Enable installing binaries from multiple domains

[richlander]

Related: #2121
Blocking: dotnet/core#9724

The following are safe domains:

• download.visualstudio.microsoft.com
• builds.dotnet.microsoft.com

This code needs to change:

vscode-dotnet-runtime/vscode-dotnet-runtime-library/src/Acquisition/GlobalInstallerResolver.ts

Lines 250 to 255 in 674f368

	if(!(installerUrl as string).startsWith('https://download.visualstudio.microsoft.com/'))
	{
	const releaseJsonErr = new DotnetInvalidReleasesJSONError(new EventBasedError('DotnetInvalidReleasesJSONError',
	`The url: ${installerUrl} is hosted on an unexpected domain.
	We cannot verify that .NET downloads are hosted in a secure location, so we have rejected .NET. The url should be download.visualstudio.microsoft.com.
	Please report this issue so it can be remedied or investigated.`), getInstallFromContext(this.context));

I'm hoping we can target this change for 2.2.8. I'd propose merging the PR above one week after the extension was released. After a week, we're likely well into the long tail.

[baronfel]

Frankly I'm not sure we should be applying any additional checks on the content of the releases.json file. If a) we have that file, and b) we can use a MS public signature to verify the contents (this would require publishing sidecar signature files) then we should just trust it.

[richlander]

That is a good point. We should be doing something similar to:

dotnet/core#7641 (comment)

I can imagine two things:

• Validate the signature / checksum.
• Validate that the domain ends in microsoft.com.

Validating the specific domain seems like tighter coupling (as demonstrated) than we need/want.

[nagilson]

We can certainly simplify the check to be whether the domain ends in microsoft.com.

We do validate the hashes on the files but we need to make sure that the releases.json is valid as well, do we have an easy place to get hashes for that as of right now? If that is on a web store as well, then that would need to be validated.

[richlander]

I'm hoping to get checksums deployed beside each asset. I have a tracking issue for it. I'm hope that will happen this month.

[nagilson]

Extracting the domain from a string is actually a pretty hard problem with a lot of edge cases. I think I'm going to add builds.dotnet.microsoft.com to the list of acceptable terms for now as a stopgap and then if the checksums come out this month we can change to doing that.

[richlander]

StartsWith has a lot going for it w/rt simplicity.