Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Verify Downloads Checksum & Signature #160

Closed
markmsmith opened this issue Apr 26, 2021 · 0 comments · Fixed by #334
Closed

Verify Downloads Checksum & Signature #160

markmsmith opened this issue Apr 26, 2021 · 0 comments · Fixed by #334
Assignees
@MatrixCrawler
Labels
documentation Add or improve documentation: README/CHANGELOG/comments on code enhancement Refactor existing code for better performance and quality new feature New feature or request

Comments

@markmsmith
Copy link

Due to the increasing frequency of supply chain attacks, it would be nice if tfswitch verified the checksums and gpg signatures of terraform when it downloads it for the first time, as described here:
https://www.hashicorp.com/security#template-page-security:~:text=Release%20Archive%20Checksum%20Verification

Here's some example bash code that may provide a useful starting point for doing the equivalent in Go:
https://gist.github.com/markmsmith/cda59d5f24a812bea66fb3dbd7612397
@MatrixCrawler MatrixCrawler added the new feature New feature or request label Mar 27, 2024
MatrixCrawler added a commit to MatrixCrawler/terraform-switcher that referenced this issue Mar 27, 2024
@MatrixCrawler
- implemented check for signature and checksums for warrensbox#160
6429afb
@MatrixCrawler MatrixCrawler mentioned this issue Mar 27, 2024
Closed
@MatrixCrawler MatrixCrawler added documentation Add or improve documentation: README/CHANGELOG/comments on code enhancement Refactor existing code for better performance and quality labels Mar 27, 2024
MatrixCrawler added a commit to MatrixCrawler/terraform-switcher that referenced this issue Mar 28, 2024
@MatrixCrawler
- implemented check for signature and checksums for warrensbox#160
ff288f4
@MatrixCrawler MatrixCrawler self-assigned this Mar 28, 2024
@MatrixCrawler MatrixCrawler mentioned this issue Mar 28, 2024
Merged
MatrixCrawler added a commit to MatrixCrawler/terraform-switcher that referenced this issue Mar 28, 2024
@MatrixCrawler
- implemented check for signature and checksums for warrensbox#160 and
c932b6f 
…warrensbox#290

- added github action for testing
- added test for checksum matching
- add gitattributes for windows testing. if not present the lf line endings will be converted to crlf which messes with the checksum tests.
- update changelog and readme
MatrixCrawler added a commit to MatrixCrawler/terraform-switcher that referenced this issue Mar 28, 2024
@MatrixCrawler
- implemented check for signature and checksums for warrensbox#160 and
204c661 
…warrensbox#290

- added github action for testing
- added test for checksum matching
- add gitattributes for windows testing. if not present the lf line endings will be converted to crlf which messes with the checksum tests.
- update changelog and readme
MatrixCrawler added a commit to MatrixCrawler/terraform-switcher that referenced this issue Mar 28, 2024
@MatrixCrawler
- implemented check for signature and checksums for warrensbox#160 and
253a515 
…warrensbox#290

- added github action for testing
- added test for checksum matching
- add gitattributes for windows testing. if not present the lf line endings will be converted to crlf which messes with the checksum tests.
- update changelog and readme
MatrixCrawler added a commit to MatrixCrawler/terraform-switcher that referenced this issue Apr 2, 2024
@MatrixCrawler
- implemented check for signature and checksums for warrensbox#160 and
ca5001b 
…warrensbox#290

- added github action for testing
- added test for checksum matching
- add gitattributes for windows testing. if not present the lf line endings will be converted to crlf which messes with the checksum tests.
- update changelog and readme
MatrixCrawler added a commit to MatrixCrawler/terraform-switcher that referenced this issue Apr 3, 2024
@MatrixCrawler
- implemented check for signature and checksums for warrensbox#160 and
03cf51d 
…warrensbox#290

- added github action for testing
- added test for checksum matching
- add gitattributes for windows testing. if not present the lf line endings will be converted to crlf which messes with the checksum tests.
- update changelog and readme
MatrixCrawler added a commit to MatrixCrawler/terraform-switcher that referenced this issue Apr 3, 2024
@MatrixCrawler
- implemented check for signature and checksums for warrensbox#160 and
519be70 
…warrensbox#290

- added github action for testing
- added test for checksum matching
- add gitattributes for windows testing. if not present the lf line endings will be converted to crlf which messes with the checksum tests.
- update changelog and readme
MatrixCrawler added a commit to MatrixCrawler/terraform-switcher that referenced this issue Apr 3, 2024
@MatrixCrawler
- implemented check for signature and checksums for warrensbox#160 and
acf7325 
…warrensbox#290

- added github action for testing
- added test for checksum matching
- add gitattributes for windows testing. if not present the lf line endings will be converted to crlf which messes with the checksum tests.
- update changelog and readme
MatrixCrawler added a commit to MatrixCrawler/terraform-switcher that referenced this issue Apr 5, 2024
@MatrixCrawler
- implemented check for signature and checksums for warrensbox#160 and
a87470f 
…warrensbox#290

- added github action for testing
- added test for checksum matching
- add gitattributes for windows testing. if not present the lf line endings will be converted to crlf which messes with the checksum tests.
- update changelog and readme
MatrixCrawler added a commit to MatrixCrawler/terraform-switcher that referenced this issue Apr 5, 2024
@MatrixCrawler
- implemented check for signature and checksums for warrensbox#160 and
c206f43 
…warrensbox#290

- added github action for testing
- added test for checksum matching
- add gitattributes for windows testing. if not present the lf line endings will be converted to crlf which messes with the checksum tests.
- update changelog and readme
MatrixCrawler added a commit that referenced this issue Apr 5, 2024
@MatrixCrawler
Checksum check for TF Binaries (#334)
40cb5f6 
Co-authored-by: George L. Yermulnik <[email protected]>

- implemented check for signature and checksums for #160 and #290
- added test for checksum matching
- add gitattributes for windows testing. if not present the lf line endings will be converted to crlf which messes with the checksum tests.
- make public key options configurable via command line
- delete hash files after checking the signatures and checksums
- remove obsolete go.yml which is replaced with build.yml
- move default values into defaults.go
- replace unnecessary function calls with defer
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@MatrixCrawler MatrixCrawler

Labels
documentation Add or improve documentation: README/CHANGELOG/comments on code enhancement Refactor existing code for better performance and quality new feature New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Checksum check for TF Binaries MatrixCrawler/terraform-switcher
2 participants
@markmsmith @MatrixCrawler