fix(template): NSIS download fix meta-refresh regex to match downloads.sf.net token URL

This commit is contained in:
Simone
2026-05-11 20:38:36 +02:00
parent 133701dd60
commit 1ad9b4dd4f
+30 -11
View File
@@ -1196,23 +1196,42 @@ $nsisExe = 'C:\Program Files (x86)\NSIS\makensis.exe'
if (Test-Path $nsisExe) { if (Test-Path $nsisExe) {
Write-Host "NSIS already installed." Write-Host "NSIS already installed."
} else { } else {
$nsisUrl = "https://prdownloads.sourceforge.net/nsis/nsis-$NSISVersion-setup.exe" # SourceForge redirect chain:
# Step 1: sf.net/.../download?use_mirror=autoselect → 200 HTML meta-refresh
# The meta-refresh URL is: https://downloads.sourceforge.net/project/nsis/...?ts=TOKEN
# That tokenised URL resolves directly to the binary (no further HTML).
# Strategy: fetch the HTML page, extract the meta-refresh URL, download it immediately
# (the ts= token is short-lived, so we use it right away).
$nsisPageUrl = "https://sourceforge.net/projects/nsis/files/NSIS%20$($NSISVersion.Split('.')[0])/$NSISVersion/nsis-$NSISVersion-setup.exe/download?use_mirror=autoselect"
$nsisInstaller = 'C:\CI\nsis_installer.exe' $nsisInstaller = 'C:\CI\nsis_installer.exe'
Write-Host "Downloading NSIS $NSISVersion from SourceForge..." $sfUA = @{ 'User-Agent' = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' }
# SourceForge returns an HTML redirect page when accessed with PS default User-Agent.
# Supplying a browser-like User-Agent forces the CDN to serve the raw binary. Write-Host "Resolving NSIS $NSISVersion download URL from SourceForge..."
try { try {
Invoke-WebRequest -Uri $nsisUrl -OutFile $nsisInstaller -UseBasicParsing ` $sfPage = Invoke-WebRequest -Uri $nsisPageUrl -UseBasicParsing -MaximumRedirection 5 `
-Headers @{ 'User-Agent' = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' } -Headers $sfUA
} catch { throw "Failed to download NSIS from '$nsisUrl': $_" } } catch { throw "Failed to reach SourceForge download page: $_" }
# Guard: verify downloaded file is a valid PE executable (MZ magic bytes).
# If SourceForge still returned an HTML page the installer would silently corrupt # Extract tokenised URL from: <meta http-equiv="refresh" content="5; url=https://downloads.sourceforge.net/...?ts=...">
# the WinRM session — fail fast with a clear message instead. $nsisCdnUrl = $null
if ($sfPage.RawContent -match 'content="\d+;\s*url=(https://downloads\.sourceforge\.net/[^"]+)"') {
$nsisCdnUrl = $Matches[1]
}
if (-not $nsisCdnUrl) {
throw "Could not extract tokenised download URL from SourceForge page for NSIS $NSISVersion. " +
"Page structure may have changed."
}
Write-Host "Downloading NSIS $NSISVersion from SourceForge..."
try {
Invoke-WebRequest -Uri $nsisCdnUrl -OutFile $nsisInstaller -UseBasicParsing -Headers $sfUA
} catch { throw "Failed to download NSIS from '$nsisCdnUrl': $_" }
# Guard: verify the file is a valid PE executable (MZ magic bytes).
$peBytes = [System.IO.File]::ReadAllBytes($nsisInstaller) $peBytes = [System.IO.File]::ReadAllBytes($nsisInstaller)
if ($peBytes.Length -lt 2 -or $peBytes[0] -ne 0x4D -or $peBytes[1] -ne 0x5A) { if ($peBytes.Length -lt 2 -or $peBytes[0] -ne 0x4D -or $peBytes[1] -ne 0x5A) {
Remove-Item $nsisInstaller -ErrorAction SilentlyContinue Remove-Item $nsisInstaller -ErrorAction SilentlyContinue
throw "NSIS download is not a valid PE executable (MZ header missing). " + throw "NSIS download is not a valid PE executable (MZ header missing). " +
"SourceForge likely returned an HTML page. Set `$script:Hashes['NSIS']` to pin a known-good hash." "SourceForge may have returned HTML instead of the binary."
} }
Assert-Hash -FilePath $nsisInstaller -Label "nsis-$NSISVersion-setup.exe" ` Assert-Hash -FilePath $nsisInstaller -Label "nsis-$NSISVersion-setup.exe" `
-Expected $script:Hashes['NSIS'] -Expected $script:Hashes['NSIS']