From b26c6b665bbd076c391e8274ac38c0b7c0d35cc8 Mon Sep 17 00:00:00 2001
From: Michele Locati
Date: Mon, 21 Oct 2024 09:03:06 +0200
Subject: [PATCH 1/4] Check hash of downloaded setup
---
 README.md | 1 +
 action.yml | 25 ++++++++++++++++++++++++-
 2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 215c810..32202ec 100644
--- a/README.md
+++ b/README.md
@@ -28,6 +28,7 @@ Parameters
 | check-sig | true | Whether to check the setup.ini signature
 | add-to-path | true | Whether to add Cygwin's `/bin` directory to the system `PATH`
 | allow-test-packages | false | Consider package versions marked test for installation
+| check-hash | true | Whether to check the hash of the downloaded Cygwin installer.
 Line endings
 ------------
diff --git a/action.yml b/action.yml
index 7e2c458..ab1ba8c 100644
--- a/action.yml
+++ b/action.yml
@@ -33,11 +33,16 @@ inputs:
 description: Consider package versions marked test
 required: false
 default: false
+ check-hash:
+ description: Check the hash of the installer
+ required: false
+ default: 'true'
 runs:
 using: "composite"
 steps:
 - run: |
+ $ErrorActionPreference = 'Stop'
 $platform = '${{ inputs.platform }}'
 $platform = $platform -replace '^(x64|amd64)$', 'x86_64'
 $platform = $platform -replace '^i686$', 'x86'
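Review bot: The new `check-hash` input's description, `Check the hash of the installer`, does not say which hash is computed or where the reference value comes from, so a caller cannot judge what the check buys them; the script later in this patch computes a SHA-512 of the downloaded file and compares it with `https://cygwin.com/sha512.sum`, and the description should say so, e.g. `description: Verify the SHA-512 hash of the downloaded setup-<platform>.exe against https://cygwin.com/sha512.sum`. The README row added in the previous hunk would benefit from the same wording. The added `$ErrorActionPreference = 'Stop'` also changes how every pre-existing line of the script reacts to non-terminating cmdlet errors, not only the new hash code; a comment above it such as `# make non-terminating cmdlet errors stop the step` would make that deliberate. The `run:` script continues past the end of this hunk.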
@@ -46,7 +51,25 @@ runs:
 echo "unknown platform $platform"
 exit 1
 }
- Invoke-WebRequest https://cygwin.com/setup-$platform.exe -OutFile C:\setup.exe
+ $setupFileName = "setup-$platform.exe"
+ Invoke-WebRequest "https://cygwin.com/$setupFileName" -OutFile C:\setup.exe
+
+ if ('${{ inputs.check-hash }}'.ToLower() -in @('','true', 'yes', '1', 'on')) {
+ $actualHash = $(Get-FileHash -LiteralPath C:\setup.exe -Algorithm SHA512).Hash
+ $expectedHashLines = $(Invoke-WebRequest -Uri https://cygwin.com/sha512.sum).ToString() -split "`n"
+ foreach ($expectedHashLine in $expectedHashLines) {
+ if ($expectedHashLine -match "^(\S+)\s+(\S+)$") {
+ $expectedHash = $matches[1]
+ $expectedFileName = $matches[2]
+ if ($expectedFileName -ieq $setupFileName) {
+ if ($expectedHash -ine $actualHash) {
+ throw "Invalid hash of the downloaded setup!`nExpected: $expectedHashLine`nActual : $actualHash $expectedFileName"
+ }
+ Write-Host "The downloaded file has the expected hash ($actualHash)"
+ }
+ }
+ }
+ }
 $packages = '${{ inputs.packages }}'
 $pkg_list = $packages.Split('', [System.StringSplitOptions]::RemoveEmptyEntries)
From 7427b3dd7391052e5e396e169a810ca0e31c3f07 Mon Sep 17 00:00:00 2001
From: Michele Locati
Date: Thu, 24 Oct 2024 08:32:16 +0200
Subject: [PATCH 2/4] Show a warning if we can't find the hash of the setup file
---
 action.yml | 26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)
diff --git a/action.yml b/action.yml
index ab1ba8c..f4bac9b 100644
--- a/action.yml
+++ b/action.yml
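Review bot: The expected hash is fetched with the same `Invoke-WebRequest` from the same origin (`https://cygwin.com/sha512.sum`) as the installer itself, so the comparison in this hunk detects a corrupted or truncated download and a mismatch against the published file, but not an origin or CDN that serves a consistent pair; nothing in the hunk says so, and a comment above the `if` such as `# Integrity check only: sha512.sum is served by the same origin as setup.exe` would keep a future reader from treating it as an authenticity check (as far as this page shows, the setup.ini signature check behind `check-sig` is the authenticated one). The `'${{ inputs.check-hash }}'` expression is expanded into the script text before PowerShell runs, like the pre-existing `inputs.platform` and `inputs.packages` lines; the value comes from the calling workflow, so the exposure is limited, but the documented pattern is to pass inputs through `env:` (`CHECK_HASH: ${{ inputs.check-hash }}`) and read `$env:CHECK_HASH`, so that an unexpected quote cannot alter the script. The `run:` script continues outside the hunk.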
@@ -54,19 +54,23 @@ runs:
 $setupFileName = "setup-$platform.exe"
 Invoke-WebRequest "https://cygwin.com/$setupFileName" -OutFile C:\setup.exe
- if ('${{ inputs.check-hash }}'.ToLower() -in @('','true', 'yes', '1', 'on')) {
- $actualHash = $(Get-FileHash -LiteralPath C:\setup.exe -Algorithm SHA512).Hash
+ if ('${{ inputs.check-hash }}' -eq 'true') {
 $expectedHashLines = $(Invoke-WebRequest -Uri https://cygwin.com/sha512.sum).ToString() -split "`n"
+ $expectedHash = ''
 foreach ($expectedHashLine in $expectedHashLines) {
- if ($expectedHashLine -match "^(\S+)\s+(\S+)$") {
- $expectedHash = $matches[1]
- $expectedFileName = $matches[2]
- if ($expectedFileName -ieq $setupFileName) {
- if ($expectedHash -ine $actualHash) {
- throw "Invalid hash of the downloaded setup!`nExpected: $expectedHashLine`nActual : $actualHash $expectedFileName"
- }
- Write-Host "The downloaded file has the expected hash ($actualHash)"
- }
+ if ($expectedHashLine.EndsWith(" $setupFileName")) {
+ $expectedHash = $($expectedHashLine -split '\s+')[0]
+ break
+ }
+ }
+ if ($expectedHash -eq '') {
+ Write-Output -InputObject "::warning::Unable to find the hash for the file $setupFileName in https://cygwin.com/sha512.sum"
+ } else {
+ $actualHash = $(Get-FileHash -LiteralPath C:\setup.exe -Algorithm SHA512).Hash
+ if ($actualHash -ine $expectedHash) {
+ throw "Invalid hash of the downloaded setup!`nExpected: $expectedHash`nActual : $actualHash"
+ } else {
+ Write-Output -InputObject "The downloaded file has the expected hash ($expectedHash)"
 }
 }
 }
From a39f5017ed3d38dd9115e978944dfc53e71093c8 Mon Sep 17 00:00:00 2001
From: Michele Locati
Date: Thu, 24 Oct 2024 08:41:13 +0200
Subject: [PATCH 3/4] Update the type of the default values of the action options
They must be strings accordingly to the docs: see https://docs.github.com/en/actions/sharing-automations/creating-actions/metadata-syntax-for-github-actions#inputsinput_iddefault
---
 action.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
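Review bot: With `check-hash` enabled, a `sha512.sum` that contains no line for `$setupFileName` now only emits a `::warning::` and the step goes on to run an unverified installer, so the check fails open; since the input defaults to `true`, the safer behaviour is to fail closed, `throw "Unable to find the hash for the file $setupFileName in https://cygwin.com/sha512.sum"`, or, if a warning is the intended degradation, to state that fallback in the input description and the README. The new `-eq 'true'` test also means any other value (the earlier code accepted `yes`, `1` and `on`) silently skips the check instead of erroring; if that is intended it belongs in the description as well. `EndsWith(" $setupFileName")` will not match if the file is ever served with CRLF line endings, because the split is on LF only; `if ($expectedHashLine.TrimEnd().EndsWith(" $setupFileName")) {` is robust to that. The enclosing `run:` script starts and ends outside the hunk.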
diff --git a/action.yml b/action.yml
index f4bac9b..0775d2d 100644
--- a/action.yml
+++ b/action.yml
@@ -18,7 +18,7 @@ inputs:
 check-sig:
 description: Should the setup.ini file signature be checked?
 required: false
- default: true
+ default: 'true'
 pubkeys:
 description: Absolute paths of extra public key files (RFC4880 format), separated by whitespace
 required: false
@@ -28,11 +28,11 @@ inputs:
 add-to-path:
 description: Should Cygwin's bin directory be added to the system PATH?
 required: false
- default: true
+ default: 'true'
 allow-test-packages:
 description: Consider package versions marked test
 required: false
- default: false
+ default: 'false'
 check-hash:
 description: Check the hash of the installer
 required: false
From 2fea0d796f2145aa429118e0bc4a59fab0b95b08 Mon Sep 17 00:00:00 2001
From: Michele Locati
Date: Thu, 24 Oct 2024 08:54:43 +0200
Subject: [PATCH 4/4] Throw an exception if the downloaded setup is empty
---
 action.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/action.yml b/action.yml
index 0775d2d..3c400c4 100644
--- a/action.yml
+++ b/action.yml
@@ -53,6 +53,9 @@ runs:
 }
 $setupFileName = "setup-$platform.exe"
 Invoke-WebRequest "https://cygwin.com/$setupFileName" -OutFile C:\setup.exe
+ if ((Get-Item -LiteralPath 'C:\setup.exe').Length -eq 0) {
+ throw "The downloaded setup has a zero length!"
+ }
 if ('${{ inputs.check-hash }}' -eq 'true') {
 $expectedHashLines = $(Invoke-WebRequest -Uri https://cygwin.com/sha512.sum).ToString() -split "`n"