor_file_hash = Get-DockerWincredHash -Release $dockerCredLatestRelease.name
$local_file_hash = (Get-FileHash -Path 'C:\Windows\System32\docker-credential-wincred.exe' -Algorithm SHA256).Hash
if ($local_file_hash -ne $distributor_file_hash) {
Write-Host "hash must be equal to: ${distributor_file_hash}"
Write-Host "actual hash is: ${local_file_hash}"
throw 'Checksum verification failed, please rerun install'
}
#endregion
Write-Host "Download docker images" Write-Host "Download docker images"
$dockerImages = (Get-ToolsetContent).docker.images $dockerImages = (Get-ToolsetContent).docker.images
foreach ($dockerImage in $dockerImages) { foreach ($dockerImage in $dockerImages) {