Terraform: Validate checksum of downloaded release
To ensure that every build gets exactly the same version/release that we
have specified.

This will guard against the unlikely events that the release has been
updated without changing the version number (accidentally or maliciously) or
our download has been MITMed.

The checksum has been taken from:

- https://releases.hashicorp.com/terraform/0.6.13/terraform_0.6.13_SHA256SUMS

This isn't perfect, as described in the following article, but it's still
good practice:

- https://micahflee.com/2016/02/backdoored-linux-mint-and-the-perils-of-checksums/
dcarley committed Apr 29, 2016
1 parent 8996330 commit a5a48d2
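The commit message above describes the pinned-digest check in prose; the following is an added shell example, not code from the commit or the repository, showing the same `echo "<sum>  <file>" | sha256sum -c -` idiom wrapped in a function, plus a helper that extracts one artifact's digest from a coreutils-style SHA256SUMS file (the kind the commit message links) so the value to pin can be read mechanically at pin time rather than copied by hand. Every file, artifact name and digest below is constructed locally; nothing is downloaded, and the `release_0.0.0_*` names are placeholders.

```shell
#!/bin/sh
# Added example (not part of the commit): pinned SHA-256 verification of a
# downloaded artifact, plus a lookup helper for a SHA256SUMS file.
# All inputs are constructed here so the script runs offline.
set -u

# verify_sha256 FILE EXPECTED_HEX
# Exit status 0 when FILE hashes to EXPECTED_HEX, non-zero otherwise.
# Both GNU coreutils and BusyBox sha256sum accept this line format, and under
# `set -e` a mismatch aborts the caller, which is what a Dockerfile RUN wants.
verify_sha256() {
    echo "$2  $1" | sha256sum -c - >/dev/null 2>&1
}

# digest_from_sums SUMS_FILE ARTIFACT_NAME
# Prints the digest recorded for ARTIFACT_NAME. Fails unless exactly one line
# names that artifact, so a truncated or duplicated SUMS file is not trusted.
# A leading '*' on the name (coreutils binary-mode marker) is tolerated.
digest_from_sums() {
    matches=$(awk -v n="$2" '{ f = $2; sub(/^\*/, "", f); if (f == n) print $1 }' "$1")
    [ "$(printf '%s\n' "$matches" | grep -c .)" -eq 1 ] || return 1
    printf '%s\n' "$matches"
}

# Constructed fixture: a stand-in "release" archive, a tampered copy with one
# extra line appended, and a SHA256SUMS listing the release beside another entry.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
RELEASE="$DEMO_DIR/release_0.0.0_linux_amd64.zip"
TAMPERED="$DEMO_DIR/release_0.0.0_linux_amd64.tampered.zip"
SUMS="$DEMO_DIR/SHA256SUMS"
printf 'stand-in archive contents\n' > "$RELEASE"
{ cat "$RELEASE"; printf 'one extra line changes the digest\n'; } > "$TAMPERED"
GOOD_SUM=$(sha256sum "$RELEASE" | cut -d' ' -f1)
OTHER_SUM=$(printf 'unrelated artifact' | sha256sum | cut -d' ' -f1)
printf '%s  release_0.0.0_linux_amd64.zip\n' "$GOOD_SUM" > "$SUMS"
printf '%s  release_0.0.0_darwin_amd64.zip\n' "$OTHER_SUM" >> "$SUMS"

# Scenarios a build would hit; each returns 0 on the outcome its name states.
pinned_sum_matches()     { verify_sha256 "$RELEASE" "$GOOD_SUM"; }
tampered_file_rejected() { ! verify_sha256 "$TAMPERED" "$GOOD_SUM"; }
sums_lookup_works()      { [ "$(digest_from_sums "$SUMS" release_0.0.0_linux_amd64.zip)" = "$GOOD_SUM" ]; }
missing_entry_rejected() { ! digest_from_sums "$SUMS" release_0.0.0_windows_amd64.zip >/dev/null; }

# Stand-alone run: report each scenario (ok / FAIL).
for check in pinned_sum_matches tampered_file_rejected sums_lookup_works missing_entry_rejected; do
    if "$check"; then echo "ok   $check"; else echo "FAIL $check"; fi
done
```

The Dockerfile pins the digest as a constant in the image definition, which is stronger than fetching SHA256SUMS from the same host at build time: a downloaded sums file would be swapped along with the artifact by anyone who can alter the origin or the transit path. `digest_from_sums` is therefore meant for the moment of pinning (reading the value to put into `TERRAFORM_SUM`), not for the build itself.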
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions terraform/Dockerfile
@@ -2,6 +2,7 @@ FROM alpine:3.3

ENV PATH $PATH:/usr/local/bin
ENV TERRAFORM_VER 0.6.13
ENV TERRAFORM_SUM 8eeddca53958d5c871de93a624eb0f5971f97cbaf107e0b2d1cc289f2ac21b79
ENV TERRAFORM_ZIP terraform_${TERRAFORM_VER}_linux_amd64.zip
ENV BINARY_WHITELIST \
terraform \
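Review bot: the added TERRAFORM_SUM is only valid for the exact TERRAFORM_VER and the linux_amd64 archive named by TERRAFORM_ZIP, but nothing in the file records that coupling; a comment beside the two ENV lines stating where the value came from (the SHA256SUMS file cited in the commit message) and that both must be updated together would prevent a future version bump from leaving a stale digest, or, worse, from someone clearing the resulting build failure by pasting whatever sum the server serves at that moment without checking it. Since the digest was copied from the same origin as the download, the pin protects against a later swap of the artifact and against tampering in transit, not against the origin being wrong at pin time, which the commit message already acknowledges.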
@@ -17,5 +18,6 @@ ENV BINARY_WHITELIST \
RUN apk add --update openssl openssh-client ca-certificates && rm -rf /var/cache/apk/*
RUN set -ex \
&& wget https://releases.hashicorp.com/terraform/${TERRAFORM_VER}/${TERRAFORM_ZIP} -O /tmp/${TERRAFORM_ZIP} \
&& echo "${TERRAFORM_SUM} /tmp/${TERRAFORM_ZIP}" | sha256sum -c - \
&& unzip /tmp/${TERRAFORM_ZIP} -d /usr/local/bin ${BINARY_WHITELIST} \
&& rm /tmp/${TERRAFORM_ZIP}
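Review bot: the added `sha256sum -c` step sits in the right place, before unzip reads the archive, and because sha256sum is the last command in the pipe its non-zero exit status under `set -e` aborts the whole RUN, so a mismatch fails the image build instead of producing an image with an unverified binary; a one-line comment above the RUN stating that intent would make the behaviour obvious to the next reader. Note that the digest covers the entire zip, so the BINARY_WHITELIST argument to unzip only limits what is extracted and plays no part in the verification, and that with `-x` the expanded URL and digest line already appear in the build log, which is where a mismatch will surface.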
