From 7fe17c761427b487b5b81414b894cb4d95a517c9 Mon Sep 17 00:00:00 2001 From: sergei-pyshnoi <121864472+sergei-pyshnoi@users.noreply.github.com> Date: Fri, 15 Dec 2023 16:44:17 +0100 Subject: [PATCH] [MacOS] Pin sha256 for xcode (#9007) * pin sha256 for xcode * add sha256 for xcode 15.1 --- images/macos/scripts/build/Install-Xcode.ps1 | 2 +- .../scripts/helpers/Xcode.Installer.psm1 | 13 ++++++++++-- images/macos/toolsets/toolset-11.json | 12 +++++------ images/macos/toolsets/toolset-12.json | 14 ++++++------- images/macos/toolsets/toolset-13.json | 21 ++++++++++--------- images/macos/toolsets/toolset-14.json | 8 +++---- 6 files changed, 40 insertions(+), 30 deletions(-) diff --git a/images/macos/scripts/build/Install-Xcode.ps1 b/images/macos/scripts/build/Install-Xcode.ps1 index 1e4edfc1f..6219becee 100644 --- a/images/macos/scripts/build/Install-Xcode.ps1 +++ b/images/macos/scripts/build/Install-Xcode.ps1 @@ -21,7 +21,7 @@ $xcodeVersions | ForEach-Object -ThrottleLimit $threadCount -Parallel { Import-Module "$env:HOME/image-generation/helpers/Common.Helpers.psm1" Import-Module "$env:HOME/image-generation/helpers/Xcode.Installer.psm1" -DisableNameChecking - Install-XcodeVersion -Version $_.version -LinkTo $_.link + Install-XcodeVersion -Version $_.version -LinkTo $_.link -Sha256Sum $_.sha256 Confirm-XcodeIntegrity -Version $_.link } diff --git a/images/macos/scripts/helpers/Xcode.Installer.psm1 b/images/macos/scripts/helpers/Xcode.Installer.psm1 index 9ce10ac62..0efb531ea 100644 --- a/images/macos/scripts/helpers/Xcode.Installer.psm1 +++ b/images/macos/scripts/helpers/Xcode.Installer.psm1 @@ -6,7 +6,9 @@ function Install-XcodeVersion { [Parameter(Mandatory)] [string] $Version, [Parameter(Mandatory)] - [string] $LinkTo + [string] $LinkTo, + [Parameter(Mandatory)] + [string] $Sha256Sum ) $xcodeDownloadDirectory = "$env:HOME/Library/Caches/XcodeInstall" 
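Review bot: The new `$Sha256Sum` parameter in the `@@ -6,7 +6,9 @@` hunk of Xcode.Installer.psm1 is typed `[string]` with no format check, so a truncated or mistyped pin in a toolset file is only reported as a checksum mismatch after the archive has been downloaded. Adding `[ValidatePattern('^[0-9A-Fa-f]{64}$')]` above `[string] $Sha256Sum` would reject a malformed value at parameter binding, before any network transfer. The body of Install-XcodeVersion continues outside the hunk, so how the value reaches the download step is not visible here.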
@@ -28,8 +30,15 @@ function Invoke-DownloadXcodeArchive { $tempXipDirectory = New-Item -Path $DownloadDirectory -Name "Xcode$Version" -ItemType "Directory" $xcodeFileName = 'Xcode-{0}.xip' -f $Version $xcodeUri = '{0}{1}?{2}'-f ${env:XCODE_INSTALL_STORAGE_URL}, $xcodeFileName, ${env:XCODE_INSTALL_SAS} - Invoke-DownloadWithRetry -Url $xcodeUri -Path (Join-Path $tempXipDirectory.FullName $xcodeFileName) | Out-Null + $xcodeFullPath = Join-Path $tempXipDirectory.FullName $xcodeFileName + Invoke-DownloadWithRetry -Url $xcodeUri -Path $xcodeFullPath | Out-Null + # Validating checksum + $xcodeSha256 = Get-FileHash -Path $xcodeFullPath -Algorithm SHA256 | Select-Object -ExpandProperty Hash + if ($xcodeSha256 -ne $Sha256Sum) { + throw "Xcode $Version checksum mismatch. Expected: $Sha256Sum, Actual: $xcodeSha256" + } + return $tempXipDirectory } diff --git a/images/macos/toolsets/toolset-11.json b/images/macos/toolsets/toolset-11.json index a7b656d94..d278f8ed8 100644 --- a/images/macos/toolsets/toolset-11.json +++ b/images/macos/toolsets/toolset-11.json 
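Review bot: The added comparison in Invoke-DownloadXcodeArchive reads `$Sha256Sum`, but no hunk in this patch adds that parameter to this function or passes it to it; only Install-XcodeVersion gains it. Unless the `param` block outside this hunk already declares it, the check appears to work through PowerShell's dynamic scoping from the caller, which is easy to break in a refactor. Declaring `[Parameter(Mandatory)] [string] $Sha256Sum` on Invoke-DownloadXcodeArchive and passing `-Sha256Sum $Sha256Sum` from the caller would make the dependency explicit. Separately, on mismatch the unverified archive stays in `$tempXipDirectory`; a `Remove-Item -Path $xcodeFullPath -Force` before the `throw` would avoid leaving it in the download cache.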
@@ -3,12 +3,12 @@
 "default": "13.2.1",
 "x64": {
 "versions": [
- { "link": "13.2.1", "version": "13.2.1+13C100", "symlinks": ["13.2"] },
- { "link": "13.1", "version": "13.1.0+13A1030d" },
- { "link": "13.0", "version": "13.0.0+13A233" },
- { "link": "12.5.1", "version": "12.5.1+12E507", "symlinks": ["12.5"] },
- { "link": "12.4", "version": "12.4.0+12D4e" },
- { "link": "11.7", "version": "11.7.0-GM+11E801a", "symlinks": ["11.7_beta"] }
+ { "link": "13.2.1", "version": "13.2.1+13C100", "symlinks": ["13.2"], "sha256": "D3BFCC6225D531587490C0DFC0926C80B7D50D17671DC8F25868F965F5D65F9D" },
+ { "link": "13.1", "version": "13.1.0+13A1030d", "sha256": "4EFDEEA0EEEDA1957BB394128CCCD1DAAC3CB0A3D074224E0FAB90855CCA09C4" },
+ { "link": "13.0", "version": "13.0.0+13A233", "sha256": "1D8257750A4E0333A2B372B32381BE5EC9B29704C8A0D44CE2E6D26D1CF4301E" },
+ { "link": "12.5.1", "version": "12.5.1+12E507", "symlinks": ["12.5"], "sha256": "2592BF58E654440B3DF7062219DBBD24BDF345FAE6BA000756D6D5B1166A7168" },
+ { "link": "12.4", "version": "12.4.0+12D4e", "sha256": "CC8D10155258F9DDAA5E422AB8F50E6058758C95208E58E59B5DB1DB033CE2FF" },
+ { "link": "11.7", "version": "11.7.0-GM+11E801a", "symlinks": ["11.7_beta"], "sha256": "A53FDEAB92326CD9BF93A1B5FAE01E3D658B04DA60DFF5DE74141CABA0808B03" }
 ]
 }
 },
diff --git a/images/macos/toolsets/toolset-12.json b/images/macos/toolsets/toolset-12.json
index 72e06fc76..8e9e51711 100644
--- a/images/macos/toolsets/toolset-12.json
+++ b/images/macos/toolsets/toolset-12.json
@@ -3,13 +3,13 @@
 "default": "14.2",
 "x64": {
 "versions": [
- { "link": "14.2", "version": "14.2.0+14C18", "install_runtimes": "true" },
- { "link": "14.1", "version": "14.1.0+14B47b", "install_runtimes": "true" },
- { "link": "14.0.1", "version": "14.0.1+14A400", "symlinks": ["14.0"], "install_runtimes": "true" },
- { "link": "13.4.1", "version": "13.4.1+13F100", "symlinks": ["13.4"] },
- { "link": "13.3.1", "version": "13.3.1+13E500a", "symlinks": ["13.3"] },
- { "link": "13.2.1", "version": "13.2.1+13C100", "symlinks": ["13.2"] },
- { "link": "13.1", "version": "13.1.0+13A1030d" }
+ { "link": "14.2", "version": "14.2.0+14C18", "install_runtimes": "true", "sha256": "686B9D53CA49E50D563BC0104B1E8B4F7CCFE80064A6D689965FB819BF8EFE72" },
+ { "link": "14.1", "version": "14.1.0+14B47b", "install_runtimes": "true", "sha256": "12F8A3AEF78BF354470AD8B351ADDD925C8EDAD888137D138CA50A8130EB9F2F" },
+ { "link": "14.0.1", "version": "14.0.1+14A400", "symlinks": ["14.0"], "install_runtimes": "true", "sha256": "EDB4DDCE02F92338E3D10B011FC86CD26520E3238585F06F3C182880DDD3B2AF" },
+ { "link": "13.4.1", "version": "13.4.1+13F100", "symlinks": ["13.4"], "sha256": "A1E0DBD6D5A96C4A6D3D63600B58486759AA836C2D9F7E8FA6D7DA4C7399638B" },
+ { "link": "13.3.1", "version": "13.3.1+13E500a", "symlinks": ["13.3"], "sha256": "D10B4644DB84BA43F7B18CE94FB3CA1ACD255D39781F4AF8FC88BD8581E08F97" },
+ { "link": "13.2.1", "version": "13.2.1+13C100", "symlinks": ["13.2"], "sha256": "D3BFCC6225D531587490C0DFC0926C80B7D50D17671DC8F25868F965F5D65F9D" },
+ { "link": "13.1", "version": "13.1.0+13A1030d", "sha256": "4EFDEEA0EEEDA1957BB394128CCCD1DAAC3CB0A3D074224E0FAB90855CCA09C4" }
 ]
 }
 },
diff --git a/images/macos/toolsets/toolset-13.json b/images/macos/toolsets/toolset-13.json
index c5efecde9..3a095d0e0 100644
--- a/images/macos/toolsets/toolset-13.json
+++ b/images/macos/toolsets/toolset-13.json
@@ -3,20 +3,21 @@
 "default": "14.3.1",
 "x64": {
 "versions": [
- { "link": "15.1", "version": "15.1.0+15C65", "install_runtimes": "true"},
- { "link": "15.0.1", "version": "15.0.1+15A507", "symlinks": ["15.0"], "install_runtimes": "true"},
- { "link": "14.3.1", "version": "14.3.1+14E300c","symlinks": ["14.3"], "install_runtimes": "true"},
- { "link": "14.2", "version": "14.2.0+14C18", "install_runtimes": "true"},
- { "link": "14.1", "version": "14.1.0+14B47b", "install_runtimes": "true"}
+ { "link": "15.1", "version": "15.1.0+15C65", "install_runtimes": "true", "sha256": "857D8DB537BAC82BF99DE0E1D3895D214D4D02101C1340CEF3DAF6E821BA1D05"},
+ { "link": "15.0.1", "version": "15.0.1+15A507", "symlinks": ["15.0"], "install_runtimes": "true", "sha256": "5AC17AE6060CAFC3C7112C6DA0B153450BE21F1DE6632777FBA9FBC9D999C9E8"},
+ { "link": "14.3.1", "version": "14.3.1+14E300c","symlinks": ["14.3"], "install_runtimes": "true", "sha256": "B5CC7BF37447C32A971B37D71C7DA1AF7ABB45CEE4B96FE126A1D3B0D2C260AF"},
+ { "link": "14.2", "version": "14.2.0+14C18", "install_runtimes": "true", "sha256": "686B9D53CA49E50D563BC0104B1E8B4F7CCFE80064A6D689965FB819BF8EFE72"},
+ { "link": "14.1", "version": "14.1.0+14B47b", "install_runtimes": "true", "sha256": "12F8A3AEF78BF354470AD8B351ADDD925C8EDAD888137D138CA50A8130EB9F2F"}
+
 ]
 },
 "arm64":{
 "versions": [
- { "link": "15.1", "version": "15.1.0+15C65", "install_runtimes": "true"},
- { "link": "15.0.1", "version": "15.0.1+15A507", "symlinks": ["15.0"], "install_runtimes": "true"},
- { "link": "14.3.1", "version": "14.3.1+14E300c","symlinks": ["14.3"], "install_runtimes": "true" },
- { "link": "14.2", "version": "14.2.0+14C18", "install_runtimes": "true" },
- { "link": "14.1", "version": "14.1.0+14B47b", "install_runtimes": "true" }
+ { "link": "15.1", "version": "15.1.0+15C65", "install_runtimes": "true", "sha256": "857D8DB537BAC82BF99DE0E1D3895D214D4D02101C1340CEF3DAF6E821BA1D05"},
+ { "link": "15.0.1", "version": "15.0.1+15A507", "symlinks": ["15.0"], "install_runtimes": "true", "sha256": "5AC17AE6060CAFC3C7112C6DA0B153450BE21F1DE6632777FBA9FBC9D999C9E8"},
+ { "link": "14.3.1", "version": "14.3.1+14E300c","symlinks": ["14.3"], "install_runtimes": "true", "sha256": "B5CC7BF37447C32A971B37D71C7DA1AF7ABB45CEE4B96FE126A1D3B0D2C260AF"},
+ { "link": "14.2", "version": "14.2.0+14C18", "install_runtimes": "true", "sha256": "686B9D53CA49E50D563BC0104B1E8B4F7CCFE80064A6D689965FB819BF8EFE72"},
+ { "link": "14.1", "version": "14.1.0+14B47b", "install_runtimes": "true", "sha256": "12F8A3AEF78BF354470AD8B351ADDD925C8EDAD888137D138CA50A8130EB9F2F"}
 ]
 }
 },
diff --git a/images/macos/toolsets/toolset-14.json b/images/macos/toolsets/toolset-14.json
index 2158f4fb4..f0bcd66fb 100644
--- a/images/macos/toolsets/toolset-14.json
+++ b/images/macos/toolsets/toolset-14.json
@@ -3,14 +3,14 @@
 "default": "15.0.1",
 "x64": {
 "versions": [
- { "link": "15.0.1", "version": "15.0.1+15A507", "symlinks": ["15.0"], "install_runtimes": "true"},
- { "link": "14.3.1", "version": "14.3.1+14E300c","symlinks": ["14.3"], "install_runtimes": "true"}
+ { "link": "15.0.1", "version": "15.0.1+15A507", "symlinks": ["15.0"], "install_runtimes": "true", "sha256": "5AC17AE6060CAFC3C7112C6DA0B153450BE21F1DE6632777FBA9FBC9D999C9E8"},
+ { "link": "14.3.1", "version": "14.3.1+14E300c","symlinks": ["14.3"], "install_runtimes": "true", "sha256": "B5CC7BF37447C32A971B37D71C7DA1AF7ABB45CEE4B96FE126A1D3B0D2C260AF"}
 ]
 },
 "arm64":{
 "versions": [
- { "link": "15.0.1", "version": "15.0.1+15A507", "symlinks": ["15.0"], "install_runtimes": "true"},
- { "link": "14.3.1", "version": "14.3.1+14E300c","symlinks": ["14.3"], "install_runtimes": "true"}
+ { "link": "15.0.1", "version": "15.0.1+15A507", "symlinks": ["15.0"], "install_runtimes": "true", "sha256": "5AC17AE6060CAFC3C7112C6DA0B153450BE21F1DE6632777FBA9FBC9D999C9E8"},
+ { "link": "14.3.1", "version": "14.3.1+14E300c","symlinks": ["14.3"], "install_runtimes": "true", "sha256": "B5CC7BF37447C32A971B37D71C7DA1AF7ABB45CEE4B96FE126A1D3B0D2C260AF"}
 ]
 }
 },