From 62536f12ed3388e010a85f64a9ee3ce4e8353b07 Mon Sep 17 00:00:00 2001
From: sergei-pyshnoi <121864472+sergei-pyshnoi@users.noreply.github.com>
Date: Fri, 15 Dec 2023 11:28:17 +0100
Subject: [PATCH] pin sha for macos packages (#9001)
---
 images/macos/scripts/build/install-mono.sh | 5 +++++
 images/macos/scripts/build/install-python.sh | 2 ++
 images/macos/scripts/helpers/utils.sh | 22 ++++++++++++++++++++
 images/macos/toolsets/toolset-13.json | 6 ++++--
 images/macos/toolsets/toolset-14.json | 6 ++++--
 5 files changed, 37 insertions(+), 4 deletions(-)
diff --git a/images/macos/scripts/build/install-mono.sh b/images/macos/scripts/build/install-mono.sh
index cc4795144..1fa6e29f4 100644
--- a/images/macos/scripts/build/install-mono.sh
+++ b/images/macos/scripts/build/install-mono.sh
@@ -9,22 +9,27 @@ source ~/utils/utils.sh
 # Install Mono Framework
 MONO_VERSION_FULL=$(get_toolset_value '.mono.framework.version')
+MONO_PKG_SHA256=$(get_toolset_value '.mono.framework.sha256')
 MONO_VERSION=$(echo "$MONO_VERSION_FULL" | cut -d. -f 1,2,3)
 MONO_VERSION_SHORT=$(echo $MONO_VERSION_FULL | cut -d. -f 1,2)
 MONO_PKG_URL="https://download.mono-project.com/archive/${MONO_VERSION}/macos-10-universal/MonoFramework-MDK-${MONO_VERSION_FULL}.macos10.xamarin.universal.pkg"
 MONO_VERSIONS_PATH='/Library/Frameworks/Mono.framework/Versions'
 MONO_PKG_PATH=$(download_with_retry "$MONO_PKG_URL")
+use_checksum_comparison "$MONO_PKG_PATH" "$MONO_PKG_SHA256"
+
 echo "Installing Mono Framework ${MONO_VERSION_FULL}..."
 sudo installer -pkg "$MONO_PKG_PATH" -target /
 # Download and install NUnit console
 NUNIT_VERSION=$(get_toolset_value '.mono.nunit.version')
 NUNIT_ARCHIVE_URL="https://github.com/nunit/nunit-console/releases/download/${NUNIT_VERSION}/NUnit.Console-${NUNIT_VERSION}.zip"
+NUNIT_ARCHIVE_SHA256=$(get_toolset_value '.mono.nunit.sha256')
 NUNIT_PATH="/Library/Developer/nunit"
 NUNIT_VERSION_PATH="$NUNIT_PATH/$NUNIT_VERSION"
 NUNIT_ARCHIVE_PATH=$(download_with_retry "$NUNIT_ARCHIVE_URL")
+use_checksum_comparison "$NUNIT_ARCHIVE_PATH" "$NUNIT_ARCHIVE_SHA256"
 echo "Installing NUnit ${NUNIT_VERSION}..."
 sudo mkdir -p "$NUNIT_VERSION_PATH"
 sudo unzip -q "$NUNIT_ARCHIVE_PATH" -d "$NUNIT_VERSION_PATH"
diff --git a/images/macos/scripts/build/install-python.sh b/images/macos/scripts/build/install-python.sh
index 978a19340..91269d19f 100644
--- a/images/macos/scripts/build/install-python.sh
+++ b/images/macos/scripts/build/install-python.sh
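Review bot: In install-mono.sh, `MONO_PKG_SHA256` and `NUNIT_ARCHIVE_SHA256` are passed to `use_checksum_comparison` without a check that the toolset actually supplied a digest. Only toolset-13.json and toolset-14.json gain `sha256` keys in this commit, so a toolset without them (none is visible here) would presumably hand the helper an empty or `null` string; the comparison still fails closed, but the log would show a meaningless expected hash. A guard right after each lookup makes the cause explicit, e.g. `[[ "$MONO_PKG_SHA256" =~ ^[0-9a-f]{64}$ ]] || { echo "mono.framework.sha256 missing or malformed in toolset" >&2; exit 1; }`, with the same line for `NUNIT_ARCHIVE_SHA256`.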
@@ -11,6 +11,8 @@ echo "Installing Python Tooling"
 if is_Monterey || is_BigSur; then
 echo "Install latest Python 2"
 python2_pkg=$(download_with_retry "https://www.python.org/ftp/python/2.7.18/python-2.7.18-macosx10.9.pkg")
+ python2_pkg_sha256="c570f38b05dd8b112ad21b418cdf51a9816d62f9f44746452739d421be24d50c"
+ use_checksum_comparison "$python2_pkg" "$python2_pkg_sha256"
 choice_changes_xml=$(mktemp /tmp/python2_choice_changes.xml.XXXXXX)
 sudo installer -showChoiceChangesXML -pkg "$python2_pkg" -target / | tee "$choice_changes_xml" > /dev/null
diff --git a/images/macos/scripts/helpers/utils.sh b/images/macos/scripts/helpers/utils.sh
index cb644b41c..2954ff0c6 100644
--- a/images/macos/scripts/helpers/utils.sh
+++ b/images/macos/scripts/helpers/utils.sh
@@ -235,3 +235,25 @@ get_arch() {
 echo "x64"
 fi
 }
+
+use_checksum_comparison() {
+ local file_path=$1
+ local checksum=$2
+ local sha_type=${3:-"256"}
+
+ echo "Performing checksum verification"
+
+ if [[ ! -f "$file_path" ]]; then
+ echo "File not found: $file_path"
+ exit 1
+ fi
+
+ local_file_hash=$(shasum --algorithm "$sha_type" "$file_path" | awk '{print $1}')
+
+ if [[ "$local_file_hash" != "$checksum" ]]; then
+ echo "Checksum verification failed. Expected hash: $checksum; Actual hash: $local_file_hash."
+ exit 1
+ else
+ echo "Checksum verification passed"
+ fi
+}
diff --git a/images/macos/toolsets/toolset-13.json b/images/macos/toolsets/toolset-13.json
index ced440632..8ae38ebe1 100644
--- a/images/macos/toolsets/toolset-13.json
+++ b/images/macos/toolsets/toolset-13.json
@@ -222,10 +222,12 @@
 },
 "mono": {
 "framework":{
- "version": "6.12.0.188"
+ "version": "6.12.0.188",
+ "sha256": "07cdd4e5e72b562892960b7fc73af470db7a4ffc2f68bb834eb3d0a874bbd12c"
 },
 "nunit": {
- "version": "3.15.4"
+ "version": "3.15.4",
+ "sha256": "356dab61433b5be76b76fd0e2e979bda56d164f6d85a900e55c3a4a5fffa28de"
 }
 }
 }
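Review bot: In install-python.sh, the digest on the `python2_pkg_sha256` line carries no record of where it came from, so a later reader cannot tell a published value from one computed off a single download. A comment above it such as `# SHA-256 of python-2.7.18-macosx10.9.pkg as fetched from python.org on <date>; recompute with: shasum -a 256 <pkg>` would make the pin re-derivable when it is next audited. The enclosing `if is_Monterey || is_BigSur` block closes outside the hunk.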
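Review bot: In `use_checksum_comparison` (utils.sh), `local_file_hash` is assigned without `local`, so it becomes a global in every script that sources the helper, unlike `file_path`, `checksum` and `sha_type` declared above it. The two failure messages are also written to stdout; sending them to stderr keeps them out of any output a caller captures. `sha_type` is forwarded to `shasum --algorithm` unchecked, and shasum accepts `1` (SHA-1) there; no caller in this commit passes a third argument, so restricting it to 256, 384 or 512 costs nothing. A sketch of the three changes follows.

```shell
use_checksum_comparison() {
  # … unchanged: file_path, checksum and sha_type locals …
  local local_file_hash

  case "$sha_type" in
    256 | 384 | 512) ;;
    *)
      echo "Unsupported SHA type: $sha_type" >&2
      exit 1
      ;;
  esac

  # … unchanged: banner and the -f test …
    echo "File not found: $file_path" >&2
  # … unchanged: exit, shasum call and comparison …
    echo "Checksum verification failed. Expected hash: $checksum; Actual hash: $local_file_hash." >&2
  # … unchanged: exit, else branch, closing fi and brace …
```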
diff --git a/images/macos/toolsets/toolset-14.json b/images/macos/toolsets/toolset-14.json
index dbe70586d..2158f4fb4 100644
--- a/images/macos/toolsets/toolset-14.json
+++ b/images/macos/toolsets/toolset-14.json
@@ -124,10 +124,12 @@
 },
 "mono": {
 "framework":{
- "version": "6.12.0.188"
+ "version": "6.12.0.188",
+ "sha256": "07cdd4e5e72b562892960b7fc73af470db7a4ffc2f68bb834eb3d0a874bbd12c"
 },
 "nunit": {
- "version": "3.15.4"
+ "version": "3.15.4",
+ "sha256": "356dab61433b5be76b76fd0e2e979bda56d164f6d85a900e55c3a4a5fffa28de"
 }
 }
 }