From fe051ba2ba91a7d5ee27b8ffc240fafb8e92892f Mon Sep 17 00:00:00 2001 From: Erik Bershel <110455084+erik-bershel@users.noreply.github.com> Date: Mon, 25 Sep 2023 11:58:47 +0200 Subject: [PATCH] [Windows] Add checksum verification for Git (#8317) --- images/win/scripts/Installers/Install-Git.ps1 | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/images/win/scripts/Installers/Install-Git.ps1 b/images/win/scripts/Installers/Install-Git.ps1 index eac13412..fdada883 100644 --- a/images/win/scripts/Installers/Install-Git.ps1 +++ b/images/win/scripts/Installers/Install-Git.ps1 @@ -1,16 +1,24 @@ ################################################################################ ## File: Install-Git.ps1 ## Desc: Install Git for Windows +## Supply chain security: Git - checksum validation, Hub CLI - managed by package manager ################################################################################ Import-Module "$env:ChocolateyInstall\helpers\chocolateyProfile.psm1" # Install the latest version of Git for Windows -$gitReleases = Invoke-RestMethod "https://api.github.com/repos/git-for-windows/git/releases/latest" +$repoURL = "https://api.github.com/repos/git-for-windows/git/releases/latest" +$gitReleases = Invoke-RestMethod $repoURL [string]$downloadUrl = $gitReleases.assets.browser_download_url -match "Git-.+-64-bit.exe" - $installerFile = Split-Path $downloadUrl -Leaf -Install-Binary -Url $downloadUrl ` - -Name $installerFile ` +$packagePath = Start-DownloadWithRetry -Url $downloadUrl -Name $installerFile + +#region Supply chain security - Git +$fileHash = (Get-FileHash -Path $packagePath -Algorithm SHA256).Hash +$externalHash = Get-HashFromGitHubReleaseBody -Url $RepoURL -FileName $installerFile +Use-ChecksumComparison $fileHash $externalHash +#endregion + +Install-Binary -FilePath $packagePath ` -ArgumentList ( "/VERYSILENT", ` "/NORESTART", `
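Review bot: The expected hash in the `#region Supply chain security - Git` block is read from the body of the same GitHub release that serves the installer, so it catches a corrupted or swapped download but not a release whose asset and notes were changed together. A comment there would stop the header's "checksum validation" line being over-read, e.g. `# Hash comes from the same release as the binary: integrity check only, not an independent trust anchor`. `Get-HashFromGitHubReleaseBody -Url $RepoURL` appears to query `releases/latest` a second time (the helper is not visible in this hunk), so a release published between the two requests would compare a new hash against the older installer; taking the hash from the already-fetched `$gitReleases` response, or from that release's own URL, would keep both lookups on one release. It is also worth confirming that `Use-ChecksumComparison` throws when `$externalHash` is empty, because a change in the release-note format would otherwise fail quietly. `$RepoURL` differs in case from the `$repoURL` assignment, which PowerShell resolves but is tidier when matched; the `Install-Binary` call continues past the end of the hunk.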