Closed spodkowinski closed 8 years ago
This feels more secured...
I don’t totally get this. There is an advantage in checking the SHA256 sum, I agree, but once you have the Git repository, you can also check if your working copy was modified. If yes, just reset and you have the key again. If you don’t trust Ansible Galaxy or another distribution mechanism for the role to deliver an unmodified version, having the SHA256 sum in the delivered file won’t really protect you. The only actual advantage I see is that it is easier to verify the SHA256 sum directly from the defaults file than manually hashing the file in your copy of the role and comparing the checksum with the web.
However, I might be wrong here – so I’m open to changing it to downloading instead of delivery from the local machine.
Although I'm pretty sure you're a trustworthy guy, I'd hesitate to use the provided cert without checking its authenticity. This would involve finding the download URL, downloading the cert from letsencrypt.org and comparing/replacing the provided cert. It's just effort you can avoid by downloading the cert on the host.
You’re right, after consulting my pillow on this matter I realized that it makes more sense to use the original + checksum. I’ll test and merge this one soon.
Fixes #7
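The approach the thread settles on (fetch the original file on the host and pin its SHA256 digest) is what Ansible's `get_url` module does natively with its `checksum` parameter. The playbook below is an added example, not code from this role or its author; the certificate URL, destination path and digest are placeholders, and the variable names are assumptions for illustration.

```yaml
# Added example, not part of the role under discussion.
# Downloads the certificate on the managed host and lets Ansible verify the
# SHA256 digest before the file is put in place. All values are placeholders.
- hosts: all
  become: true
  vars:
    # Placeholder URL: point this at the certificate published on letsencrypt.org.
    letsencrypt_cert_url: "https://letsencrypt.org/certs/PLACEHOLDER.pem"
    # Placeholder digest: replace with the SHA256 value published for that file.
    letsencrypt_cert_sha256: "0000000000000000000000000000000000000000000000000000000000000000"
    letsencrypt_cert_dest: /etc/ssl/certs/letsencrypt-placeholder.pem
  tasks:
    - name: Download certificate and verify its SHA256 digest
      get_url:
        url: "{{ letsencrypt_cert_url }}"
        dest: "{{ letsencrypt_cert_dest }}"
        # get_url compares the downloaded content against this digest and fails
        # the task (leaving any existing file untouched) on a mismatch.
        checksum: "sha256:{{ letsencrypt_cert_sha256 }}"
        owner: root
        group: root
        mode: "0644"

    # Re-running the play also re-checks a file that is already on the host:
    # if the file at dest matches the digest, nothing is downloaded; if it has
    # been tampered with, it is fetched again and verified before replacement.
    - name: Record the digest of the installed certificate for later inspection
      stat:
        path: "{{ letsencrypt_cert_dest }}"
        checksum_algorithm: sha256
      register: installed_cert

    - name: Fail if the installed certificate does not match the pinned digest
      assert:
        that:
          - installed_cert.stat.checksum == letsencrypt_cert_sha256
        fail_msg: "Installed certificate digest does not match the pinned SHA256 value"
```

The pinned digest lives in the role's defaults (as the thread proposes), while the certificate itself never ships with the role, so a tampered role copy can at most change the expected digest, which is easy to compare against the value published upstream.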