
Improve security of downloading a binary by checking the fingerprint #1320

Open
arthurzenika opened this issue Aug 25, 2022 · 1 comment

@arthurzenika

Is your feature request related to a problem? Please describe

I'm not sure if this is already done or if it's the plugin's responsibility, but it would be nice to have some sort of check that the binary being downloaded is the one published by the upstream organisation that compiles it.

If we take the example of kubectl, the documentation https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/ encourages you to "Validate the binary":

echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check

This doesn't seem to be checked by asdf

Describe the proposed solution

Add the sha256 or other metadata that enables asdf or its plugins to validate the binary download.

Describe similar asdf features and why they are not sufficient

Haven't found any mention of fingerprints in the documentation.

Quick read of https://github.com/asdf-community/asdf-kubectl/blob/master/bin/install seems to show this is not done.

Describe other workarounds you've considered

Having some sort of post hook or other script that checks the fingerprints?

@amrox

amrox commented Dec 29, 2022

AFAIK, it is the plugin's responsibility to check fingerprints or checksums. I do it here in my asdf-clang-tools plugin.

My guess is that this would be difficult to implement in a generalized way due to asdf's plugin architecture. We may be able to encourage plugin authors to validate checksums by adding it to the documentation or plugin templates, however.
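As an added example (not code from asdf, asdf-kubectl or either commenter), this is the kind of checksum step a plugin's bin/install could run right after downloading a release, covering both the sha256sum --check line quoted from the kubectl docs above and the "plugin's responsibility" point in this comment. It assumes GNU coreutils' sha256sum is on PATH (falling back to shasum), and that the sidecar file has the kubectl.sha256 layout, a single hex digest. The demo inputs are constructed: an empty "binary" (whose SHA-256 is a well-known constant) with one correct and one tampered sidecar.

```shell
#!/usr/bin/env bash
# Added example, not code from asdf or the asdf-kubectl plugin.
# Assumes sha256sum (GNU coreutils) or shasum (perl) is available.

# sha256_of FILE -> prints the lowercase hex SHA-256 digest of FILE
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when FILE's digest equals EXPECTED_HEX (case-insensitive), 1 on
# mismatch. The expected digest must come from a source the plugin trusts
# (upstream release page over TLS, or a digest pinned in the plugin itself).
verify_sha256() {
  local file="$1" expected actual
  expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
  actual="$(sha256_of "$file")"
  if [ "$actual" != "$expected" ]; then
    printf 'checksum mismatch for %s\n  expected %s\n  actual   %s\n' \
      "$file" "$expected" "$actual" >&2
    return 1
  fi
  return 0
}

# verify_with_sidecar FILE SIDECAR
# Reads the digest from a kubectl.sha256-style sidecar (one hex digest,
# optional trailing whitespace). Anything that is not exactly 64 hex
# characters is rejected, so a truncated or tampered sidecar cannot
# accidentally "match"; then delegates to verify_sha256.
verify_with_sidecar() {
  local file="$1" sidecar="$2" digest
  digest="$(head -n 1 "$sidecar" | tr -d '[:space:]')"
  case "$digest" in
    *[!0-9A-Fa-f]*|"") echo "invalid digest in $sidecar" >&2; return 1 ;;
  esac
  if [ "${#digest}" -ne 64 ]; then
    echo "digest in $sidecar is not 64 hex characters" >&2
    return 1
  fi
  verify_sha256 "$file" "$digest"
}

# Demo on constructed inputs. Returns 0 only if the good sidecar passes and
# the tampered one fails, which is exactly where a plugin would abort install.
demo() {
  local dir rc=0
  dir="$(mktemp -d)"
  : > "$dir/kubectl"   # constructed empty "binary"
  printf '%s\n' e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 \
    > "$dir/kubectl.sha256"    # SHA-256 of empty input
  printf '%s\n' 0000000000000000000000000000000000000000000000000000000000000000 \
    > "$dir/tampered.sha256"   # constructed wrong digest
  verify_with_sidecar "$dir/kubectl" "$dir/kubectl.sha256" || rc=1
  if verify_with_sidecar "$dir/kubectl" "$dir/tampered.sha256" 2>/dev/null; then
    rc=1
  fi
  rm -rf "$dir"
  return "$rc"
}

demo && echo "checksum demo passed"
```

Note that a digest downloaded from the same server as the binary only detects corruption or a mismatch between mirror and upstream; whoever controls that server can publish a matching pair. Authenticity needs either a digest pinned in the plugin source or a signature check on the release artefacts, which is why this is a plugin-level decision rather than something asdf core can do generically.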
