From 50ae10289a1d019551858f6a174f78d2e212bed4 Mon Sep 17 00:00:00 2001
From: sergei-pyshnoi <121864472+sergei-pyshnoi@users.noreply.github.com>
Date: Fri, 17 Nov 2023 16:31:49 +0100
Subject: [PATCH] [Ubuntu] Pin sha256 for docker-compose and Alibaba Cloud CLI (#8790)

* pin sha256 for docker-compose and Alibaba Cloud CLI

* fix syntax in condition
---
 images/ubuntu/scripts/build/aliyun-cli.sh | 8 ++++++--
 images/ubuntu/scripts/build/docker-compose.sh | 2 +-
 images/ubuntu/toolsets/toolset-2004.json | 3 ++-
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/images/ubuntu/scripts/build/aliyun-cli.sh b/images/ubuntu/scripts/build/aliyun-cli.sh
index d5495085d..33a8bf084 100644
--- a/images/ubuntu/scripts/build/aliyun-cli.sh
+++ b/images/ubuntu/scripts/build/aliyun-cli.sh
@@ -14,7 +14,6 @@ source $HELPER_SCRIPTS/install.sh
 if isUbuntu20; then
 toolset_version=$(get_toolset_value '.aliyunCli.version')
 download_url="https://github.com/aliyun/aliyun-cli/releases/download/v$toolset_version/aliyun-cli-linux-$toolset_version-amd64.tgz"
- hash_url="https://github.com/aliyun/aliyun-cli/releases/download/v$toolset_version/SHASUMS256.txt"
 else
 download_url=$(get_github_package_download_url "aliyun/aliyun-cli" "contains(\"aliyun-cli-linux\") and endswith(\"amd64.tgz\")")
 hash_url="https://github.com/aliyun/aliyun-cli/releases/latest/download/SHASUMS256.txt"
@@ -24,7 +23,12 @@ package_name="aliyun-cli-linux-amd64.tgz"
 download_with_retries "$download_url" "/tmp" "$package_name"
 
 # Supply chain security - Alibaba Cloud CLI
-external_hash=$(get_hash_from_remote_file "$hash_url" "aliyun-cli-linux" "amd64.tgz")
+if isUbuntu20; then
+ external_hash=$(get_toolset_value '.aliyunCli.sha256')
+else
+ external_hash=$(get_hash_from_remote_file "$hash_url" "aliyun-cli-linux" "amd64.tgz")
+fi
+
 use_checksum_comparison "/tmp/$package_name" "$external_hash"
 tar xzf "/tmp/$package_name"
 
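Review bot: The Ubuntu 20.04 branch of the new `if isUbuntu20` block in the second hunk passes whatever `get_toolset_value '.aliyunCli.sha256'` returns straight to `use_checksum_comparison`; if the key is ever missing from the toolset the value is presumably empty or `null`, and how the comparison helper treats that is not visible here. A guard such as `[[ -n "$external_hash" && "$external_hash" != "null" ]] || { echo "aliyunCli.sha256 missing from toolset" >&2; exit 1; }` makes the pin fail closed on its own rather than depending on the helper. The `isUbuntu20` decision is now taken twice, once for the URLs in the first hunk and once for the hash source; since the hash choice does not depend on the download, `external_hash` could be assigned in the first hunk's if/else and the now-unused 20.04 `hash_url` dropped with it. Because the toolset JSON cannot carry a comment, the coupling belongs in the script, e.g. `# .aliyunCli.sha256 is the digest of the exact .aliyunCli.version archive; update both together`. The script's top-level statements continue outside both hunks.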
diff --git a/images/ubuntu/scripts/build/docker-compose.sh b/images/ubuntu/scripts/build/docker-compose.sh
index a7383baa9..8720c3f28 100644
--- a/images/ubuntu/scripts/build/docker-compose.sh
+++ b/images/ubuntu/scripts/build/docker-compose.sh
@@ -13,7 +13,7 @@ URL="https://github.com/docker/compose/releases/download/1.29.2/docker-compose-L
 curl -fsSL "${URL}" -o /tmp/docker-compose-v1
 
 # Supply chain security - Docker Compose v1
-external_hash=$(get_hash_from_remote_file "${URL}.sha256" "compose-Linux-x86_64")
+external_hash="f3f10cf3dbb8107e9ba2ea5f23c1d2159ff7321d16f0a23051d68d8e2547b323"
 use_checksum_comparison "/tmp/docker-compose-v1" "${external_hash}"
 install /tmp/docker-compose-v1 /usr/local/bin/docker-compose
diff --git a/images/ubuntu/toolsets/toolset-2004.json b/images/ubuntu/toolsets/toolset-2004.json
index b326f5168..316441426 100644
--- a/images/ubuntu/toolsets/toolset-2004.json
+++ b/images/ubuntu/toolsets/toolset-2004.json
@@ -369,6 +369,7 @@
 "version": "7.2"
 },
 "aliyunCli": {
- "version": "3.0.174"
+ "version": "3.0.174",
+ "sha256": "0c51028a7a32fc02c8de855f73e273556f957115eb5624565738f9b9f83a50ba"
 }
 }
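Review bot: The new `external_hash` literal is bound to the `1.29.2` release hard-coded in `URL` (visible only in the hunk header context), but nothing in the file records that the two must change together, and the same commit moves the equivalent aliyunCli pin into `toolset-2004.json` while leaving this one inline in the script. Either document the coupling directly above the assignment, e.g. `# sha256 of docker-compose-Linux-x86_64 for the 1.29.2 release named in URL; update both together`, or read it from the toolset the way aliyun-cli.sh now does, so both pins are maintained in one place. Replacing the `.sha256` download with a literal is the right direction for integrity, since the digest no longer comes from the same origin as the binary, and a stale literal will fail the build rather than pass silently; that is worth stating in the comment so the next version bump is not mistaken for a helper regression. The script's top-level statements continue outside the hunk.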