From 164eb6cdc2e440c41c6debbf0ba044fa97e3e4b7 Mon Sep 17 00:00:00 2001
From: Erik Bershel <110455084+erik-bershel@users.noreply.github.com>
Date: Fri, 17 Nov 2023 11:36:37 +0100
Subject: [PATCH] [Ubuntu] Pin SHA256 for PhantomJS and libssl1.1 (#8799)

---
 images/ubuntu/scripts/build/phantomjs.sh  | 10 ++++++----
 images/ubuntu/scripts/build/sqlpackage.sh |  2 ++
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/images/ubuntu/scripts/build/phantomjs.sh b/images/ubuntu/scripts/build/phantomjs.sh
index 0708810f2..1be03c836 100644
--- a/images/ubuntu/scripts/build/phantomjs.sh
+++ b/images/ubuntu/scripts/build/phantomjs.sh
@@ -9,9 +9,11 @@ source $HELPER_SCRIPTS/install.sh
 
 # Install PhantomJS
 apt-get install -y chrpath libssl-dev libxft-dev libfreetype6 libfreetype6-dev libfontconfig1 libfontconfig1-dev
-PHANTOM_JS=phantomjs-2.1.1-linux-x86_64
-download_with_retries https://bitbucket.org/ariya/phantomjs/downloads/$PHANTOM_JS.tar.bz2 "/tmp"
-tar xjf /tmp/$PHANTOM_JS.tar.bz2 -C /usr/local/share
-ln -sf /usr/local/share/$PHANTOM_JS/bin/phantomjs /usr/local/bin
+phantom_js=phantomjs-2.1.1-linux-x86_64
+download_with_retries https://bitbucket.org/ariya/phantomjs/downloads/$phantom_js.tar.bz2 "/tmp"
+phantom_js_hash="86dd9a4bf4aee45f1a84c9f61cf1947c1d6dce9b9e8d2a907105da7852460d2f"
+use_checksum_comparison "/tmp/${phantom_js}.tar.bz2" "${phantom_js_hash}"
+tar xjf /tmp/$phantom_js.tar.bz2 -C /usr/local/share
+ln -sf /usr/local/share/$phantom_js/bin/phantomjs /usr/local/bin
 
 invoke_tests "Tools" "Phantomjs"
diff --git a/images/ubuntu/scripts/build/sqlpackage.sh b/images/ubuntu/scripts/build/sqlpackage.sh
index c78f2169b..d0f9c27b2 100644
--- a/images/ubuntu/scripts/build/sqlpackage.sh
+++ b/images/ubuntu/scripts/build/sqlpackage.sh
@@ -11,6 +11,8 @@ source $HELPER_SCRIPTS/os.sh
 # Install libssl1.1 dependency
 if isUbuntu22; then
     download_with_retries "http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.1_1.1.1f-1ubuntu2.20_amd64.deb" "/tmp"
+    libssl_hash="0b3251aee55db6e20d02f4b9a2b703c9874a85ab6a20b12f4870f52f91633d37"
+    use_checksum_comparison "/tmp/libssl1.1_1.1.1f-1ubuntu2.20_amd64.deb" "${libssl_hash}"
     dpkg -i /tmp/libssl1.1_1.1.1f-1ubuntu2.20_amd64.deb
 fi