
Commit 4871529

build: add additional download checking for the image
Ensure that the downloaded image matches the expected image. This ensures that we catch download errors and also provides some level of security by requiring that the download checksum matches.
1 parent 67c67a0 commit 4871529


1 file changed

+31
-17
lines changed


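--- a/utils/build.ps1
+++ b/utils/build.ps1
@@ -42,12 +42,12 @@ An array of architectures for which the Swift SDK should be built.
 The product version to be used when building the installer.
 Supports semantic version strings.
 
-.PARAMETER PinnedBranch
-The branch for the snapshot to build the early components with.
-
-.PARAMETER PinnedToolchain
+.PARAMETER PinnedBuild
 The toolchain snapshot to build the early components with.
 
+.PARAMETER PinnedSHA256
+The SHA256 for the pinned toolchain.
+
 .PARAMETER WinSDKVersion
 The version number of the Windows SDK to be used.
 Overrides the value resolved by the Visual Studio command prompt.
@@ -93,8 +93,8 @@ param(
 [string] $SwiftDebugFormat = "dwarf",
 [string[]] $SDKs = @("X64","X86","Arm64"),
 [string] $ProductVersion = "0.0.0",
-[string] $PinnedBranch = "swift-5.9-release",
-[string] $PinnedToolchain = "swift-5.9-RELEASE",
+[string] $PinnedBuild = "https://download.swift.org/swift-5.9-release/windows10/swift-5.9-RELEASE/swift-5.9-RELEASE-windows10.exe",
+[string] $PinnedSHA256 = "EAB668ABFF903B4B8111FD27F49BAD470044B6403C6FA9CCD357AE831909856D",
 [string] $WinSDKVersion = "",
 [switch] $SkipBuild = $false,
 [switch] $SkipRedistInstall = $false,
@@ -217,6 +217,7 @@ function Get-InstallDir($Arch) {
 }
 
 $NugetRoot = "$BinaryCache\nuget"
+$PinnedToolchain = [IO.Path]::GetFileNameWithoutExtension($PinnedBuild)
 
 $LibraryRoot = "$ImageRoot\Library"
 $ToolchainInstallRoot = "$(Get-InstallDir $HostArch)\Toolchains\$ProductVersion+Asserts"
@@ -422,25 +423,38 @@ function Ensure-WindowsSDK {
 }
 
 function Ensure-SwiftToolchain($Arch) {
-if (Test-Path "$BinaryCache\toolchains\$PinnedToolchain\Library\Developer\Toolchains\unknown-Asserts-development.xctoolchain\usr\bin\swiftc.exe") {
-return
-}
-
 if (-not (Test-Path $BinaryCache\wix-4.0.1.zip)) {
+Write-Output "WiX not found. Downloading from nuget.org..."
 Invoke-Program curl.exe -sL https://www.nuget.org/api/v2/package/wix/4.0.1 --output $BinaryCache\wix-4.0.1.zip --create-dirs
 }
+
+if (-not $ToBatch) {
+$SHA256 = Get-FileHash -Path "$BinaryCache\wix-4.0.1.zip" -Algorithm SHA256
+if ($SHA256.Hash -ne "756AD3115F0CE808313266F4E401C0F520D319211DE0B9D8D7E7697020E0C461") {
+throw "WiX SHA256 mismatch ($($SHA256.Hash) vs 756AD3115F0CE808313266F4E401C0F520D319211DE0B9D8D7E7697020E0C461)"
+}
+}
+
 New-Item -ItemType Directory -ErrorAction Ignore $BinaryCache\wix-4.0.1 | Out-Null
+Write-Output "Extracting WiX..."
 Expand-Archive -Path $BinaryCache\wix-4.0.1.zip -Destination $BinaryCache\wix-4.0.1 -Force
 
-Write-Output "Swift toolchain not found. Downloading from swift.org..."
-$SwiftToolchainURL = "https://swift.org/builds/${PinnedBranch}/windows10/${PinnedToolchain}/${PinnedToolchain}-windows10.exe"
-New-Item -ItemType Directory -ErrorAction Ignore "$BinaryCache\toolchains" | Out-Null
-if (-not (Test-Path "$BinaryCache\toolchains\${PinnedToolchain}.exe")) {
-(New-Object Net.WebClient).DownloadFile($SwiftToolchainURL, "$BinaryCache\toolchains\${PinnedToolchain}.exe")
+if (-not (Test-Path "$BinaryCache\${PinnedToolchain}.exe")) {
+Write-Output "Swift toolchain not found. Downloading from swift.org..."
+(New-Object Net.WebClient).DownloadFile($PinnedBuild, "$BinaryCache\${PinnedToolchain}.exe")
+# Invoke-Program curl.exe -sL $PinnedBuild --output $BinaryCache\${PinnedToolchain}.exe --create-dirs
+}
+
+if (-not $ToBatch) {
+$SHA256 = Get-FileHash -Path "$BinaryCache\${PinnedToolchain}.exe" -Algorithm SHA256
+if ($SHA256.Hash -ne $PinnedSHA256) {
+throw "SHA256 mismatch ($($SHA256.Hash) vs ${PinnedSHA256})"
+}
 }
 
-Write-Output "Installing Swift toolchain..."
-Invoke-Program "$BinaryCache\wix-4.0.1\tools\net6.0\any\wix.exe" -- burn extract "$BinaryCache\toolchains\${PinnedToolchain}.exe" -out "$BinaryCache\toolchains\"
+New-Item -ItemType Directory -ErrorAction Ignore "$BinaryCache\toolchains" | Out-Null
+Write-Output "Extracting Swift toolchain..."
+Invoke-Program "$BinaryCache\wix-4.0.1\tools\net6.0\any\wix.exe" -- burn extract "$BinaryCache\${PinnedToolchain}.exe" -out "$BinaryCache\toolchains\"
 Invoke-Program -OutNull msiexec.exe /qn /a "$BinaryCache\toolchains\a0" TARGETDIR="$BinaryCache\toolchains\${PinnedToolchain}"
 Invoke-Program -OutNull msiexec.exe /qn /a "$BinaryCache\toolchains\a1" TARGETDIR="$BinaryCache\toolchains\${PinnedToolchain}"
 Invoke-Program -OutNull msiexec.exe /qn /a "$BinaryCache\toolchains\a2" TARGETDIR="$BinaryCache\toolchains\${PinnedToolchain}"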
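Review bot: The new SHA256 check on the toolchain (new lines 448–452) is skipped when `$ToBatch` is set, yet the `DownloadFile` call at new line 444 is not behind that guard, so in batch mode the installer is still fetched into `$BinaryCache` and the later `wix.exe burn extract` / `msiexec` steps are issued for a file that was never hashed. `Invoke-Program` is defined outside this section, so how it treats `$ToBatch` is an assumption here; if it only emits commands, the emitted batch script unpacks unverified content. The toolchain check can run unconditionally, since the file is always present by that point: drop the `if (-not $ToBatch) {` wrapper around `if ($SHA256.Hash -ne $PinnedSHA256) {`. Separately, a mismatching file stays in the cache and the `Test-Path` guard then suppresses any re-download, so naming the path in the `throw` message (or deleting the file before throwing) would keep the next run from failing the same way. `Ensure-SwiftToolchain` continues past the end of the section.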
