HashiCorp Terraform Code Signing
Signing software has become critically important given the recent supply chain attacks. How do we verify that the software we’re downloading is …
How do we verify that the Terraform binary we download is the same as the one HashiCorp produced?
Ensuring the integrity of software matters for two reasons: it stops a malicious actor from tricking us into running a modified build of Terraform, and it catches a download that was simply corrupted in transit. Checksums are the standard tool for this. A checksum is a cryptographic hash of the file (SHA-256 in HashiCorp's case); comparing the hash of what we downloaded with the hash the publisher recorded works much like comparing fingerprints, since any change to the file produces a different value.
HashiCorp includes a checksum file with each release (for 1.1.9, terraform_1.1.9_SHA256SUMS under https://releases.hashicorp.com/terraform/1.1.9) which lists the SHA-256 digest of every archive in that release, one per line in the form <digest>  <archive name>. The Terraform binary itself is not checksummed; the zip archive that contains the binary is, so the check has to be run against the archive before it is extracted. The contents of the file look similar to the text shown below.
c902b3c12042ac1d950637c2dd72ff19139519658f69290b310f1a5924586286 terraform_1.1.9_darwin_amd64.zip
918a8684da5a5529285135f14b09766bd4eb0e8c6612a4db7c121174b4831739 terraform_1.1.9_darwin_arm64.zip
a5890d9c9f08c9160b37e3156ff2a1bc33de1db68ee942f12c4f60e8e74c8e02 terraform_1.1.9_freebsd_386.zip
c204f1ca8162feb59d39bf905d8a1d7687a72b2884d81214ced8ac327908352e terraform_1.1.9_freebsd_amd64.zip
c27e4b9d88598a55fe5dd0e79746e6b77eb582e12aaf4689935d0c16aa9ceebe terraform_1.1.9_freebsd_arm.zip
a29a5c069e1712753ed553f7c6e63f1cd35caefee73496210461c05158b836b4 terraform_1.1.9_linux_386.zip
9d2d8a89f5cc8bc1c06cb6f34ce76ec4b99184b07eb776f8b39183b513d7798a terraform_1.1.9_linux_amd64.zip
e8a09d1fe5a68ed75e5fabe26c609ad12a7e459002dea6543f1084993b87a266 terraform_1.1.9_linux_arm64.zip
800eee18651b5e552772c60fc1b5eb00cdcefddf11969412203c6de6189aa10a terraform_1.1.9_linux_arm.zip
b7b509b5a0bae6d1f7e2a61d6e4deccba41e691204148f9451efe353e15ece2d terraform_1.1.9_openbsd_386.zip
c702a8b31d90c9ced4b95e7facc8d7828f2a31453acc9fc258b9fffeda5ded52 terraform_1.1.9_openbsd_amd64.zip
704190dfb5cd923c2949787505f72227b2b090674f1c8ce941ca180d82d7a4ff terraform_1.1.9_solaris_amd64.zip
fd2b9bc7506a85f5293d0e2d12ab5ac3be34b5915f2ae7ae7dfdc178e0abad94 terraform_1.1.9_windows_386.zip
ab4df98d2256a74c151ea7ccfd69a4ad9487b4deba86a61727fb07a1348311cc terraform_1.1.9_windows_amd64.zip
To verify a download, compute the SHA-256 digest of the archive we fetched (sha256sum on Linux, shasum -a 256 on macOS) and compare it with the entry for that archive name in the SHA256SUMS file; the two must match exactly. One caveat a practitioner should keep in mind: the checksum file is fetched from the same place as the archive, so an attacker who can replace one can replace both. A matching checksum therefore proves the archive is intact and is the one the checksum file describes, but it proves the archive came from HashiCorp only if the checksum file itself is authenticated. That is what the detached signature HashiCorp publishes next to it (terraform_1.1.9_SHA256SUMS.sig, verified with HashiCorp's public PGP key) is for, and it is the step that turns a checksum check into code-signing verification.
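The comparison described above, written out as a small POSIX shell script. This is an added example and not HashiCorp's own tooling or the script from the Learn guide; the release files it checks are constructed in a temporary directory (the "archive" contents are a few bytes whose SHA-256 is a published test vector, not real Terraform zips) so that it runs offline. It assumes sha256sum or shasum is on the PATH; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not HashiCorp's code): verify a downloaded release archive
# against the entry for it in a terraform_<version>_SHA256SUMS file.
# Assumes sha256sum (GNU coreutils) or shasum (macOS/BSD) is installed.

# Print the SHA-256 hex digest of a file, using whichever tool is present.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_archive SUMSFILE ARCHIVE
#   returns 0 = digest matches the listed entry,
#           1 = digest differs (corrupted or tampered archive),
#           2 = the SUMS file has no entry for this archive name.
verify_archive() {
  sums="$1"
  archive="$2"
  name=$(basename "$archive")
  # SUMS lines are "<hex digest>  <file name>". Match the name exactly
  # rather than as a substring, so terraform_1.1.9_linux_arm.zip cannot
  # satisfy the entry for terraform_1.1.9_linux_arm64.zip.
  expected=$(awk -v n="$name" '$2 == n { print $1 }' "$sums")
  if [ -z "$expected" ]; then
    echo "no entry for $name in $sums" >&2
    return 2
  fi
  actual=$(sha256_of "$archive")
  if [ "$expected" = "$actual" ]; then
    echo "OK: $name"
    return 0
  fi
  echo "MISMATCH: $name expected $expected got $actual" >&2
  return 1
}

# Constructed sample release (not real Terraform archives): the good
# "archive" holds the bytes "abc", whose SHA-256 is the well-known test
# vector below; the arm64 one has been tampered with (one byte changed);
# the windows one is absent from the SUMS file altogether.
WORK=$(mktemp -d)
SUMS="$WORK/terraform_1.1.9_SHA256SUMS"
GOOD="$WORK/terraform_1.1.9_linux_amd64.zip"
BAD="$WORK/terraform_1.1.9_linux_arm64.zip"
UNLISTED="$WORK/terraform_1.1.9_windows_amd64.zip"
printf 'abc' > "$GOOD"
printf 'abd' > "$BAD"
printf 'abc' > "$UNLISTED"
cat > "$SUMS" <<'EOF'
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  terraform_1.1.9_linux_amd64.zip
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  terraform_1.1.9_linux_arm64.zip
EOF

# Only the first call succeeds; the other two are the cases an installer
# script must refuse to proceed on.
verify_archive "$SUMS" "$GOOD" || echo "refusing to install $(basename "$GOOD")"
verify_archive "$SUMS" "$BAD" || echo "refusing to install $(basename "$BAD")"
verify_archive "$SUMS" "$UNLISTED" || echo "refusing to install $(basename "$UNLISTED")"
```

Against a real download, point the function at the SHA256SUMS file and the zip you fetched from releases.hashicorp.com. Treat the "no entry" case as a failure too, not a skip: an archive the publisher never listed is not one the publisher vouched for. Because the script trusts the SUMS file it is given, run it only after that file's signature has been checked against HashiCorp's PGP key; otherwise a replaced archive plus a replaced checksum list would pass cleanly.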
HashiCorp Learn Guide: https://learn.hashicorp.com/tutorials/terraform/verify-archive