Provider has incorrect checksum when downloaded from GitHub (darwin/arm64)

[niclic]

Datadog Terraform Provider Version

v3.39.0

Terraform Version

1.8.3

What resources or data sources are affected?

• DataDog provider

Terraform Configuration Files

terraform {
  required_providers {
    datadog = {
      source = "DataDog/datadog"
    }
  }
}

Relevant debug or panic output

terraform init
# Initializing the backend...

# Initializing provider plugins...
# - Finding latest version of datadog/datadog...
# - Installing datadog/datadog v3.39.0...
# ╷
# │ Error: Failed to install provider
# │
# │ Error while installing datadog/datadog v3.39.0: archive has incorrect checksum zh:3a5613917fdea83288d2ecff9543b15f6989771505549519297d9d630a8367f7
# │ (expected zh:e1338c712edb4a87b7ebeb9bd4f7ae72dc3b7574fdac45bc8e2d0cef784e0597)

Expected Behavior

• Checksum should match what is published in the registry.

Actual Behavior

• Provider has incorrect checksum when downloaded from GitHub.

Steps to Reproduce

1. Get provider details for os and arch.

# get provider details from registry
curl -s https://registry.terraform.io/v1/providers/datadog/datadog/3.39.0/download/darwin/amd64 | jq

# download checksum list from specified shasums_url
wget -q https://github.com/DataDog/terraform-provider-datadog/releases/download/v3.39.0/terraform-provider-datadog_3.39.0_SHA256SUMS

# get the checksum for this os and arch
cat terraform-provider-datadog_3.39.0_SHA256SUMS | grep terraform-provider-datadog_3.39.0_darwin_arm64.zip
# e1338c712edb4a87b7ebeb9bd4f7ae72dc3b7574fdac45bc8e2d0cef784e0597  terraform-provider-datadog_3.39.0_darwin_arm64.zip

2. Download provider from GitHub - FAILED.

This is where terraform init looks to download the provider from. When reviewing debug output, I notice that other providers are downloaded from https://releases.hashicorp.com.

# download provider from specified download_url
wget -q  https://github.com/DataDog/terraform-provider-datadog/releases/download/v3.39.0/terraform-provider-datadog_3.39.0_darwin_arm64.zip

# get checksum
shasum --algorithm 256 terraform-provider-datadog_3.39.0_darwin_arm64.zip
# 3a5613917fdea83288d2ecff9543b15f6989771505549519297d9d630a8367f7  terraform-provider-datadog_3.39.0_darwin_arm64.zip

# validate checksum
shasum --algorithm 256 --check terraform-provider-datadog_3.39.0_SHA256SUMS
# ...
# terraform-provider-datadog_3.39.0_darwin_arm64.zip: FAILED
# shasum: WARNING: 1 computed checksum did NOT match

4. Download provider from https://releases.hashicorp.com - OK.

# download provider directly from releases.hashicorp.com
rm -rf terraform-provider-datadog_3.39.0_darwin_arm64.zip && \
wget -q https://releases.hashicorp.com/terraform-provider-datadog/3.39.0/terraform-provider-datadog_3.39.0_darwin_arm64.zip -O terraform-provider-datadog_3.39.0_darwin_arm64.zip

# get checksum
shasum --algorithm 256 terraform-provider-datadog_3.39.0_darwin_arm64.zip
# e1338c712edb4a87b7ebeb9bd4f7ae72dc3b7574fdac45bc8e2d0cef784e0597  terraform-provider-datadog_3.39.0_darwin_arm64_v2.zip

# validate checksum
shasum --algorithm 256 --check terraform-provider-datadog_3.39.0_SHA256SUMS
# terraform-provider-datadog_3.39.0_darwin_arm64.zip: OK

Important Factoids

• We recently moved to new company laptops (Apple M1) and are now running behind a strict corporate firewall with some restrictions on GitHub.
• However, firewall team has confirmed there were no issues reported in their logs and their is no modification of archives happening.
• No issues on previous laptops (Apple Intel).

References

No response

[niclic]

Got my hands on a different M1 laptop that is not connected to the network and confirmed that the checksums do match. This is clearly a local issue where the archives are being manipulated somehow during download. We have asked the security teams here to investigate.