Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Verify downloaded binary #21

Open
findmyname666 opened this issue Jul 14, 2023 · 1 comment
Open

Verify downloaded binary #21

findmyname666 opened this issue Jul 14, 2023 · 1 comment

Comments

@findmyname666
Copy link

findmyname666 commented Jul 14, 2023
edited
Loading

It is a good security practice to "verify" downloaded binaries from the internet.
Therefore please add functionality to check the binary checksum.
For example plugin for Terraform does it.
@looztra
Copy link
Owner

looztra commented Aug 23, 2024

Good point, but from my understanding, the hashicorp plugin can do that securely as hashicorp provides a signature that can be used to verify that the checksum file is the one expected.

We could verify that the downloaded file matches the sha256sum provided, but I assume if someone would spoof the downloaded file, they would also spoof the sha256sum file.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@looztra @findmyname666