Verify Downloads Checksum & Signature
Closed this issue · 0 comments
markmsmith commented
Due to the increasing frequency of supply chain attacks, it would be nice if tfswitch verified the checksums and GPG signatures of Terraform when it downloads it for the first time, as described here:
https://www.hashicorp.com/security#template-page-security:~:text=Release%20Archive%20Checksum%20Verification
Here's some example bash code that may provide a useful starting point for doing the equivalent in Go:
https://gist.github.com/markmsmith/cda59d5f24a812bea66fb3dbd7612397
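The checksum half of the request above, sketched in Go as an added example (not code from this issue, the linked gist, or tfswitch). It assumes the SHA256SUMS text has already been authenticated against its detached GPG signature, which this block does not do; `VerifyArchive`, `expectedDigest`, the error names and `example.zip` are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strings"
)

var ErrNoEntry, ErrMismatch = errors.New("no valid SHA256SUMS entry for archive"), errors.New("archive digest mismatch")

// expectedDigest returns the digest listed for exactly name in "<hex>  <filename>" lines,
// so a look-alike file name in the same list is never selected.
func expectedDigest(sums, name string) ([]byte, error) {
	for _, line := range strings.Split(sums, "\n") {
		if f := strings.Fields(line); len(f) == 2 && f[1] == name {
			if d, err := hex.DecodeString(f[0]); err == nil && len(d) == sha256.Size {
				return d, nil
			}
			break // listed but malformed: fail closed
		}
	}
	return nil, ErrNoEntry
}

// VerifyArchive hashes the archive as a stream and fails closed on any problem.
func VerifyArchive(archive io.Reader, sums, name string) error {
	want, err := expectedDigest(sums, name)
	if err != nil {
		return err
	}
	h := sha256.New()
	if _, err := io.Copy(h, archive); err != nil {
		return err
	}
	if !bytes.Equal(h.Sum(nil), want) {
		return ErrMismatch
	}
	return nil
}

func main() {
	data := []byte("constructed bytes") // constructed sample, not a real release
	sums := fmt.Sprintf("%x  example.zip\n", sha256.Sum256(data))
	fmt.Println(VerifyArchive(bytes.NewReader(data), sums, "example.zip"))
	fmt.Println(VerifyArchive(strings.NewReader("tampered"), sums, "example.zip"))
}
```

A caller would run this before unpacking or installing the archive and delete the download on any non-nil error.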