From 27262823071ef67450b532721430814f2a1a4994 Mon Sep 17 00:00:00 2001
From: findkim
Date: Thu, 21 Mar 2019 14:38:20 -0500
Subject: [PATCH] plugin/discovery: add context for provider discovery verification

---
 plugin/discovery/get.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/plugin/discovery/get.go b/plugin/discovery/get.go
index 795782d6a..5e0520e44 100644
--- a/plugin/discovery/get.go
+++ b/plugin/discovery/get.go
@@ -211,6 +211,16 @@ func (i *ProviderInstaller) Get(provider string, req Constraints) (PluginMeta, t
 providerURL := downloadURLs.DownloadURL
 
 if !i.SkipVerify {
+ // Terraform verifies the integrity of a provider release before downloading
+ // the plugin binary. The digital signature (SHA256SUMS.sig) on the
+ // release distribution (SHA256SUMS) is verified with the public key of the
+ // publisher provided in the Terraform Registry response, ensuring that
+ // everything is as intended by the publisher. The checksum of the provider
+ // plugin is expected in the SHA256SUMS file and is double checked to match
+ // the checksum of the original published release to the Registry. This
+ // enforces immutability of releases between the Registry and the plugin's
+ // host location. Lastly, the integrity of the binary is verified upon
+ // download matches the Registry and signed checksum.
 sha256, err := i.getProviderChecksum(downloadURLs)
 if err != nil {
 return PluginMeta{}, diags, err
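Review bot: The last sentence of the added comment is ungrammatical ("is verified upon download matches the Registry and signed checksum") and should read something like `// Lastly, after the binary is downloaded its checksum is verified to match the Registry's entry and the signed SHA256SUMS entry.` Most of the steps the comment describes (signature verification, the checksum cross-check, the post-download check) are performed by getProviderChecksum and by code later in Get rather than by the lines visible here, so the comment would be less misleading if it stated that it summarizes the whole verification path, e.g. `// The steps below are implemented by getProviderChecksum and the post-download check further on.` Since the publisher key comes from the Registry response itself, the comment should also say explicitly that the Registry is the trust anchor for this chain and that setting SkipVerify bypasses every one of these checks; that caveat arguably belongs on the SkipVerify field's doc comment as well. The enclosing Get method starts and ends outside this hunk.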