Commit 26a8bee5 authored by Steve Azzopardi's avatar Steve Azzopardi

Add checksum checks for downloaded zip

We are downloading files from the internet during build time. We should
check the hash of each file we download to make sure the correct thing
is downloaded.
parent b92bfbaa
Pipeline #49897799 passed with stages
in 30 minutes and 26 seconds
......@@ -6,12 +6,18 @@ SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPref
ARG GIT_VERSION
ARG GIT_VERSION_BUILD
ARG GIT_256_CHECKSUM
ARG GIT_LFS_VERSION
ARG GIT_LFS_256_CHECKSUM
RUN Invoke-Webrequest "https://github.com/git-for-windows/git/releases/download/v${Env:GIT_VERSION}.windows.${Env:GIT_VERSION_BUILD}/MinGit-${Env:GIT_VERSION}-64-bit.zip" -OutFile git.zip -UseBasicParsing
RUN Expand-Archive -Path git.zip -DestinationPath git
RUN Invoke-Webrequest "https://github.com/git-lfs/git-lfs/releases/download/v${Env:GIT_LFS_VERSION}/git-lfs-windows-amd64-v${Env:GIT_LFS_VERSION}.zip" -OutFile git-lfs.zip -UseBasicParsing
COPY [".\\helpers\\checksum.ps1", ".\\"]
RUN powershell -File .\checksum.ps1 -TargetFile git.zip -ExpectedHash ${Env:GIT_256_CHECKSUM}
RUN powershell -File .\checksum.ps1 -TargetFile git-lfs.zip -ExpectedHash ${Env:GIT_LFS_256_CHECKSUM}
RUN Expand-Archive -Path git.zip -DestinationPath git
RUN Expand-Archive -Path git-lfs.zip -DestinationPath git-lfs
FROM mcr.microsoft.com/windows/nanoserver:1803
......
......@@ -6,12 +6,18 @@ SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPref
ARG GIT_VERSION
ARG GIT_VERSION_BUILD
ARG GIT_256_CHECKSUM
ARG GIT_LFS_VERSION
ARG GIT_LFS_256_CHECKSUM
RUN Invoke-Webrequest "https://github.com/git-for-windows/git/releases/download/v${Env:GIT_VERSION}.windows.${Env:GIT_VERSION_BUILD}/MinGit-${Env:GIT_VERSION}-64-bit.zip" -OutFile git.zip -UseBasicParsing
RUN Expand-Archive -Path git.zip -DestinationPath git
RUN Invoke-Webrequest "https://github.com/git-lfs/git-lfs/releases/download/v${Env:GIT_LFS_VERSION}/git-lfs-windows-amd64-v${Env:GIT_LFS_VERSION}.zip" -OutFile git-lfs.zip -UseBasicParsing
COPY [".\\helpers\\checksum.ps1", ".\\"]
RUN powershell -File .\checksum.ps1 -TargetFile git.zip -ExpectedHash ${Env:GIT_256_CHECKSUM}
RUN powershell -File .\checksum.ps1 -TargetFile git-lfs.zip -ExpectedHash ${Env:GIT_LFS_256_CHECKSUM}
RUN Expand-Archive -Path git.zip -DestinationPath git
RUN Expand-Archive -Path git-lfs.zip -DestinationPath git-lfs
FROM mcr.microsoft.com/windows/nanoserver:1809_amd64
......
param(
[string]$TargetFile,
[string]$ExpectedHash
)
$hash = Get-FileHash -Path $TargetFile -Algorithm SHA256
if (-not ($hash.Hash -eq $ExpectedHash)) {
Write-Warning "SHA256 checksum for $TargetFile is invalid"
exit 1
}
Write-Output "SHA256 checksum for $TargetFile is valid"
exit 0
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment