From 617431d010db023e21c63fda3795947b905854cc Mon Sep 17 00:00:00 2001
From: Scott Fryer <60462088+steelhead31@users.noreply.github.com>
Date: Fri, 13 Sep 2024 11:18:46 +0100
Subject: [PATCH] Docker: Include checksum validation for Cygwin & Ansible Downloads (#3730)
* WindowsPB: Add Cygwin Download Validation
* Docker: Update Windows Dockerfile to verify downloads.
* Test
---
 ansible/docker/Dockerfile.win2022 | 32 ++++++++++++++++---
 .../roles/cygwin/tasks/main.yml | 4 +++
 2 files changed, 32 insertions(+), 4 deletions(-)
diff --git a/ansible/docker/Dockerfile.win2022 b/ansible/docker/Dockerfile.win2022
index 94f4b6e628..3674a2f145 100644
--- a/ansible/docker/Dockerfile.win2022
+++ b/ansible/docker/Dockerfile.win2022
@@ -3,17 +3,41 @@ FROM mcr.microsoft.com/windows/servercore:ltsc2022
 # Specify this with --build-arg PW=SomePassword
 ARG PW=T3mp=Passwd
+# Download Cygwin Bootstrapper & Verify Its Checksum
+RUN powershell -Command \
+ "wget -UseBasicParsing https://cygwin.com/setup-x86_64.exe -OutFile setup-x86_64.exe; \
+ $expectedChecksum = 'e7815d360ab098fdd1f03f10f43f363c73a632e8866e304c72573cf1e6a0dec8'; \
+ $fileChecksum = CertUtil -hashfile setup-x86_64.exe SHA256 | Select-String -Pattern '([A-Fa-f0-9]{64})' | ForEach-Object { $_.Matches[0].Groups[1].Value }; \
+ if ($fileChecksum -ne $expectedChecksum) { \
+ Write-Host 'Checksum verification failed!' -ForegroundColor Red; \
+ Remove-Item setup-x86_64.exe; \
+ exit 1; \
+ } else { \
+ Write-Host 'Checksum verification succeeded!' -ForegroundColor Green; \
+ }"
+
 # Set up cygwin with git and ansible as a bootstrap, and add to system default path
-RUN powershell wget -UseBasicParsing https://cygwin.com/setup-x86_64.exe -OutFile setup-x86_64.exe & \
- setup-x86_64.exe --packages git,ansible --download --local-install --delete-orphans --site https://mirrors.kernel.org/sourceware/cygwin --local-package-dir c:\cygwin_packages --root C:\cygwin64 --wait --quiet-mode & \
+RUN setup-x86_64.exe --packages git,ansible --download --local-install --delete-orphans --site https://mirrors.kernel.org/sourceware/cygwin --local-package-dir c:\cygwin_packages --root C:\cygwin64 --wait --quiet-mode & \
 C:\cygwin64\bin\git config --system core.autocrlf false & \
 del setup-x86_64.exe & \
 setx PATH "c:\cygwin64\bin;%PATH%" & \
 mkdir c:\temp
+# Download Ansible Config Script & Verify Its Checksum
+RUN powershell -Command \
+ "wget https://raw.githubusercontent.com/ansible/ansible/dd4c56e4d68664e4a50292aa19ea61b15c92287c/examples/scripts/ConfigureRemotingForAnsible.ps1 -OutFile ConfigureRemotingForAnsible.ps1; \
+ $expectedChecksum = '201ad16584f79292044dc21c78c6688dce07f94d769f5e69631b46c3c13036fc'; \
+ $fileChecksum = CertUtil -hashfile 
ConfigureRemotingForAnsible.ps1 SHA256 | Select-String -Pattern '([A-Fa-f0-9]{64})' | ForEach-Object { $_.Matches[0].Groups[1].Value }; \
+ if ($fileChecksum -ne $expectedChecksum) { \
+ Write-Host 'Checksum verification failed!' -ForegroundColor Red; \
+ Remove-Item ConfigureRemotingForAnsible.ps1; \
+ exit 1; \
+ } else { \
+ Write-Host 'Checksum verification succeeded!' -ForegroundColor Green; \
+ }"
+
 # Set up WinRM for the ansible connection
-RUN powershell wget -UseBasicParsing https://raw.githubusercontent.com/ansible/ansible/dd4c56e4d68664e4a50292aa19ea61b15c92287c/examples/scripts/ConfigureRemotingForAnsible.ps1 -OutFile ConfigureRemotingForAnsible.ps1 & \
- PowerShell .\ConfigureRemotingForAnsible.ps1 -CertValidityDays 9999 & \
+RUN PowerShell .\ConfigureRemotingForAnsible.ps1 -CertValidityDays 9999 & \
 PowerShell .\ConfigureRemotingForAnsible.ps1 -EnableCredSSP & \
 PowerShell .\ConfigureRemotingForAnsible.ps1 -ForceNewSSLCert & \
 PowerShell .\ConfigureRemotingForAnsible.ps1 -SkipNetworkProfileCheck
diff --git a/ansible/playbooks/AdoptOpenJDK_Windows_Playbook/roles/cygwin/tasks/main.yml b/ansible/playbooks/AdoptOpenJDK_Windows_Playbook/roles/cygwin/tasks/main.yml
index fdde87f728..2c129f8a0e 100644
--- a/ansible/playbooks/AdoptOpenJDK_Windows_Playbook/roles/cygwin/tasks/main.yml
+++ b/ansible/playbooks/AdoptOpenJDK_Windows_Playbook/roles/cygwin/tasks/main.yml
@@ -12,7 +12,11 @@ win_get_url:
 url: https://cygwin.com/setup-x86_64.exe
 dest: C:\temp\cygwin.exe
+ force: no
+ checksum: e7815d360ab098fdd1f03f10f43f363c73a632e8866e304c72573cf1e6a0dec8
+ checksum_algorithm: sha256
 when: not cygwin_installed.stat.exists
+ register: cygwin_download
 tags: cygwin # If you update this with a new package, modify the "Test
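Review bot: The failure branch in both new `RUN powershell -Command` blocks prints only `'Checksum verification failed!'` and discards the values that would explain the mismatch; because `https://cygwin.com/setup-x86_64.exe` is an unversioned URL, the pinned hash is expected to go stale when a new bootstrapper is published, and the build will then fail with no indication of which hash was actually observed. Changing that line to `Write-Host ('Checksum verification failed! expected {0} got {1}' -f $expectedChecksum, $fileChecksum) -ForegroundColor Red; \` keeps the fail-closed behaviour while making the rotation obvious (the single-quoted format string avoids nesting double quotes inside the `-Command` argument); the same applies to the Ansible-script block. The identical expected value is pinned a second time in `ansible/playbooks/AdoptOpenJDK_Windows_Playbook/roles/cygwin/tasks/main.yml` in this commit, so a comment beside each copy, e.g. `# Keep in sync with ansible/playbooks/AdoptOpenJDK_Windows_Playbook/roles/cygwin/tasks/main.yml`, would stop the two from drifting. Separately, the Ansible-script download drops the `-UseBasicParsing` that the removed line and the Cygwin block both pass; on Server Core `Invoke-WebRequest` without it can presumably fail on the Internet Explorer engine check, so restoring it for consistency seems worthwhile.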