docker-hub-images

Use the local sha256hash

Open jon-r-marston opened this issue 5 years ago • 1 comments

Forgive me if I'm being a plonker, but doesn't it make more sense to use the locally stored sha256hash to verify the .zip file?

If the remote file repo has been compromised then it makes sense that the nefarious individual involved might also alter the hash file to match their new version of the file.

If you're only protecting against corrupt downloads, then admittedly, the original method would suffice.

jon-r-marston, Apr 22 '20 08:04
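The difference between the two checks raised in the issue above, as an added example that is not part of the original issue or the project's code: it compares a checksum list served next to the download with a hash pinned in the build recipe. The file names `tool.zip` and `SHA256SUMS`, the function names, and all file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: constructed files only, no network access.

# Print the SHA-256 of a file as lowercase hex.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Check a file against a checksum list fetched from the same place as the file.
# $1 = file, $2 = checksum list ("<hex>  <name>" lines)
verify_remote() {
    want=$(awk -v n="$(basename "$1")" '$2 == n { print $1 }' "$2")
    [ -n "$want" ] && [ "$(sha256_of "$1")" = "$want" ]
}

# Check a file against a hash pinned in the build recipe itself.
# $1 = file, $2 = pinned hex digest
verify_pinned() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Simulate the scenario and report both results as "remote=<r> pinned=<p>".
# $1 = "clean" or "compromised"
simulate() {
    dir=$(mktemp -d)
    printf 'release contents\n' > "$dir/good.zip"
    pinned=$(sha256_of "$dir/good.zip")   # recorded when the recipe was written
    cp "$dir/good.zip" "$dir/tool.zip"
    if [ "$1" = "compromised" ]; then
        printf 'altered contents\n' > "$dir/tool.zip"
    fi
    # Whoever controls the repo can regenerate the checksum list to match.
    printf '%s  tool.zip\n' "$(sha256_of "$dir/tool.zip")" > "$dir/SHA256SUMS"
    r=fail; p=fail
    verify_remote "$dir/tool.zip" "$dir/SHA256SUMS" && r=pass
    verify_pinned "$dir/tool.zip" "$pinned" && p=pass
    rm -rf "$dir"
    echo "remote=$r pinned=$p"
}
```

`simulate compromised` reports that the remote checksum list still validates the altered file while the pinned hash rejects it; the cost of pinning is that the recipe must be updated with each new release.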

CLA assistant check
All committers have signed the CLA.

hashicorp-cla, Apr 22 '20 08:04