plugin/discovery: add context for provider discovery verification

findkim 2019-03-21 14:38:20 -05:00
parent 1a32617d5e
commit 2726282307
1 changed files with 10 additions and 0 deletions


@ -211,6 +211,16 @@ func (i *ProviderInstaller) Get(provider string, req Constraints) (PluginMeta, t
providerURL := downloadURLs.DownloadURL providerURL := downloadURLs.DownloadURL
if !i.SkipVerify { if !i.SkipVerify {
// Terraform verifies the integrity of a provider release before downloading
// the plugin binary. The digital signature (SHA256SUMS.sig) on the
// release distribution (SHA256SUMS) is verified with the public key of the
// publisher provided in the Terraform Registry response, ensuring that
// everything is as intended by the publisher. The checksum of the provider
// plugin is expected in the SHA256SUMS file and is double checked to match
// the checksum of the original published release to the Registry. This
// enforces immutability of releases between the Registry and the plugin's
// host location. Lastly, the integrity of the binary is verified upon
// download matches the Registry and signed checksum.
sha256, err := i.getProviderChecksum(downloadURLs) sha256, err := i.getProviderChecksum(downloadURLs)
if err != nil { if err != nil {
return PluginMeta{}, diags, err return PluginMeta{}, diags, err
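Review bot: The last sentence of the added comment does not parse ("the integrity of the binary is verified upon download matches the Registry and signed checksum"), which leaves the final step of the verification chain the least clear; I would write `// host location. Lastly, the checksum of the downloaded binary is verified` followed by `// against both the Registry checksum and the signed SHA256SUMS entry.` Because the comment sits inside `if !i.SkipVerify`, it should also say what the flag gives up, for example `// None of these checks run when SkipVerify is set.` The opening "before downloading the plugin binary" and the closing "upon download" read as contradictory; presumably the signature and SHA256SUMS checks happen first and the binary hash is compared after the download, and the comment could state that order explicitly. The `if` block and the rest of Get continue outside the hunk, so the code that performs each step is not visible here.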