Does tfswitch verify the sha256sums?
Closed this issue · 2 comments
When tfswitch downloads a terraform binary, does it verify the sha256sum advertised on the hashicorp release site (https://releases.hashicorp.com/terraform)?
If yes, it would be good to advertise the same in the README.md :)
As far as I can tell it does not.
The download is done by this method -> terraform-switcher/lib/download.go (line 13 in d7dfd1b)
It is called from here and I don't see any signature verification until the method exits -> https://github.com/warrensbox/terraform-switcher/blob/master/lib/install.go#L136
I am not sure if a sha256 check will do anything to ensure a clean source. Only a signature check against a trusted key would.
It is not done here either.
Duplicates #160, will close this issue.
I already started implementing a checksum check.
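For reference, a sketch of the checksum step discussed in this thread, added here as an example and not taken from terraform-switcher or from the implementation mentioned above. It assumes a sums listing with one `<hex digest>  <file name>` pair per line; the function name, archive bytes and file name are constructed, and authenticating the sums listing itself (the signature check raised in the comments) is not shown.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// verifyChecksum (hypothetical helper) checks archive against the entry for
// name in a SHA256SUMS-style listing. It fails closed: a missing entry or a
// malformed digest is an error, never a silent pass.
func verifyChecksum(sums []byte, name string, archive []byte) error {
	sc := bufio.NewScanner(bytes.NewReader(sums))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 || fields[1] != name {
			continue // blank line or an entry for another platform
		}
		want, err := hex.DecodeString(fields[0])
		if err != nil || len(want) != sha256.Size {
			return fmt.Errorf("malformed digest for %s", name)
		}
		got := sha256.Sum256(archive)
		if subtle.ConstantTimeCompare(got[:], want) != 1 {
			return fmt.Errorf("sha256 mismatch for %s", name)
		}
		return nil
	}
	if err := sc.Err(); err != nil {
		return err
	}
	return errors.New("no checksum entry for " + name)
}

func main() {
	// Constructed sample data standing in for a downloaded release archive.
	archive := []byte("constructed stand-in for a release zip")
	name := "terraform_0.0.0_linux_amd64.zip" // placeholder version
	digest := sha256.Sum256(archive)
	sums := []byte(hex.EncodeToString(digest[:]) + "  " + name + "\n")

	fmt.Println("intact:  ", verifyChecksum(sums, name, archive))
	fmt.Println("tampered:", verifyChecksum(sums, name, append(archive, 'x')))
	fmt.Println("unlisted:", verifyChecksum(sums, "other.zip", archive))
}
```

A matching digest only shows that the archive agrees with the sums listing; if both are fetched over the same channel without the listing being authenticated, the check detects corruption but not substitution.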