Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Does tfswitch verifies the sha256sums? #290

Closed
vikas027 opened this issue Feb 21, 2023 · 2 comments · Fixed by #334
Closed

Does tfswitch verifies the sha256sums? #290

vikas027 opened this issue Feb 21, 2023 · 2 comments · Fixed by #334
Assignees
@warrensbox
Labels
duplicate This issue or pull request already exists enhancement Refactor existing code for better performance and quality

Comments

@vikas027
Copy link

When tfswitch downloads a terraform binary, does it verifies the sha256sum advertised on hashicorp release site (https://releases.hashicorp.com/terraform)?
If yes, it will be good to advertise the same in the README.md :)
@vikas027 vikas027 added the enhancement Refactor existing code for better performance and quality label Feb 21, 2023
@apogrebnyak
Copy link

As far as I can tell it does not.

The download is done by this method ->

terraform-switcher/lib/download.go

Line 13 in d7dfd1b

func DownloadFromURL(installLocation string, url string) (string, error) {

It is called from here and I don't see any signature verification until the method exits -> https://github.com/warrensbox/terraform-switcher/blob/master/lib/install.go#L136

I am not sure if sha256 check will do anything to ensure clean source. Only signature check against trusted key would.
It is not done here either.

@MatrixCrawler
Copy link
Collaborator

MatrixCrawler commented Mar 27, 2024
edited

Duplicates #160, will close this issue.
I already started implementing a checksum check.

@MatrixCrawler MatrixCrawler closed this as not planned Won't fix, can't repro, duplicate, stale Mar 27, 2024
@MatrixCrawler MatrixCrawler reopened this Mar 27, 2024
@MatrixCrawler MatrixCrawler closed this as not planned Won't fix, can't repro, duplicate, stale Mar 27, 2024
@MatrixCrawler MatrixCrawler added the duplicate This issue or pull request already exists label Mar 28, 2024
@MatrixCrawler MatrixCrawler mentioned this issue Mar 28, 2024
Merged
MatrixCrawler added a commit to MatrixCrawler/terraform-switcher that referenced this issue Mar 28, 2024
@MatrixCrawler
- implemented check for signature and checksums for warrensbox#160 and
c932b6f 
…warrensbox#290

- added github action for testing
- added test for checksum matching
- add gitattributes for windows testing. if not present the lf line endings will be converted to crlf which messes with the checksum tests.
- update changelog and readme
MatrixCrawler added a commit to MatrixCrawler/terraform-switcher that referenced this issue Mar 28, 2024
@MatrixCrawler
- implemented check for signature and checksums for warrensbox#160 and
204c661 
…warrensbox#290

- added github action for testing
- added test for checksum matching
- add gitattributes for windows testing. if not present the lf line endings will be converted to crlf which messes with the checksum tests.
- update changelog and readme
@MatrixCrawler MatrixCrawler linked a pull request Mar 28, 2024 that will close this issue
Checksum check for TF Binaries #334
Merged
MatrixCrawler added a commit to MatrixCrawler/terraform-switcher that referenced this issue Mar 28, 2024
@MatrixCrawler
- implemented check for signature and checksums for warrensbox#160 and
253a515 
…warrensbox#290

- added github action for testing
- added test for checksum matching
- add gitattributes for windows testing. if not present the lf line endings will be converted to crlf which messes with the checksum tests.
- update changelog and readme
MatrixCrawler added a commit to MatrixCrawler/terraform-switcher that referenced this issue Apr 2, 2024
@MatrixCrawler
- implemented check for signature and checksums for warrensbox#160 and
ca5001b 
…warrensbox#290

- added github action for testing
- added test for checksum matching
- add gitattributes for windows testing. if not present the lf line endings will be converted to crlf which messes with the checksum tests.
- update changelog and readme
MatrixCrawler added a commit to MatrixCrawler/terraform-switcher that referenced this issue Apr 3, 2024
@MatrixCrawler
- implemented check for signature and checksums for warrensbox#160 and
03cf51d 
…warrensbox#290

- added github action for testing
- added test for checksum matching
- add gitattributes for windows testing. if not present the lf line endings will be converted to crlf which messes with the checksum tests.
- update changelog and readme
MatrixCrawler added a commit to MatrixCrawler/terraform-switcher that referenced this issue Apr 3, 2024
@MatrixCrawler
- implemented check for signature and checksums for warrensbox#160 and
519be70 
…warrensbox#290

- added github action for testing
- added test for checksum matching
- add gitattributes for windows testing. if not present the lf line endings will be converted to crlf which messes with the checksum tests.
- update changelog and readme
MatrixCrawler added a commit to MatrixCrawler/terraform-switcher that referenced this issue Apr 3, 2024
@MatrixCrawler
- implemented check for signature and checksums for warrensbox#160 and
acf7325 
…warrensbox#290

- added github action for testing
- added test for checksum matching
- add gitattributes for windows testing. if not present the lf line endings will be converted to crlf which messes with the checksum tests.
- update changelog and readme
MatrixCrawler added a commit to MatrixCrawler/terraform-switcher that referenced this issue Apr 5, 2024
@MatrixCrawler
- implemented check for signature and checksums for warrensbox#160 and
a87470f 
…warrensbox#290

- added github action for testing
- added test for checksum matching
- add gitattributes for windows testing. if not present the lf line endings will be converted to crlf which messes with the checksum tests.
- update changelog and readme
MatrixCrawler added a commit to MatrixCrawler/terraform-switcher that referenced this issue Apr 5, 2024
@MatrixCrawler
- implemented check for signature and checksums for warrensbox#160 and
c206f43 
…warrensbox#290

- added github action for testing
- added test for checksum matching
- add gitattributes for windows testing. if not present the lf line endings will be converted to crlf which messes with the checksum tests.
- update changelog and readme
MatrixCrawler added a commit that referenced this issue Apr 5, 2024
@MatrixCrawler
Checksum check for TF Binaries (#334)
40cb5f6 
Co-authored-by: George L. Yermulnik <yz@yz.kiev.ua>

- implemented check for signature and checksums for #160 and #290
- added test for checksum matching
- add gitattributes for windows testing. if not present the lf line endings will be converted to crlf which messes with the checksum tests.
- make public key options configurable via command line
- delete hash files after checking the signatures and checksums
- remove obsolete go.yml which is replaced with build.yml
- move default values into defaults.go
- replace unnecessary function calls with defer
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@warrensbox warrensbox

Labels
duplicate This issue or pull request already exists enhancement Refactor existing code for better performance and quality
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Checksum check for TF Binaries MatrixCrawler/terraform-switcher
4 participants
@apogrebnyak @MatrixCrawler @vikas027 @warrensbox