From b26c6b665bbd076c391e8274ac38c0b7c0d35cc8 Mon Sep 17 00:00:00 2001
From: Michele Locati
Date: Mon, 21 Oct 2024 09:03:06 +0200
Subject: [PATCH] Check hash of downloaded setup

---
 README.md  |  1 +
 action.yml | 25 ++++++++++++++++++++++++-
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 215c810..32202ec 100644
--- a/README.md
+++ b/README.md
@@ -28,6 +28,7 @@ Parameters
 | check-sig | true | Whether to check the setup.ini signature
 | add-to-path | true | Whether to add Cygwin's `/bin` directory to the system `PATH`
 | allow-test-packages | false | Consider package versions marked test for installation
+| check-hash | true | Whether to check the hash of the downloaded Cygwin installer.
 
 Line endings
 ------------
diff --git a/action.yml b/action.yml
index 7e2c458..ab1ba8c 100644
--- a/action.yml
+++ b/action.yml
@@ -33,11 +33,16 @@ inputs:
     description: Consider package versions marked test
     required: false
     default: false
+  check-hash:
+    description: Check the hash of the installer
+    required: false
+    default: 'true'
 
 runs:
   using: "composite"
   steps:
     - run: |
+        $ErrorActionPreference = 'Stop'
         $platform = '${{ inputs.platform }}'
         $platform = $platform -replace '^(x64|amd64)$', 'x86_64'
         $platform = $platform -replace '^i686$', 'x86'
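Review bot: The new `check-hash` input declares `default: 'true'` as a quoted string while the sibling `allow-test-packages` three lines above uses a bare `default: false`; the script consumes the value through `'${{ inputs.check-hash }}'.ToLower()` so either spelling works, but one convention should be used throughout the `inputs:` block. The description `Check the hash of the installer` says neither which hash nor what it is compared against, so a user cannot tell what guarantee they are opting into; something like `description: Verify the SHA-512 of the downloaded Cygwin installer against https://cygwin.com/sha512.sum` would make that explicit. The `run:` script that `$ErrorActionPreference = 'Stop'` opens continues past the end of this hunk.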
@@ -46,7 +51,25 @@ runs:
           echo "unknown platform $platform"
           exit 1
         }
-        Invoke-WebRequest https://cygwin.com/setup-$platform.exe -OutFile C:\setup.exe
+        $setupFileName = "setup-$platform.exe"
+        Invoke-WebRequest "https://cygwin.com/$setupFileName" -OutFile C:\setup.exe
+
+        if ('${{ inputs.check-hash }}'.ToLower() -in @('','true', 'yes', '1', 'on')) {
+          $actualHash = $(Get-FileHash -LiteralPath C:\setup.exe -Algorithm SHA512).Hash
+          $expectedHashLines = $(Invoke-WebRequest -Uri https://cygwin.com/sha512.sum).ToString() -split "`n"
+          foreach ($expectedHashLine in $expectedHashLines) {
+            if ($expectedHashLine -match "^(\S+)\s+(\S+)$") {
+              $expectedHash = $matches[1]
+              $expectedFileName = $matches[2]
+              if ($expectedFileName -ieq $setupFileName) {
+                if ($expectedHash -ine $actualHash) {
+                  throw "Invalid hash of the downloaded setup!`nExpected: $expectedHashLine`nActual : $actualHash $expectedFileName"
+                }
+                Write-Host "The downloaded file has the expected hash ($actualHash)"
+              }
+            }
+          }
+        }
 
         $packages = '${{ inputs.packages }}'
         $pkg_list = $packages.Split('', [System.StringSplitOptions]::RemoveEmptyEntries)
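Review bot: The verification passes silently when `sha512.sum` contains no line for `$setupFileName` — the `foreach` only throws on a mismatched entry, so an empty or reformatted response lets the step continue as if the hash had been checked, and the same happens if the file ever arrives with CRLF line endings, because `-split "`n"` leaves the `\r` on each line and `^(\S+)\s+(\S+)$` then matches nothing. Track whether an entry was matched and fail closed when none was, trimming each line before the match (rewritten loop below). It is also worth a comment next to the check that `sha512.sum` is fetched from the same origin over the same channel as the installer, so this catches a truncated or corrupted download or an out-of-sync mirror but not a compromised origin or TLS path; if the detached `.sig` cygwin.com publishes for the installer is usable here, verifying it against a pinned Cygwin key would be the stronger guarantee. Reading the body via `.Content` instead of `.ToString()` on the web response object makes the intent explicit. The `run:` script continues outside the hunk on both sides.

```powershell
# … unchanged: check-hash gate, $actualHash and $expectedHashLines …
$verified = $false
foreach ($expectedHashLine in $expectedHashLines) {
  # Trim() drops a trailing CR so CRLF content still matches the pattern
  if ($expectedHashLine.Trim() -match '^(\S+)\s+(\S+)$' -and $matches[2] -ieq $setupFileName) {
    $expectedHash = $matches[1]
    # … unchanged: throw on mismatch against $actualHash, Write-Host on success …
    $verified = $true
    break
  }
}
# Fail closed: no entry for the installer means nothing was verified
if (-not $verified) {
  throw "No entry for $setupFileName found in https://cygwin.com/sha512.sum"
}
```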