diff --git a/images/win/scripts/ImageHelpers/ImageHelpers.psm1 b/images/win/scripts/ImageHelpers/ImageHelpers.psm1 index f2ae79e4c..76c31bb1f 100644 --- a/images/win/scripts/ImageHelpers/ImageHelpers.psm1 +++ b/images/win/scripts/ImageHelpers/ImageHelpers.psm1 @@ -57,4 +57,5 @@ Export-ModuleMember -Function @( 'Get-ModuleVersionAsJob' 'Use-ChecksumComparison' 'Get-HashFromGitHubReleaseBody' + 'Test-FileSignature' ) diff --git a/images/win/scripts/ImageHelpers/InstallHelpers.ps1 b/images/win/scripts/ImageHelpers/InstallHelpers.ps1 index ffedcff5f..a40202530 100644 --- a/images/win/scripts/ImageHelpers/InstallHelpers.ps1 +++ b/images/win/scripts/ImageHelpers/InstallHelpers.ps1 @@ -29,7 +29,7 @@ function Install-Binary [Parameter(Mandatory, ParameterSetName="LocalPath")] [String] $FilePath, [String[]] $ArgumentList, - [String] $ExpectedSignature + [String[]] $ExpectedSignature ) if ($PSCmdlet.ParameterSetName -eq "LocalPath") @@ -47,14 +47,13 @@ function Install-Binary if ($ExpectedSignature) { Test-FileSignature -FilePath $filePath -ExpectedThumbprint $ExpectedSignature - } else { throw "ExpectedSignature parameter is specified, but no signature is provided." } } - + # MSI binaries should be installed via msiexec.exe $fileExtension = ([System.IO.Path]::GetExtension($Name)).Replace(".", "") if ($fileExtension -eq "msi") 
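Review bot: Verification in Install-Binary still appears to be opt-in. The `Test-FileSignature` call in the second InstallHelpers.ps1 hunk sits inside a guard that opens above the hunk, and the throw message suggests that guard only fires when `-ExpectedSignature` was bound. If so, a caller that omits the parameter installs the download with no Authenticode check and nothing in the build log to show it. Consider emitting `Write-Warning "No ExpectedSignature supplied for $Name; signature not verified"` on that path so unverified installs are visible and can later be turned into an error. Install-Binary's body starts and ends outside the hunk.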
@@ -722,18 +721,27 @@ function Test-FileSignature { [Parameter(Mandatory=$true)] [string]$FilePath, [Parameter(Mandatory=$true)] - [string]$ExpectedThumbprint + [string[]]$ExpectedThumbprint ) - + $signature = Get-AuthenticodeSignature $FilePath - + if ($signature.Status -ne "Valid") { throw "Signature status is not valid. Status: $($signature.Status)" } - - if ($signature.SignerCertificate.Thumbprint.Contains($ExpectedThumbprint) -ne $true) { - throw "Signature thumbprint do not match expected" + + foreach ($thumbprint in $ExpectedThumbprint) { + if ($signature.SignerCertificate.Thumbprint.Contains($thumbprint)) { + Write-Output "Signature for $FilePath is valid" + $signatureMatched = $true + return + } } - Write-Output "Signature for $FilePath is valid" + if ($signatureMatched) { + Write-Output "Signature for $FilePath is valid" + } + else { + throw "Signature thumbprint do not match expected." + } } diff --git a/images/win/scripts/ImageHelpers/VisualStudioHelpers.ps1 b/images/win/scripts/ImageHelpers/VisualStudioHelpers.ps1 index e68f76479..e02c52fad 100644 --- a/images/win/scripts/ImageHelpers/VisualStudioHelpers.ps1 +++ b/images/win/scripts/ImageHelpers/VisualStudioHelpers.ps1 @@ -28,7 +28,8 @@ Function Install-VisualStudio { [Parameter(Mandatory)] [String] $Edition, [Parameter(Mandatory)] [String] $Channel, [Parameter(Mandatory)] [String[]] $RequiredComponents, - [String] $ExtraArgs = "" + [String] $ExtraArgs = "", + [Parameter(Mandatory)] [String] $SignatureThumbprint ) $bootstrapperUrl = "https://aka.ms/vs/${Version}/${Channel}/vs_${Edition}.exe" 
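Review bot: The thumbprint comparison in the new `foreach` uses `String.Contains`, which is a substring match, so a fragment of the signer's thumbprint (for example a truncated value pasted into an installer script or toolset file) is accepted as a match. Compare whole values instead: `if ($ExpectedThumbprint -notcontains $signature.SignerCertificate.Thumbprint) { throw "Signature thumbprint do not match expected." }`, followed by the existing `Write-Output`. That also removes `$signatureMatched`, which is never read after a match because of the `return` inside the loop, so the `if ($signatureMatched)` success branch is unreachable.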
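Review bot: `$SignatureThumbprint` in Install-VisualStudio is declared as a single `[String]`, while `Test-FileSignature` now accepts `[string[]]`. The bootstrapper comes from an `aka.ms` channel URL, so its signing certificate may change between image builds; declaring `[Parameter(Mandatory)] [String[]] $SignatureThumbprint` would let the toolset list the old and new certificate during a rollover, as Install-Edge.ps1 does. Making the parameter mandatory also breaks any caller outside this diff that does not pass it, which is worth confirming. The comment added in the next hunk says "signed by Microsoft", but the check pins one certificate; `# Verify the bootstrapper against the pinned signer thumbprint` would be more accurate. The function body continues outside the hunk.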
@@ -40,6 +41,9 @@ Function Install-VisualStudio { $BootstrapperName = [IO.Path]::GetFileName($BootstrapperUrl) $bootstrapperFilePath = Start-DownloadWithRetry -Url $BootstrapperUrl -Name $BootstrapperName + # Verify that the bootstrapper is signed by Microsoft + Test-FileSignature -FilePath $bootstrapperFilePath -ExpectedThumbprint $SignatureThumbprint + try { Write-Host "Enable short name support on Windows needed for Xamarin Android AOT, defaults appear to have been changed in Azure VMs" $shortNameEnableProcess = Start-Process -FilePath fsutil.exe -ArgumentList ('8dot3name', 'set', '0') -Wait -PassThru @@ -124,4 +128,4 @@ function Get-VisualStudioComponents { (Get-VisualStudioInstance).Packages | Where-Object type -in 'Component', 'Workload' | Sort-Object Id, Version | Select-Object @{n = 'Package'; e = {$_.Id}}, Version | Where-Object { $_.Package -notmatch "[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}" } -} \ No newline at end of file +} diff --git a/images/win/scripts/Installers/Install-AWS.ps1 b/images/win/scripts/Installers/Install-AWS.ps1 index 0a319a3ec..347525439 100644 --- a/images/win/scripts/Installers/Install-AWS.ps1 +++ b/images/win/scripts/Installers/Install-AWS.ps1 @@ -10,7 +10,8 @@ Choco-Install -PackageName awscli # Install Session Manager Plugin for the AWS CLI $sessionManagerName = "SessionManagerPluginSetup.exe" $sessionManagerUrl = "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/windows/$sessionManagerName" -Install-Binary -Url $sessionManagerUrl -Name $sessionManagerName -ArgumentList ("/silent", "/install") +$sessionManagerSignatureThumbprint = "FF457E5732E98A9F156E657F8CC7C4432507C3BB" +Install-Binary -Url $sessionManagerUrl -Name $sessionManagerName -ArgumentList ("/silent", "/install") -ExpectedSignature $sessionManagerSignatureThumbprint $env:Path = $env:Path + ";$env:ProgramFiles\Amazon\SessionManagerPlugin\bin" # Install AWS SAM CLI 
diff --git a/images/win/scripts/Installers/Install-AzureCli.ps1 b/images/win/scripts/Installers/Install-AzureCli.ps1 index f5ef1724b..e3a02dac4 100644 --- a/images/win/scripts/Installers/Install-AzureCli.ps1 +++ b/images/win/scripts/Installers/Install-AzureCli.ps1 @@ -13,7 +13,8 @@ ${env:AZURE_CONFIG_DIR} = $azureCliConfigPath #temporary pin 2.52.0 version $azCliUrl = 'https://azcliprod.blob.core.windows.net/msi/azure-cli-2.52.0-x64.msi' -Install-Binary -Url $azCliUrl -Name 'azure-cli.msi' +$azCliSignatureThumbprint = "72105B6D5F370B62FD5C82F1512F7AD7DEE5F2C0" +Install-Binary -Url $azCliUrl -Name 'azure-cli.msi' -ExpectedSignature $azCliSignatureThumbprint $azureCliExtensionPath = Join-Path $Env:CommonProgramFiles 'AzureCliExtensionDirectory' $null = New-Item -ItemType 'Directory' -Path $azureCliExtensionPath diff --git a/images/win/scripts/Installers/Install-AzureCosmosDbEmulator.ps1 b/images/win/scripts/Installers/Install-AzureCosmosDbEmulator.ps1 index ba7922a73..697eaf853 100644 --- a/images/win/scripts/Installers/Install-AzureCosmosDbEmulator.ps1 +++ b/images/win/scripts/Installers/Install-AzureCosmosDbEmulator.ps1 @@ -5,7 +5,8 @@ $InstallerName = "AzureCosmosDBEmulator.msi" $InstallerUrl = "https://aka.ms/cosmosdb-emulator" +$SignatureThumbprint = "F372C27F6E052A6BE8BAB3112B465C692196CD6F" -Install-Binary -Url $InstallerUrl -Name $InstallerName +Install-Binary -Url $InstallerUrl -Name $InstallerName -ExpectedSignature $SignatureThumbprint -Invoke-PesterTests -TestFile "Tools" -TestName "Azure Cosmos DB Emulator" \ No newline at end of file +Invoke-PesterTests -TestFile "Tools" -TestName "Azure Cosmos DB Emulator" diff --git a/images/win/scripts/Installers/Install-BizTalkBuildComponent.ps1 b/images/win/scripts/Installers/Install-BizTalkBuildComponent.ps1 index 8f4462961..2dd4cbbf0 100644 --- a/images/win/scripts/Installers/Install-BizTalkBuildComponent.ps1 +++ b/images/win/scripts/Installers/Install-BizTalkBuildComponent.ps1 
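Review bot: The thumbprint `72105B6D5F370B62FD5C82F1512F7AD7DEE5F2C0` is hard-coded in Install-AzureCli.ps1 and repeated in Install-DACFx.ps1 and both toolset files. The same duplication applies to `2673EA6CC23BEFFDA49AC715B121544098A1284C` (Chrome, GoogleCloudCLI) and `ABDCA79AF9DD48A0EA702AD45260B3C03093FB4B` (NET48, VCRedist). When a vendor rotates its signing certificate, every copy has to be found and updated, and a missed one fails the image build. Consider keeping all pinned thumbprints in the toolset JSON, as PostgreSQL and Service Fabric already do. Alternatively, record next to each literal which certificate it identifies, e.g. `# Signer: <certificate subject>, valid until <date>`.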
@@ -73,6 +73,11 @@ Write-Host "Unzip $setupZipFile to $setupPath..." Extract-7Zip -Path $setupZipFile -DestinationPath $setupPath Remove-Item $setupZipFile +# Verify signature +$BuildComponentSignatureThumbprint = "8740DF4ACB749640AD318E4BE842F72EC651AD80" +Test-FileSignature -FilePath "$setupPath\Bootstrap.msi" -ExpectedThumbprint $BuildComponentSignatureThumbprint +Test-FileSignature -FilePath "$setupPath\BuildComponentSetup.msi" -ExpectedThumbprint $BuildComponentSignatureThumbprint + # Install Install-Msi -MsiPath "$setupPath\Bootstrap.msi" -LogPath "$setupPath\bootstrap.log" Install-Msi -MsiPath "$setupPath\BuildComponentSetup.msi" -LogPath "$setupPath\buildComponentSetup.log" @@ -80,4 +85,4 @@ Install-Msi -MsiPath "$setupPath\BuildComponentSetup.msi" -LogPath "$setupPath\ Remove-Item $setupPath -Recurse -Force # Test -Invoke-PesterTests -TestFile "BizTalk" -TestName "BizTalk Build Component Setup" \ No newline at end of file +Invoke-PesterTests -TestFile "BizTalk" -TestName "BizTalk Build Component Setup" diff --git a/images/win/scripts/Installers/Install-Choco.ps1 b/images/win/scripts/Installers/Install-Choco.ps1 index 4aa814a56..889c350d3 100644 --- a/images/win/scripts/Installers/Install-Choco.ps1 +++ b/images/win/scripts/Installers/Install-Choco.ps1 @@ -17,8 +17,11 @@ if ($userPath) { $env:Path = $systemPath } -# Run the installer -Invoke-Expression ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1')) +# Verify and run choco installer +$signatureThumbprint = "83AC7D88C66CB8680BCE802E0F0F5C179722764B" +$InstallScriptPath = Start-DownloadWithRetry -Url 'https://chocolatey.org/install.ps1' +Test-FileSignature -FilePath $InstallScriptPath -ExpectedThumbprint $signatureThumbprint +Invoke-Expression $InstallScriptPath # Turn off confirmation choco feature enable -n allowGlobalConfirmation diff --git a/images/win/scripts/Installers/Install-Chrome.ps1 b/images/win/scripts/Installers/Install-Chrome.ps1 index 486d4d76d..6ae1473e3 100644 
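Review bot: In Install-Choco.ps1, `Invoke-Expression $InstallScriptPath` re-parses the path string as PowerShell source instead of running the file that was just verified. A download directory containing spaces or characters such as `;` or `$` would make it fail or evaluate something other than the script. Use the call operator instead: `& $InstallScriptPath`. It is also worth confirming that Start-DownloadWithRetry, called here without `-Name`, saves the file with a `.ps1` extension; Get-AuthenticodeSignature presumably picks the signature format from the extension and would otherwise not report the script as `Valid`.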
--- a/images/win/scripts/Installers/Install-Chrome.ps1 +++ b/images/win/scripts/Installers/Install-Chrome.ps1 @@ -4,9 +4,10 @@ ################################################################################ # Download and install latest Chrome browser +$ChromeSignatureThumbprint = "2673EA6CC23BEFFDA49AC715B121544098A1284C" $ChromeInstallerFile = "googlechromestandaloneenterprise64.msi" $ChromeInstallerUrl = "https://dl.google.com/tag/s/dl/chrome/install/${ChromeInstallerFile}" -Install-Binary -Url $ChromeInstallerUrl -Name $ChromeInstallerFile -ArgumentList @() +Install-Binary -Url $ChromeInstallerUrl -Name $ChromeInstallerFile -ArgumentList @() -ExpectedSignature $ChromeSignatureThumbprint # Prepare firewall rules Write-Host "Adding the firewall rule for Google update blocking..." @@ -84,4 +85,4 @@ $PathValue = Get-ItemPropertyValue -Path $regEnvKey -Name 'Path' $PathValue += ";$ChromeDriverPath\" Set-ItemProperty -Path $regEnvKey -Name 'Path' -Value $PathValue -Invoke-PesterTests -TestFile "Browsers" -TestName "Chrome" \ No newline at end of file +Invoke-PesterTests -TestFile "Browsers" -TestName "Chrome" diff --git a/images/win/scripts/Installers/Install-CloudFoundryCli.ps1 b/images/win/scripts/Installers/Install-CloudFoundryCli.ps1 index 2bc7e4b0d..8b4416b17 100644 --- a/images/win/scripts/Installers/Install-CloudFoundryCli.ps1 +++ b/images/win/scripts/Installers/Install-CloudFoundryCli.ps1 @@ -20,4 +20,8 @@ Extract-7Zip -Path $CloudFoundryArchPath -DestinationPath $CloudFoundryCliPath # Add cf to path Add-MachinePathItem $CloudFoundryCliPath -Invoke-PesterTests -TestFile "CLI.Tools" -TestName "CloudFoundry CLI" \ No newline at end of file +# Validate cf signature +$CloudFoundrySignatureThumbprint = "4C69EDD13930ED01B83DD1D17B09C434DC1F2177" +Test-FileSignature -FilePath "$CloudFoundryCliPath\cf.exe" -ExpectedThumbprint $CloudFoundrySignatureThumbprint + +Invoke-PesterTests -TestFile "CLI.Tools" -TestName "CloudFoundry CLI" 
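Review bot: In Install-CloudFoundryCli.ps1 the signature check on `cf.exe` runs after `Add-MachinePathItem $CloudFoundryCliPath`, so on a mismatch the throw leaves an unverified binary already on the machine PATH. Move the two added lines above the `# Add cf to path` step, as Install-Firefox.ps1 does for geckodriver. Only `cf.exe` is checked; any other files extracted from the archive are not covered, which deserves a comment such as `# Only cf.exe is verified; other archive contents are not checked`.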
diff --git a/images/win/scripts/Installers/Install-DACFx.ps1 b/images/win/scripts/Installers/Install-DACFx.ps1 index 86695a559..087ae6336 100644 --- a/images/win/scripts/Installers/Install-DACFx.ps1 +++ b/images/win/scripts/Installers/Install-DACFx.ps1 @@ -5,7 +5,8 @@ $InstallerName = "DacFramework.msi" $InstallerUrl = "https://aka.ms/dacfx-msi" +$SignatureThumbprint = "72105B6D5F370B62FD5C82F1512F7AD7DEE5F2C0" -Install-Binary -Url $InstallerUrl -Name $InstallerName +Install-Binary -Url $InstallerUrl -Name $InstallerName -ExpectedSignature $SignatureThumbprint -Invoke-PesterTests -TestFile "Tools" -TestName "DACFx" \ No newline at end of file +Invoke-PesterTests -TestFile "Tools" -TestName "DACFx" diff --git a/images/win/scripts/Installers/Install-Edge.ps1 b/images/win/scripts/Installers/Install-Edge.ps1 index 5e5b42c3d..57ba8940e 100644 --- a/images/win/scripts/Installers/Install-Edge.ps1 +++ b/images/win/scripts/Installers/Install-Edge.ps1 @@ -26,6 +26,7 @@ Write-Host "Download Microsoft Edge WebDriver..." $EdgeDriverLatestVersion = Get-Content -Path $EdgeDriverVersionFile $EdgeDriverArchName = "edgedriver_win64.zip" + $EdgeDriverDownloadUrl = "https://msedgedriver.azureedge.net/${EdgeDriverLatestVersion}/${EdgeDriverArchName}" $EdgeDriverArchPath = Start-DownloadWithRetry -Url $EdgeDriverDownloadUrl -Name $EdgeDriverArchName @@ -33,6 +34,10 @@ $EdgeDriverArchPath = Start-DownloadWithRetry -Url $EdgeDriverDownloadUrl -Name Write-Host "Expand Microsoft Edge WebDriver archive..." Extract-7Zip -Path $EdgeDriverArchPath -DestinationPath $EdgeDriverPath +#Validate the EdgeDriver signature +$EdgeDriverSignatureThumbprint = ("7C94971221A799907BB45665663BBFD587BAC9F8", "70E52D50651BB9E8DC08DE566C4DD5713833B038") +Test-FileSignature -FilePath "$EdgeDriverPath\msedgedriver.exe" -ExpectedThumbprint $EdgeDriverSignatureThumbprint + Write-Host "Setting the environment variables..." setx EdgeWebDriver "$EdgeDriverPath" /M 
diff --git a/images/win/scripts/Installers/Install-Firefox.ps1 b/images/win/scripts/Installers/Install-Firefox.ps1 index f66a72e1b..ad91611eb 100644 --- a/images/win/scripts/Installers/Install-Firefox.ps1 +++ b/images/win/scripts/Installers/Install-Firefox.ps1 @@ -45,8 +45,12 @@ $GeckoDriverArchPath = Start-DownloadWithRetry -Url $GeckoDriverDownloadUrl -Nam Write-Host "Expand Gecko WebDriver archive..." Extract-7Zip -Path $GeckoDriverArchPath -DestinationPath $GeckoDriverPath +# Validate Gecko WebDriver signature +$GeckoDriverSignatureThumbprint = "1326B39C3D5D2CA012F66FB439026F7B59CB1974" +Test-FileSignature -FilePath "$GeckoDriverPath/geckodriver.exe" -ExpectedThumbprint $GeckoDriverSignatureThumbprint + Write-Host "Setting the environment variables..." Add-MachinePathItem -PathItem $GeckoDriverPath setx GeckoWebDriver "$GeckoDriverPath" /M -Invoke-PesterTests -TestFile "Browsers" -TestName "Firefox" \ No newline at end of file +Invoke-PesterTests -TestFile "Browsers" -TestName "Firefox" diff --git a/images/win/scripts/Installers/Install-GoogleCloudCLI.ps1 b/images/win/scripts/Installers/Install-GoogleCloudCLI.ps1 index fdb0b4f7c..8b793b3b7 100644 --- a/images/win/scripts/Installers/Install-GoogleCloudCLI.ps1 +++ b/images/win/scripts/Installers/Install-GoogleCloudCLI.ps1 @@ -6,6 +6,8 @@ # https://cloud.google.com/sdk/docs/downloads-interactive $googleCloudCLIInstaller = "https://dl.google.com/dl/cloudsdk/channels/rapid/GoogleCloudSDKInstaller.exe" $argumentList = @("/S", "/allusers", "/noreporting") -Install-Binary -Url $googleCloudCLIInstaller -Name "GoogleCloudSDKInstaller.exe" -ArgumentList $argumentList +$googleCloudCLISignatureThumbprint = "2673EA6CC23BEFFDA49AC715B121544098A1284C" + +Install-Binary -Url $googleCloudCLIInstaller -Name "GoogleCloudSDKInstaller.exe" -ArgumentList $argumentList -ExpectedSignature $googleCloudCLISignatureThumbprint Invoke-PesterTests -TestFile "Tools" -TestName "GoogleCloudCLI" 
diff --git a/images/win/scripts/Installers/Install-NET48-devpack.ps1 b/images/win/scripts/Installers/Install-NET48-devpack.ps1 index 33d4f355e..348924908 100644 --- a/images/win/scripts/Installers/Install-NET48-devpack.ps1 +++ b/images/win/scripts/Installers/Install-NET48-devpack.ps1 @@ -6,8 +6,9 @@ # .NET 4.8 Dev pack $InstallerName = "ndp48-devpack-enu.exe" $InstallerUrl = "https://download.visualstudio.microsoft.com/download/pr/014120d7-d689-4305-befd-3cb711108212/0307177e14752e359fde5423ab583e43/${InstallerName}" +$InstallerSignatureThumbprint = "C82273A065EC470FB1EBDE846A91E6FFB29E9C12" $ArgumentList = ("Setup", "/passive", "/norestart") -Install-Binary -Url $InstallerUrl -Name $InstallerName -ArgumentList $ArgumentList +Install-Binary -Url $InstallerUrl -Name $InstallerName -ArgumentList $ArgumentList -ExpectedSignature $InstallerSignatureThumbprint -Invoke-PesterTests -TestFile "Tools" -TestName "NET48" \ No newline at end of file +Invoke-PesterTests -TestFile "Tools" -TestName "NET48" diff --git a/images/win/scripts/Installers/Install-NET48.ps1 b/images/win/scripts/Installers/Install-NET48.ps1 index 4e4c507c0..271b11cd5 100644 --- a/images/win/scripts/Installers/Install-NET48.ps1 +++ b/images/win/scripts/Installers/Install-NET48.ps1 @@ -6,6 +6,7 @@ # .NET 4.8 Dev pack $InstallerName = "ndp48-x86-x64-allos-enu.exe" $InstallerUrl = "https://download.visualstudio.microsoft.com/download/pr/2d6bb6b2-226a-4baa-bdec-798822606ff1/8494001c276a4b96804cde7829c04d7f/${InstallerName}" +$InstallerSignatureThumbprint = "ABDCA79AF9DD48A0EA702AD45260B3C03093FB4B" $ArgumentList = ("Setup", "/passive", "/norestart") -Install-Binary -Url $InstallerUrl -Name $InstallerName -ArgumentList $ArgumentList +Install-Binary -Url $InstallerUrl -Name $InstallerName -ArgumentList $ArgumentList -ExpectedSignature $InstallerSignatureThumbprint 
diff --git a/images/win/scripts/Installers/Install-PostgreSQL.ps1 b/images/win/scripts/Installers/Install-PostgreSQL.ps1 index 38be7e00b..40fd2e00f 100644 --- a/images/win/scripts/Installers/Install-PostgreSQL.ps1 +++ b/images/win/scripts/Installers/Install-PostgreSQL.ps1 @@ -48,7 +48,7 @@ do { $ErrorActionPreference = $ErrorActionOldValue $InstallerName = $InstallerUrl.Split('/')[-1] $ArgumentList = ("--install_runtimes 0","--superpassword root","--enable_acledit 1","--unattendedmodeui none","--mode unattended") -Install-Binary -Url $InstallerUrl -Name $InstallerName -ArgumentList $ArgumentList +Install-Binary -Url $InstallerUrl -Name $InstallerName -ArgumentList $ArgumentList -ExpectedSignature (Get-ToolsetContent).postgresql.signature # Get Path to pg_ctl.exe $pgPath = (Get-CimInstance Win32_Service -Filter "Name LIKE 'postgresql-%'").PathName @@ -79,4 +79,4 @@ $pgService = Get-Service -Name postgresql* Stop-Service -InputObject $pgService Set-Service -InputObject $pgService -StartupType Disabled -Invoke-PesterTests -TestFile "Databases" -TestName "PostgreSQL" \ No newline at end of file +Invoke-PesterTests -TestFile "Databases" -TestName "PostgreSQL" diff --git a/images/win/scripts/Installers/Install-SQLPowerShellTools.ps1 b/images/win/scripts/Installers/Install-SQLPowerShellTools.ps1 index 37f5ece9b..1be0946a7 100644 --- a/images/win/scripts/Installers/Install-SQLPowerShellTools.ps1 +++ b/images/win/scripts/Installers/Install-SQLPowerShellTools.ps1 
@@ -4,16 +4,17 @@ ################################################################################ $BaseUrl = "https://download.microsoft.com/download/B/1/7/B1783FE9-717B-4F78-A39A-A2E27E3D679D/ENU/x64" +$SignatureThumbrint = "9ACA9419E53D3C9E56396DD2335FF683A8B0B8F3" # install required MSIs $SQLSysClrTypesName = "SQLSysClrTypes.msi" $SQLSysClrTypesUrl = "${BaseUrl}/${SQLSysClrTypesName}" -Install-Binary -Url $SQLSysClrTypesUrl -Name $SQLSysClrTypesName +Install-Binary -Url $SQLSysClrTypesUrl -Name $SQLSysClrTypesName -ExpectedSignature $SignatureThumbrint $SharedManagementObjectsName = "SharedManagementObjects.msi" $SharedManagementObjectsUrl = "${BaseUrl}/${SharedManagementObjectsName}" -Install-Binary -Url $SharedManagementObjectsUrl -Name $SharedManagementObjectsName +Install-Binary -Url $SharedManagementObjectsUrl -Name $SharedManagementObjectsName -ExpectedSignature $SignatureThumbrint $PowerShellToolsName = "PowerShellTools.msi" $PowerShellToolsUrl = "${BaseUrl}/${PowerShellToolsName}" -Install-Binary -Url $PowerShellToolsUrl -Name $PowerShellToolsName +Install-Binary -Url $PowerShellToolsUrl -Name $PowerShellToolsName -ExpectedSignature $SignatureThumbrint diff --git a/images/win/scripts/Installers/Install-ServiceFabricSDK.ps1 b/images/win/scripts/Installers/Install-ServiceFabricSDK.ps1 index 12c544ffd..abd3a0e99 100644 --- a/images/win/scripts/Installers/Install-ServiceFabricSDK.ps1 +++ b/images/win/scripts/Installers/Install-ServiceFabricSDK.ps1 
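Review bot: The new variable is spelled `$SignatureThumbrint` (missing "p") in its declaration and in all three `Install-Binary` calls. It works because the spelling is consistent, but a later edit that uses the correct spelling in one place would reference an unset variable. Rename it to `$SignatureThumbprint` to match the other installer scripts.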
@@ -15,11 +15,11 @@ $serviceFabricSDKVersion = (Get-ToolsetContent).serviceFabric.sdk.version $InstallerName = "MicrosoftServiceFabric.${serviceFabricRuntimeVersion}.exe" $InstallerUrl = "https://download.microsoft.com/download/b/8/a/b8a2fb98-0ec1-41e5-be98-9d8b5abf7856/${InstallerName}" $ArgumentList = ("/accepteula ","/quiet","/force") -Install-Binary -Url $InstallerUrl -Name $InstallerName -ArgumentList $ArgumentList +Install-Binary -Url $InstallerUrl -Name $InstallerName -ArgumentList $ArgumentList -ExpectedSignature (Get-ToolsetContent).serviceFabric.runtime.signature # Install Service Fabric SDK $InstallerName = "MicrosoftServiceFabricSDK.${serviceFabricSDKVersion}.msi" $InstallerUrl = "https://download.microsoft.com/download/b/8/a/b8a2fb98-0ec1-41e5-be98-9d8b5abf7856/${InstallerName}" -Install-Binary -Url $InstallerUrl -Name $InstallerName +Install-Binary -Url $InstallerUrl -Name $InstallerName -ExpectedSignature (Get-ToolsetContent).serviceFabric.sdk.signature -Invoke-PesterTests -TestFile "Tools" -TestName "ServiceFabricSDK" +Invoke-PesterTests -TestFile "Tools" -TestName "ServiceFabricSDK" diff --git a/images/win/scripts/Installers/Install-VCRedist.ps1 b/images/win/scripts/Installers/Install-VCRedist.ps1 index 41a62f7d2..46646fb09 100644 --- a/images/win/scripts/Installers/Install-VCRedist.ps1 +++ b/images/win/scripts/Installers/Install-VCRedist.ps1 
@@ -8,8 +8,9 @@ $vc2010x86URI = "https://download.microsoft.com/download/1/6/5/165255E7-1014-4D0 $vc2010x64Name = "vcredist_x64.exe" $vc2010x64URI = "https://download.microsoft.com/download/1/6/5/165255E7-1014-4D0A-B094-B6A430A6BFFC/${Vc2010x64Name}" $argumentList = ("/install", "/quiet", "/norestart") +$vcSignatureThumbprint = "ABDCA79AF9DD48A0EA702AD45260B3C03093FB4B" -Install-Binary -Url $vc2010x86URI -Name $vc2010x86Name -ArgumentList $argumentList -Install-Binary -Url $vc2010x64URI -Name $vc2010x64Name -ArgumentList $argumentList +Install-Binary -Url $vc2010x86URI -Name $vc2010x86Name -ArgumentList $argumentList -ExpectedSignature $vcSignatureThumbprint +Install-Binary -Url $vc2010x64URI -Name $vc2010x64Name -ArgumentList $argumentList -ExpectedSignature $vcSignatureThumbprint Invoke-PesterTests -TestFile "Tools" -TestName "VCRedist" diff --git a/images/win/scripts/Installers/Install-VS.ps1 b/images/win/scripts/Installers/Install-VS.ps1 index 707080f0e..b9865294e 100644 --- a/images/win/scripts/Installers/Install-VS.ps1 +++ b/images/win/scripts/Installers/Install-VS.ps1 @@ -11,7 +11,8 @@ Install-VisualStudio ` -Edition $toolset.visualStudio.edition ` -Channel $toolset.visualStudio.channel ` -RequiredComponents $toolset.visualStudio.workloads ` - -ExtraArgs "--allWorkloads --includeRecommended --remove Component.CPython3.x64" + -ExtraArgs "--allWorkloads --includeRecommended --remove Component.CPython3.x64" ` + -SignatureThumbprint $toolset.visualStudio.signature # Find the version of VS installed for this instance # Only supports a single instance 
@@ -30,25 +31,29 @@ $newContent = '{"Extensions":[{"Key":"1e906ff5-9da8-4091-a299-5c253c55fdc9","Val Set-Content -Path "$vsInstallRoot\Common7\IDE\Extensions\MachineState.json" -Value $newContent if (Test-IsWin19) { + # Install Windows 10 SDK version 10.0.14393.795 + $sdkSignatureThumbprint = "C91545B333C52C4465DE8B90A3FAF4E1D9C58DFA" $sdkUrl = "https://go.microsoft.com/fwlink/p/?LinkId=838916" $sdkFileName = "sdksetup14393.exe" $argumentList = ("/q", "/norestart", "/ceip off", "/features OptionId.WindowsSoftwareDevelopmentKit") - Install-Binary -Url $sdkUrl -Name $sdkFileName -ArgumentList $argumentList - + Install-Binary -Url $sdkUrl -Name $sdkFileName -ArgumentList $argumentList -ExpectedSignature $sdkSignatureThumbprint + # Install Windows 11 SDK version 10.0.22621.0 - $sdkUrl = "https://go.microsoft.com/fwlink/p/?linkid=2196241" - $sdkFileName = "sdksetup22621.exe" - $argumentList = ("/q", "/norestart", "/ceip off", "/features OptionId.UWPManaged OptionId.UWPCPP OptionId.UWPLocalized OptionId.DesktopCPPx86 OptionId.DesktopCPPx64 OptionId.DesktopCPParm64") - Install-Binary -Url $sdkUrl -Name $sdkFileName -ArgumentList $argumentList + $sdkSignatureThumbprint = "E4C5C5FCDB68B930EE4E19BC25D431EF6D864C51" + $sdkUrl = "https://go.microsoft.com/fwlink/p/?linkid=2196241" + $sdkFileName = "sdksetup22621.exe" + $argumentList = ("/q", "/norestart", "/ceip off", "/features OptionId.UWPManaged OptionId.UWPCPP OptionId.UWPLocalized OptionId.DesktopCPPx86 OptionId.DesktopCPPx64 OptionId.DesktopCPParm64") + Install-Binary -Url $sdkUrl -Name $sdkFileName -ArgumentList $argumentList -ExpectedSignature $sdkSignatureThumbprint } -if (Test-IsWin22) { +if (Test-IsWin22) { # Install Windows 10 SDK version 10.0.17763 + $sdkSignatureThumbprint = "7535269B94C1FEA4A5EF6D808E371DA242F27936" $sdkUrl = "https://go.microsoft.com/fwlink/p/?LinkID=2033908" $sdkFileName = "sdksetup17763.exe" $argumentList = ("/q", "/norestart", "/ceip off", "/features OptionId.UWPManaged OptionId.UWPCPP 
OptionId.UWPLocalized OptionId.DesktopCPPx86 OptionId.DesktopCPPx64 OptionId.DesktopCPParm64") - Install-Binary -Url $sdkUrl -Name $sdkFileName -ArgumentList $argumentList + Install-Binary -Url $sdkUrl -Name $sdkFileName -ArgumentList $argumentList -ExpectedSignature $sdkSignatureThumbprint } Invoke-PesterTests -TestFile "VisualStudio" diff --git a/images/win/scripts/Installers/Install-WDK.ps1 b/images/win/scripts/Installers/Install-WDK.ps1 index 04c13e187..345bbe541 100644 --- a/images/win/scripts/Installers/Install-WDK.ps1 +++ b/images/win/scripts/Installers/Install-WDK.ps1 @@ -8,10 +8,13 @@ if (Test-IsWin22) { # SDK available through Visual Studio $wdkUrl = "https://go.microsoft.com/fwlink/?linkid=2196230" $FilePath = "C:\Program Files (x86)\Windows Kits\10\Vsix\VS2022\*\WDK.vsix" + $wdkSignatureThumbprint = "DE2396BCEB7E3CD13BF3D370424A560F97CABDE7" } elseif (Test-IsWin19) { $winSdkUrl = "https://go.microsoft.com/fwlink/?linkid=2173743" $wdkUrl = "https://go.microsoft.com/fwlink/?linkid=2166289" $FilePath = "C:\Program Files (x86)\Windows Kits\10\Vsix\VS2019\WDK.vsix" + $wdkSignatureThumbprint = "914A09C2E02C696AF394048BCB8D95449BCD5B9E" + $winSdkSignatureThumbprint = "44796EB5BD439B4BFB078E1DC2F8345AE313CBB1" } else { throw "Invalid version of Visual Studio is found. Either 2019 or 2022 are required" } 
@@ -20,11 +23,11 @@ $argumentList = ("/features", "+", "/quiet") if (Test-IsWin19) { # `winsdksetup.exe /features + /quiet` installs all features without showing the GUI - Install-Binary -Url $winSdkUrl -Name "winsdksetup.exe" -ArgumentList $argumentList + Install-Binary -Url $winSdkUrl -Name "winsdksetup.exe" -ArgumentList $argumentList -ExpectedSignature $winSdkSignatureThumbprint } # `wdksetup.exe /features + /quiet` installs all features without showing the GUI -Install-Binary -Url $wdkUrl -Name "wdksetup.exe" -ArgumentList $argumentList +Install-Binary -Url $wdkUrl -Name "wdksetup.exe" -ArgumentList $argumentList -ExpectedSignature $wdkSignatureThumbprint # Need to install the VSIX to get the build targets when running VSBuild $FilePath = Resolve-Path -Path $FilePath diff --git a/images/win/scripts/Installers/Install-WebPlatformInstaller.ps1 b/images/win/scripts/Installers/Install-WebPlatformInstaller.ps1 index 90e102d00..c83dd458e 100644 --- a/images/win/scripts/Installers/Install-WebPlatformInstaller.ps1 +++ b/images/win/scripts/Installers/Install-WebPlatformInstaller.ps1 @@ -6,6 +6,7 @@ # Download and install WebPlatformInstaller $webPlatformInstallerFile = "WebPlatformInstaller_x64_en-US.msi" $webPlatformInstallerUrl = "http://go.microsoft.com/fwlink/?LinkId=287166" -Install-Binary -Url $webPlatformInstallerUrl -Name $webPlatformInstallerFile +$webPlatformInstallerSignatureThumbprint = "C3A3D43788E7ABCD287CB4F5B6583043774F99D2" +Install-Binary -Url $webPlatformInstallerUrl -Name $webPlatformInstallerFile -ExpectedSignature $webPlatformInstallerSignatureThumbprint -Invoke-PesterTests -TestFile "Tools" -TestName "WebPlatformInstaller" \ No newline at end of file +Invoke-PesterTests -TestFile "Tools" -TestName "WebPlatformInstaller" diff --git a/images/win/scripts/Installers/Install-WinAppDriver.ps1 b/images/win/scripts/Installers/Install-WinAppDriver.ps1 index 3a503b8b7..cdd34079e 100644 --- a/images/win/scripts/Installers/Install-WinAppDriver.ps1 
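Review bot: In Install-WebPlatformInstaller.ps1, `$webPlatformInstallerUrl` on the context line still uses plain `http://`, so the MSI is fetched over an unauthenticated channel and the new thumbprint check is the only integrity control. Changing it to `$webPlatformInstallerUrl = "https://go.microsoft.com/fwlink/?LinkId=287166"` keeps transport protection as a second layer, assuming the redirect serves the same file over HTTPS. The signature check would then act as defence in depth and no longer be the sole safeguard.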
+++ b/images/win/scripts/Installers/Install-WinAppDriver.ps1 @@ -6,8 +6,9 @@ $LatestReleaseUrl = 'https://api.github.com/repos/microsoft/WinAppDriver/releases/latest' $InstallerUrl = (Invoke-RestMethod -Uri $LatestReleaseUrl).assets.browser_download_url $InstallerName = "WindowsApplicationDriver.msi" +$InstallerSignatureThumbprint = "2485A7AFA98E178CB8F30C9838346B514AEA4769" [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -Install-Binary -Url $InstallerUrl -Name $InstallerName +Install-Binary -Url $InstallerUrl -Name $InstallerName -ExpectedSignature $InstallerSignatureThumbprint Invoke-PesterTests -TestFile "WinAppDriver" -TestName "WinAppDriver" diff --git a/images/win/toolsets/toolset-2019.json b/images/win/toolsets/toolset-2019.json index 823b25f10..c8f29f715 100644 --- a/images/win/toolsets/toolset-2019.json +++ b/images/win/toolsets/toolset-2019.json @@ -267,6 +267,7 @@ "subversion" : "16", "edition" : "Enterprise", "channel": "release", + "signature": "72105B6D5F370B62FD5C82F1512F7AD7DEE5F2C0", "workloads": [ "Component.Dotfuscator", "Component.Linux.CMake", @@ -412,10 +413,12 @@ }, "serviceFabric": { "runtime": { - "version": "9.1.1436.9590" + "version": "9.1.1436.9590", + "signature": "AFBF0B8B6A18F7E23CCA1DDCD0AC1A55B4035173" }, "sdk": { - "version": "6.1.1436" + "version": "6.1.1436", + "signature": "AFBF0B8B6A18F7E23CCA1DDCD0AC1A55B4035173" } }, "dotnet": { @@ -478,7 +481,8 @@ "version": "16" }, "postgresql": { - "version": "14" + "version": "14", + "signature": "698BA51AA27CC31282AACA5055E4B9190BC6C0E9" }, "kotlin": { "version": "latest", diff --git a/images/win/toolsets/toolset-2022.json b/images/win/toolsets/toolset-2022.json index 1a9625cd5..a85dd6ee7 100644 --- a/images/win/toolsets/toolset-2022.json +++ b/images/win/toolsets/toolset-2022.json 
@@ -177,6 +177,7 @@ "subversion" : "17", "edition" : "Enterprise", "channel": "release", + "signature": "72105B6D5F370B62FD5C82F1512F7AD7DEE5F2C0", "workloads": [ "Component.Dotfuscator", "Component.Linux.CMake", @@ -353,10 +354,12 @@ }, "serviceFabric": { "runtime": { - "version": "9.1.1436.9590" + "version": "9.1.1436.9590", + "signature": "AFBF0B8B6A18F7E23CCA1DDCD0AC1A55B4035173" }, "sdk": { - "version": "6.1.1436" + "version": "6.1.1436", + "signature": "AFBF0B8B6A18F7E23CCA1DDCD0AC1A55B4035173" } }, "dotnet": { @@ -418,7 +421,8 @@ "version": "8.2" }, "postgresql": { - "version": "14" + "version": "14", + "signature": "698BA51AA27CC31282AACA5055E4B9190BC6C0E9" }, "kotlin": { "version": "latest",