From 61b06f2c8e8dd5044f500db4979b8173c26eee68 Mon Sep 17 00:00:00 2001
From: Craig Comstock <craig.comstock@northern.tech>
Date: Wed, 25 Oct 2023 10:52:27 -0500
Subject: [PATCH] Added checksums for wix tools coming from sftp cache

Just to be sure if sftp cache is compromised, fail if checksums don't match.

Ticket: ENT-10801
Changelog: none
---
 build-scripts/package-msi | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/build-scripts/package-msi b/build-scripts/package-msi
index c333f6e6c..4d3868124 100755
--- a/build-scripts/package-msi
+++ b/build-scripts/package-msi
@@ -17,8 +17,13 @@ else
     echo '
 get /export/images/windows/wix310-binaries.zip
 get /export/images/windows/wine-folder.tar.xz
-'  |  sftp -i ~/.ssh/build_artifacts_cache.id_rsa -b - jenkins_sftp_cache@build-artifacts-cache.cloud.cfengine.com
+'  |  sftp -b - jenkins_sftp_cache@build-artifacts-cache.cloud.cfengine.com
 
+    # check checksums
+    sha256sum -c - <<EOF || exit 42
+493145b3fac22bdf8c55142a9f96ef8136d56b38d78a2322f13f1ba11f9cf2f8  wix310-binaries.zip
+3510fd8c4ecb4a9c479dfe43849183c666f9e41b019fc7135dc8735d0032d16e  wine-folder.tar.xz
+EOF
     # Install Wix tools
     mkdir -p "$WIXPATH"
     cd "$WIXPATH" || exit