ansible / mazer

Experimental Ansible Galaxy Content Manager
GNU General Public License v3.0

Implement collection artifact checksum validation #201

Closed alikins closed 5 years ago

alikins commented 5 years ago

Feature Request

Use Case

Currently, there is no way to verify a downloaded ansible collection artifact is the artifact that was intended, or to verify it hasn't been corrupted or manipulated. There is a detached sha256sum of the artifact calculated and included on 'mazer publish', so that should be exposed in Galaxy API and used by mazer.

alikins commented 5 years ago

Partially implemented by https://github.com/ansible/mazer/pull/277

277 implements checking the sha256 of the downloaded artifact against an expected sha256 that was provided by the galaxy REST API.

alikins commented 5 years ago

Split the checksum and signature aspects of this feature request into this issue and #278

alikins commented 5 years ago

This is fixed by #277. Closing.
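
The check described in this thread, as an added example that is not code from mazer or from PR #277: hash the downloaded artifact in chunks and compare the result with the expected sha256 before anything is unpacked. The function names and the sample artifact are constructed for illustration, and nothing is assumed about how the Galaxy REST API exposes the digest.

```python
import hashlib
import hmac
import os
import re
import tempfile

_SHA256_HEX = re.compile(r"[0-9a-f]{64}")

class ChecksumMismatch(Exception):
    """Raised when an artifact's digest differs from the expected one."""

def sha256_of_file(path, chunk_size=64 * 1024):
    """Hash the file in chunks so large archives are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_artifact(path, expected_sha256):
    """Return the digest if it matches; raise before anything is unpacked."""
    expected = (expected_sha256 or "").strip().lower()
    # A missing or malformed expected value must fail closed, never skip the check.
    if not _SHA256_HEX.fullmatch(expected):
        raise ValueError("expected sha256 is missing or not 64 hex characters")
    actual = sha256_of_file(path)
    if not hmac.compare_digest(actual, expected):
        raise ChecksumMismatch(f"{path}: expected {expected}, got {actual}")
    return actual

def make_sample_artifact(data=b"constructed sample collection artifact\n"):
    """Write constructed bytes to a temp file standing in for a download."""
    fd, path = tempfile.mkstemp(suffix=".tar.gz")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path, hashlib.sha256(data).hexdigest()

if __name__ == "__main__":
    path, published = make_sample_artifact()
    print("verified:", verify_artifact(path, published))
    with open(path, "ab") as f:
        f.write(b"x")  # simulate corruption after publish
    try:
        verify_artifact(path, published)
    except ChecksumMismatch as exc:
        print("rejected:", exc)
    os.remove(path)
```

A digest served by the same API that serves the artifact detects corruption and mismatched downloads; authenticity is the signature aspect that the thread split into #278.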