HashiCorp Terraform Checksum Verification

How do we verify that the Terraform binary we download is the same as the one HashiCorp produced?

Ensuring the integrity of software helps prevent a malicious actor from tricking us into using a modified version of Terraform, and it confirms that the version we’re using isn’t corrupted. Checksums are used when there is a need to verify the integrity of software or data. The checksum process compares hashes of the software, much as fingerprints are used for verification.

Verifying the Terraform binary’s integrity

HashiCorp includes a checksum file with their releases (https://releases.hashicorp.com/terraform/1.1.9) which contains the checksums for each of the archives associated with a given release. The Terraform binary itself does not include a checksum, but the archive that includes the binary is checksummed. The contents of the file look similar to the text shown below.

c902b3c12042ac1d950637c2dd72ff19139519658f69290b310f1a5924586286  terraform_1.1.9_darwin_amd64.zip
918a8684da5a5529285135f14b09766bd4eb0e8c6612a4db7c121174b4831739  terraform_1.1.9_darwin_arm64.zip
a5890d9c9f08c9160b37e3156ff2a1bc33de1db68ee942f12c4f60e8e74c8e02  terraform_1.1.9_freebsd_386.zip
c204f1ca8162feb59d39bf905d8a1d7687a72b2884d81214ced8ac327908352e  terraform_1.1.9_freebsd_amd64.zip
c27e4b9d88598a55fe5dd0e79746e6b77eb582e12aaf4689935d0c16aa9ceebe  terraform_1.1.9_freebsd_arm.zip
a29a5c069e1712753ed553f7c6e63f1cd35caefee73496210461c05158b836b4  terraform_1.1.9_linux_386.zip
9d2d8a89f5cc8bc1c06cb6f34ce76ec4b99184b07eb776f8b39183b513d7798a  terraform_1.1.9_linux_amd64.zip
e8a09d1fe5a68ed75e5fabe26c609ad12a7e459002dea6543f1084993b87a266  terraform_1.1.9_linux_arm64.zip
800eee18651b5e552772c60fc1b5eb00cdcefddf11969412203c6de6189aa10a  terraform_1.1.9_linux_arm.zip
b7b509b5a0bae6d1f7e2a61d6e4deccba41e691204148f9451efe353e15ece2d  terraform_1.1.9_openbsd_386.zip
c702a8b31d90c9ced4b95e7facc8d7828f2a31453acc9fc258b9fffeda5ded52  terraform_1.1.9_openbsd_amd64.zip
704190dfb5cd923c2949787505f72227b2b090674f1c8ce941ca180d82d7a4ff  terraform_1.1.9_solaris_amd64.zip
fd2b9bc7506a85f5293d0e2d12ab5ac3be34b5915f2ae7ae7dfdc178e0abad94  terraform_1.1.9_windows_386.zip
ab4df98d2256a74c151ea7ccfd69a4ad9487b4deba86a61727fb07a1348311cc  terraform_1.1.9_windows_amd64.zip

In this case we’ll compute the checksum of the downloaded archive and compare it with the corresponding entry in the checksum file to see if the two match.
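The comparison described above, as an added example that is not part of the original post or HashiCorp's tooling: it parses the checksum file format shown earlier, hashes the archive with SHA-256, and refuses to pass an archive that has no entry. The function names and the stand-in file contents are assumptions, and the check assumes the checksum file itself came from a trusted source.

```python
import hashlib
import hmac
import os
import tempfile


def parse_sums(text):
    """Parse 'HEX  filename' lines (sha256sum format) into {filename: hex}."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 64:
            # A leading '*' on the name marks binary mode in sha256sum output.
            entries[parts[1].strip().lstrip("*")] = parts[0].lower()
    return entries


def sha256_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so large archives are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_archive(archive_path, sums_text):
    """Return True only if the archive's hash equals its listed checksum."""
    name = os.path.basename(archive_path)
    expected = parse_sums(sums_text).get(name)
    if expected is None:
        raise KeyError(f"no checksum listed for {name}")
    return hmac.compare_digest(sha256_file(archive_path), expected)


def demo():
    """Constructed sample: a stand-in file, not a real Terraform archive."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "terraform_1.1.9_linux_amd64.zip")
        with open(path, "wb") as f:
            f.write(b"constructed sample bytes")
        sums = f"{sha256_file(path)}  terraform_1.1.9_linux_amd64.zip\n"
        ok = verify_archive(path, sums)
        with open(path, "ab") as f:
            f.write(b"tampered")  # any change to the archive alters the hash
        return ok, verify_archive(path, sums)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

A missing entry raises an error instead of returning False, so a renamed or unlisted archive cannot be mistaken for a verified one.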

Additional Resources

HashiCorp Learn Guide: https://learn.hashicorp.com/tutorials/terraform/verify-archive
