databricks / terraform-provider-databricks

Databricks Terraform Provider
https://registry.terraform.io/providers/databricks/databricks/latest

[ISSUE] Checksum changed for 1.47.0? #3660

Closed ghost closed 2 months ago

ghost commented 2 months ago

Hey folks, OpenTofu maintainer here. We received a complaint from a user that the checksum for Linux/AMD64 version 1.47.0 changed from c89f9dcd0b6159d3f15e74083c0e71dc7d799ed8ae61385b5962c8394314b684 to a4b2ebf71205365d3d30be4f288c100359a81c40da9f37e23947c9dea3521b3c and they are unable to install the provider.

Can someone with a visible org membership in the Databricks GitHub organization please confirm that this is not a supply chain attack and we are safe to reindex the provider? (We treat versions as soft-immutable to protect against supply chain attacks.)

(Also, if I may ask for an additional favor, could you please submit your public GPG key here so we can verify the binaries in the future?)

pietern commented 2 months ago

Hi! It is possible they observed a different hash for a very brief time window (max 15 mins). We had to run the release twice because the goreleaser action was broken (action log). The hashes you mention are both listed in the two separate job runs of goreleaser, so they are both expected.

We can submit our GPG key.

Thanks for raising this!

oliverangelil commented 2 months ago

Issue continues to pop up right now. Experiencing the same in two separate and independent VMs.

ghost commented 2 months ago

Thanks for confirming @pietern, I'll trigger the reindex shortly. Re: grace period that is not possible with our current architecture because we don't request permissions from provider authors to set up webhooks, but I opened an issue (please 👍 it) that would let provider authors request reindexing.
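The "soft-immutable" handling discussed in this thread, sketched as an added example (not OpenTofu registry code and not from any participant): the first hash indexed for a provider/version/platform is pinned, a different hash is held for review, and the pin changes only after an explicit approval. The class and method names, the `approved_by` parameter and the artifact bytes are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


class ChecksumChanged(Exception):
    """An already-indexed version now has a different artifact hash."""


@dataclass
class SoftImmutableIndex:
    """Hypothetical index: the first-seen hash wins unless a change is approved."""
    pins: dict = field(default_factory=dict)   # (provider, version, platform) -> sha256 hex
    audit: list = field(default_factory=list)  # (key, old_hash, new_hash, reason)

    def index(self, key, artifact: bytes, approved_by=None) -> str:
        digest = hashlib.sha256(artifact).hexdigest()
        recorded = self.pins.get(key)
        if recorded is None:
            self.pins[key] = digest
            self.audit.append((key, None, digest, "first-seen"))
        elif not hmac.compare_digest(recorded, digest):
            if approved_by is None:
                # Fail closed: keep the old pin and report both hashes for review.
                raise ChecksumChanged(f"{key}: recorded {recorded}, observed {digest}")
            self.pins[key] = digest
            self.audit.append((key, recorded, digest, f"reindex approved by {approved_by}"))
        return digest

    def verify(self, key, artifact: bytes) -> bool:
        """Client-side check: does a download match the indexed hash?"""
        recorded = self.pins.get(key)
        digest = hashlib.sha256(artifact).hexdigest()
        return recorded is not None and hmac.compare_digest(recorded, digest)


if __name__ == "__main__":
    key = ("databricks/databricks", "1.47.0", "linux_amd64")
    # Constructed stand-ins for the outputs of two separate release job runs.
    run1 = b"constructed artifact: first release job run"
    run2 = b"constructed artifact: second release job run"
    idx = SoftImmutableIndex()
    idx.index(key, run1)
    try:
        idx.index(key, run2)          # re-published build, no approval yet
    except ChecksumChanged as exc:
        print("held for review:", exc)
    idx.index(key, run2, approved_by="maintainer (placeholder)")
    print(idx.verify(key, run2), idx.verify(key, run1))
```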

oliverangelil commented 2 months ago

Fixed now. Thanks for the impressive turnaround time, both!