From ae487529f383479af89499cea4548c1d89d9ffb0 Mon Sep 17 00:00:00 2001
From: Erik Bershel <110455084+erik-bershel@users.noreply.github.com>
Date: Wed, 4 Oct 2023 14:58:45 +0200
Subject: [PATCH] [Windows] Add checksum validation for Stack (#8403)
---
 images/win/scripts/Installers/Install-Stack.ps1 | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/images/win/scripts/Installers/Install-Stack.ps1 b/images/win/scripts/Installers/Install-Stack.ps1
index d1e53ed5b..95cb35a28 100644
--- a/images/win/scripts/Installers/Install-Stack.ps1
+++ b/images/win/scripts/Installers/Install-Stack.ps1
@@ -1,6 +1,7 @@
 ################################################################################
 ## File: Install-Stack.ps1
 ## Desc: Install Stack for Windows
+## Supply chain security: Stack - checksum validation
 ################################################################################
 Write-Host "Get the latest Stack version..."
@@ -14,6 +15,13 @@ $StackToolcachePath = Join-Path $Env:AGENT_TOOLSDIRECTORY "stack\$Version"
 $DestinationPath = Join-Path $StackToolcachePath "x64"
 $StackArchivePath = Start-DownloadWithRetry -Url $DownloadUrl
+#region Supply chain security - Stack
+$fileHash = (Get-FileHash -Path $StackArchivePath -Algorithm SHA256).Hash
+$hashUrl = $StackReleasesJson.assets | Where-Object { $_.name.EndsWith("$DownloadFilePattern.sha256") } | Select-Object -ExpandProperty "browser_download_url" -First 1
+$externalHash = (Invoke-RestMethod -Uri $hashURL).ToString().Split("`n").Where({ $_ -ilike "*$DownloadFilePattern*" }).Split(' ')[0]
+Use-ChecksumComparison $fileHash $externalHash
+#endregion
+
 Write-Host "Expand stack archive"
 Extract-7Zip -Path $StackArchivePath -DestinationPath $DestinationPath
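Review bot: In the second hunk nothing checks that `$externalHash` was actually obtained before `Use-ChecksumComparison` runs: if no `.sha256` asset matches, or no line of the checksum file contains `$DownloadFilePattern`, the value ends up empty, and whether the helper (defined outside this hunk) then fails closed is not visible here. A guard placed just before the comparison, such as `if ($externalHash -notmatch '^[0-9a-fA-F]{64}$') { throw "Stack: no valid SHA256 found in release checksum file" }`, would make the step fail closed regardless of how the helper treats an empty value. The `#region` comment should also state that the expected hash is fetched from the same GitHub release as the archive, so the check detects a corrupted or swapped download but not a release in which both assets were replaced. `$hashUrl` is assigned but read back as `$hashURL`; PowerShell variable names are case-insensitive so this works, but a single spelling is easier to search for.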