Add Windows 10 Redstone 5 17763.379 builds

* Closes #25

.whitesource

@@ -0,0 +1,8 @@
+{
+  "checkRunSettings": {
+    "vulnerableCheckRunConclusionLevel": "failure"
+  },
+  "issueSettings": {
+    "minSeverityLevel": "LOW"
+  }
+}

README.md

@@ -1,5 +1,5 @@
-Fido: Full ISO Download Script (for Windows retail ISOs)
-========================================================
+Fido: A PowerShell download script for Windows ISOs and UEFI Shell
+==================================================================
 
 [![Licence](https://img.shields.io/badge/license-GPLv3-blue.svg?style=flat-square)](https://www.gnu.org/licenses/gpl-3.0.en.html)
 [![Github stats](https://img.shields.io/github/downloads/pbatard/Fido/total.svg?style=flat-square)](https://github.com/pbatard/Fido/releases)
@@ -7,26 +7,32 @@ Fido: Full ISO Download Script (for Windows retail ISOs)
 Description
 -----------
 
-Fido is a PowerShell script that is primarily designed to be used in [Rufus](https://github.com/pbatard/rufus) but that
-can also be used in standalone fashion, and that automates access to the official Windows retail ISO download links.
+Fido is a PowerShell script that is primarily designed to be used in [Rufus](https://github.com/pbatard/rufus), but that
+can also be used in standalone fashion, and whose purpose is to automate access to the official Microsoft Windows retail
+ISO download links as well as provide convenient access to bootable UEFI Shell images.
 
-We decided to create this script because, while Microsoft does make retail ISO download links freely and publicly
-available on their website (at least for Windows 8 and Windows 10), it only does so after actively forcing users to
-jump through a lot of unwarranted hoops, that create an exceedingly counterproductive, if not downright unfriendly,
-consumer experience, which greatly detracts from what people really want (direct access to ISO downloads).
+This script exists because, while Microsoft does make retail ISO download links freely and publicly available (at least
+for Windows 8 and Windows 10), it only does so after actively forcing users to jump through a lot of unwarranted hoops,
+that create an exceedingly counterproductive, if not downright unfriendly, consumer experience and that greatly detract
+from what people really want (direct access to ISO downloads).
 
-As to the reason one might want to download Windows __retail__ ISOs, as opposed to the ISOs that can be generated by
-Microsoft's own Media Creation Tool (MCT), this is because it is only with an official retail ISO that one can assert
-with complete certainty whether its content has been altered in any way or not. Indeed, retail Microsoft's ISOs are the
-only ones you will be able to obtain an official SHA-1 for (from sites [such as this one](https://msdn.rg-adguard.net/public.php))
-for instance) allowing you to be 100% certain that the image you are using is non corrupted and safe to use.
+As to the reason one might want to download Windows __retail__ ISOs, as opposed to the ISOs that are generated by
+Microsoft's own Media Creation Tool (MCT), this is because using official retail ISOs is currently the only way to
+assert with absolute certainty that the OS content has not been altered. Indeed, because there only exists a single
+master for each of them, Microsoft retail ISOs are the only ones you can obtain an official SHA-1 for (from MSDN, if you
+have access to it, or from sites [such as this one](https://msdn.rg-adguard.net/public.php)) allowing you to be 100%
+sure that the image you are using has not been corrupted and is safe to use.
 
-This, in turn, offers assurance that the content __YOU__ are using to install your OS, and which it is indeed critical
-to validate beforehand if you care about security, does matches bit for bit the one that Microsoft officially released.
+This, in turn, offers assurance that the content __YOU__ are using to install your OS, which it is indeed critical to
+validate beforehand if you have the slightest concern about security, does match, bit for bit, the one that Microsoft
+released.
 
-On the other hand, because no two MCT ISOs are the same (due to MCT always regenerating the ISO content on the fly)
-it is impossible to get the same kind of assurance from non-retail ISOs. Hence the need to provide users with a much
-easier and less restrictive way to access official retail ISOs...
+On the other hand, regardless of the manner in which Microsoft's Media Creation Tool produces its content, because no
+two MCT ISOs are ever the same (due to MCT always regenerating the ISO content on the fly) it is currently impossible to
+validate with absolute certainty whether any ISO that was generated by the MCT is safe to use. Especially, unlike what
+is the case for retail ISOs, it is impossible to tell whether an MCT ISO may have been corrupted after generation.
+
+Hence the need to provide users with a much easier and less restrictive way to access official retail ISOs...
 
 License
 -------
@@ -36,7 +42,7 @@ License
 How it works
 ------------
 
-The script basically performs the same operation as one might perform when visiting either of the following ULRs (that
+The script basically performs the same operation as one might perform when visiting either of the following URLs (that
 is, provided that you have also changed your `User-Agent` browser string, since, when they detect that you are using a
 version of Windows that is the same as the one you are trying to download, the Microsoft web servers at these addresses
 redirect you __away__ from the pages that allow you to download retail ISOs):
@@ -44,22 +50,84 @@ redirect you __away__ from the pages that allow you to download retail ISOs):
 * https://www.microsoft.com/software-download/Windows8ISO
 * https://www.microsoft.com/software-download/Windows10ISO
 
-After visiting those with a full browser (Internet Explorer, running through the `Invoke-WebRequest` PowerShell Cmdlet),
-to confirm that they are accessible queries web APIs on the Microsoft servers to first request the language selection
-available for the for the version of Windows that was selected, and then the download links for the various architecture
-enabled for that version + language combination.
+After checking access to these URLs, to confirm that they are accessible, the script first queries the web API from the
+Microsoft servers, to request the language selection available for the version of Windows selected, and then requests
+the actual download links for all the architectures available for that language + version.
 
 Requirements
 ------------
 
-PowerShell 3.0 or later is required. But the script does detect if you are using an older version and points you to the
-relevant PowerShell 3.0 download page if needed, which should only be the case if you are running a vanilla version of
-Windows 7.
+PowerShell 3.0 or later is required. However the script should detect if you are using an older version and point you to
+the relevant PowerShell 3.0 download page if needed (which should only ever occur if you are running a vanilla version
+of Windows 7).
 
-Also, because Internet Explorer is being used behind the scenes, if you haven't gone through the first time setup for
-Internet Explorer, you may receive an error about it when running the script. If that is the case, then you need to
-make sure that you manually launch IE at least once and complete the setup.
+Note that the current version of the script does not need Internet Explorer to be installed and should also work with
+PowerShell 7.
 
-Note that, if running this script elevated, this annoyance can be avoided by using the `-DisableFirstRunCustomize`
-option (which basically __temporarily__ creates the key of the same name in the registry __if__ it doesn't already
-exist, to bypass that behaviour).
+Commandline mode
+----------------
+
+Fido supports commandline mode whereas, whenever one of the following options is provided, a GUI is not instantiated
+and you can instead generate the ISO download from within a PowerShell console or script.
+
+The options are:
+- `Win`: Specify Windows version (e.g. _"Windows 10"_). Abbreviated version should work as well (e.g `-Win 10`) as long
+   as it is unique enough. If this option isn't specified, the most recent version of Windows is automatically selected.  
+   You can obtain a list of supported versions by specifying `-Win List`.
+- `Rel`: Specify Windows release (e.g. _"21H1"_). If this option isn't specified, the most recent release for the chosen
+   version of Windows is automatically selected. You can also use `-Rel Latest` to force the most recent to be used.
+   You can obtain a list of supported versions by specifying `-Rel List`.
+- `Ed`: Specify Windows edition (e.g. _"Pro/Home"_). Abbreviated editions should work as well (e.g `-Ed Pro`) as long
+   as it is unique enough. If this option isn't specified, the most recent version of Windows is automatically selected.  
+   You can obtain a list of supported versions by specifying `-Ed List`.
+- `Lang`: Specify Windows language (e.g. _"Arabic"_). Abbreviated or part of a language (e.g. `-Lang Int` for
+   `English International`) should work as long as it's unique enough. If this option isn't specified, the script attempts
+   to select the same language as the system locale.  
+   You can obtain a list of supported languages by specifying `-Lang List`.
+- `Arch`: Specify Windows architecture (e.g. _"x64"_). If this option isn't specified, the script attempts to use the same
+   architecture as the one from the current system.
+- `GetUrl`: By default, the script attempts to automatically launch the download. But when using the `-GetUrl` switch,
+   the script only displays the download URL, which can then be piped into another command or into a file.
+
+Examples of a commandline download:
+
+```
+PS C:\Projects\Fido> .\Fido.ps1 -Win 10
+No release specified (-Rel). Defaulting to '21H1 (Build 19043.985 - 2021.05)'.
+No edition specified (-Ed). Defaulting to 'Windows 10 Home/Pro'.
+No language specified (-Lang). Defaulting to 'English International'.
+No architecture specified (-Arch). Defaulting to 'x64'.
+Selected: Windows 10 21H1 (Build 19043.985 - 2021.05), Home/Pro, English International, x64
+Downloading 'Win10_21H1_EnglishInternational_x64.iso' (5.0 GB)...
+PS C:\Projects\Fido> .\Fido.ps1 -Win 10 -Rel List
+Please select a Windows Release (-Rel) for Windows 10 (or use 'Latest' for most recent):
+ - 21H1 (Build 19043.985 - 2021.05)
+ - 20H2 (Build 19042.631 - 2020.12)
+ - 20H2 (Build 19042.508 - 2020.10)
+ - 20H1 (Build 19041.264 - 2020.05)
+ - 19H2 (Build 18363.418 - 2019.11)
+ - 19H1 (Build 18362.356 - 2019.09)
+ - 19H1 (Build 18362.30 - 2019.05)
+ - 1809 R2 (Build 17763.107 - 2018.10)
+ - 1809 R1 (Build 17763.1 - 2018.09)
+ - 1803 (Build 17134.1 - 2018.04)
+ - 1709 (Build 16299.15 - 2017.09)
+ - 1703 [Redstone 2] (Build 15063.0 - 2017.03)
+ - 1607 [Redstone 1] (Build 14393.0 - 2016.07)
+ - 1511 R3 [Threshold 2] (Build 10586.164 - 2016.04)
+ - 1511 R2 [Threshold 2] (Build 10586.104 - 2016.02)
+ - 1511 R1 [Threshold 2] (Build 10586.0 - 2015.11)
+ - 1507 [Threshold 1] (Build 10240.16384 - 2015.07)
+PS C:\Projects\Fido> .\Fido.ps1 -Win 10 -Rel 20H2 -Ed Edu -Lang Fre -Arch x86 -GetUrl
+https://software-download.microsoft.com/db/Win10_Edu_20H2_v2_French_x32.iso?t=c48b32d3-4cf3-46f3-a8ad-6dd9568ff4eb&e=1629113408&h=659cdd60399584c5dc1d267957924fbd
+```
+
+Additional Notes
+----------------
+
+Because of its intended usage with Rufus, this script is not designed to cover every possible retail ISO downloads.
+Instead we mostly chose the ones that the general public is likely to request. For instance, we currently have no plan
+to add support for LTSB/LTSC Windows 10 ISOs downloads.
+
+If you are interested in such downloads, then you are kindly invited to visit the relevant download pages from Microsoft
+such as [this one](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) for LTSC versions.

sign.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# This script creates the RSA-2048 signatures for our downloadable content
+# Creates an LZMA compressed Fido.ps1 (including decompressed size) and sign it
 
 PRIVATE_KEY=/d/Secured/Akeo/Rufus/private.pem
 PUBLIC_KEY=/d/Secured/Akeo/Rufus/public.pem
@@ -20,11 +20,17 @@ sign_file() {
   fi
 }
 
+# Update the Authenticode signature
+cmd.exe /c '"C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool" sign /v /sha1 9ce9a71ccab3b38a74781b975f1c228222cf7d3b /fd SHA256 /tr http://sha256timestamp.ws.symantec.com/sha256/timestamp Fido.ps1'
 read -s -p "Enter pass phrase for `realpath $PRIVATE_KEY`: " PASSWORD
 echo
 # Confirm that the pass phrase is valid by trying to sign a dummy file
 openssl dgst -sha256 -sign $PRIVATE_KEY -passin pass:$PASSWORD $PUBLIC_KEY >/dev/null 2>&1 || { echo Invalid pass phrase; exit 1; }
 
-find . -maxdepth 1 -name "*.ps1" | while read FILE; do sign_file; done
+lzma -kf Fido.ps1
+# The 'lzma' utility does not add the uncompressed size, so we must add it manually. And yes, this whole
+# gymkhana is what one must actually go through to insert a 64-bit little endian size into a binary file...
+printf "00: %016X" `stat -c "%s" Fido.ps1` | xxd -r | xxd -p -c1 | tac | xxd -p -r | dd of=Fido.ps1.lzma seek=5 bs=1 status=none conv=notrunc
+find . -maxdepth 1 -name "Fido.ps1.lzma" | while read FILE; do sign_file; done
 # Clear the PASSWORD variable just in case
 PASSWORD=`head -c 50 /dev/random | base64`