switched to hash validation instead of 7-zip testing, fixes #148

CHANGELOG.md

@@ -1,5 +1,10 @@
 # Changelog
 
+## January 2020
+
+- [Added] Hash values of Sitecore downloads are now validated before being used. If a file hash does not match the expected value, the build will fail with a message explaining what happened and how to resolve. See [#148](https://github.com/Sitecore/docker-images/issues/148). Thanks [@michaellwest](https://github.com/michaellwest) :+1:
+- [Changed] 7-zip is removed from the `sitecore-assets` images since it was only used for validating Sitecore downloads which is now done by validating file hashes instead.
+
 ## December 2019
 
 - [Changed] Added `.gitkeep` to `$DefaultExcludedFiles` parameter in `Watch-Directory.ps1`.

modules/SitecoreImageBuilder/SitecoreImageBuilder.psm1

@@ -39,13 +39,11 @@ function Invoke-PackageRestore
     $ProgressPreference = "SilentlyContinue"
 
     $sitecoreDownloadUrl = "https://dev.sitecore.net"
-
-    # Load packages file
-    $packagesFile = Get-Item -Path (Join-Path $PSScriptRoot "..\..\sitecore-packages.json")
-    $packages = $packagesFile | Get-Content | ConvertFrom-Json
-
     $destinationPath = $Destination.TrimEnd('\')
 
+    # Load packages
+    $packages = $packages = Get-Packages
+
     # Ensure destination exists
     if (!(Test-Path $destinationPath -PathType "Container"))
     {
@@ -80,7 +78,7 @@ function Invoke-PackageRestore
 
         if ($null -eq $package)
         {
-            throw ("Required package '{0}' was not defined in '{1}' so it can't be downloaded, please add the package ' { 2 }' manually." -f $fileName, $packagesFile.FullName, $filePath)
+            throw ("Required package '{0}' was not defined in 'sitecore-packages.json' so it can't be downloaded, please add the package ' {1}' manually." -f $fileName, $filePath)
         }
 
         $fileUrl = $package.url
@@ -172,12 +170,18 @@ function Invoke-Build
         [Parameter(Mandatory = $false)]
         [ValidateSet("Always", "Never")]
         [string]$PullMode = "Always"
+        ,
+        [Parameter(Mandatory = $false)]
+        [switch]$SkipHashValidation
     )
 
     # Setup
     $ErrorActionPreference = "STOP"
     $ProgressPreference = "SilentlyContinue"
 
+    # Load packages
+    $packages = $packages = Get-Packages
+
     # Find out what to build
     $specs = Initialize-BuildSpecifications -Specifications (Get-BuildSpecifications -Path $Path -AutoGenerateWindowsVersionTags $AutoGenerateWindowsVersionTags) -InstallSourcePath $InstallSourcePath -Tags $Tags -ImplicitTagsBehavior $ImplicitTagsBehavior -DeprecatedTagsBehavior $DeprecatedTagsBehavior -ExperimentalTagBehavior $ExperimentalTagBehavior
 
@@ -241,25 +245,56 @@ function Invoke-Build
                 $previousDigest = (docker image inspect $tag) | ConvertFrom-Json | ForEach-Object { $_.Id }
             }
 
-            # Copy license.xml and any missing source files into build context
+            # Copy any missing source files into build context
             $spec.Sources | ForEach-Object {
                 $sourcePath = $_
 
-                # continue if source file doesn't exist
+                # Continue if source file doesn't exist
                 if (!(Test-Path $sourcePath))
                 {
-                    Write-Warning "Source file '$sourcePath' is missing..."
+                    Write-Warning "Optional source file '$sourcePath' is missing..."
 
                     return
                 }
 
                 $sourceItem = Get-Item -Path $sourcePath
                 $targetPath = Join-Path $spec.Path $sourceItem.Name
 
+                # Copy if target doesn't exist. Legacy support: Always copy if the source is license.xml.
                 if (!(Test-Path -Path $targetPath) -or ($sourceItem.Name -eq "license.xml"))
                 {
                     Copy-Item $sourceItem -Destination $targetPath -Verbose:$VerbosePreference
                 }
+
+                # Check to see if we can lookup the hash of the source filename in sitecore-packages.json
+                if (!$SkipHashValidation.IsPresent)
+                {
+                    $package = $packages."$($sourceItem.Name)"
+
+                    if ($null -ne $package -and ![string]::IsNullOrEmpty($package.hash))
+                    {
+                        $exceptedTargetFileHash = $package.hash
+
+                        # Calculate hash of target file
+                        $currentTargetFileHash = Get-FileHash -Path $targetPath -Algorithm "SHA256" | Select-Object -ExpandProperty "Hash"
+
+                        # Compare hashes and fail if not the same
+                        if ($currentTargetFileHash -eq $exceptedTargetFileHash)
+                        {
+                            Write-Host ("### Hash of '{0}' is valid." -f $sourceItem.Name)
+                        }
+                        else
+                        {
+                            Remove-Item -Path $targetPath -Force -Verbose:$VerbosePreference
+
+                            throw ("Hash of '{0}' is invalid:`n Expected: {1}`n Current : {2}`nThe target file '{3}' was deleted, please also delete the source file '{4}', re-download and try again." -f $sourceItem.Name, $exceptedTargetFileHash, $currentTargetFileHash, $targetPath, $sourceItem.FullName)
+                        }
+                    }
+                    else
+                    {
+                        Write-Verbose ("Skipping hash validation on '{0}', package was not found or no hash was defined." -f $sourceItem.Name)
+                    }
+                }
             }
 
             # Build image
@@ -804,3 +839,14 @@ function Get-LatestSupportedVersionTags
     Write-Output ("*:{0}*{1}" -f $latest.Sitecore, $latest.NanoServer)
     Write-Output ("*:{0}*{1}" -f $latest.Redis, $latest.WindowsServerCore)
 }
+
+function Get-Packages
+{
+    [CmdletBinding()]
+    param()
+
+    $packagesFile = Get-Item -Path (Join-Path $PSScriptRoot "..\..\sitecore-packages.json")
+    $packages = $packagesFile | Get-Content | ConvertFrom-Json
+
+    Write-Output $packages
+}