rapid7-cookbooks / nexpose

This cookbook installs Nexpose

Fetch nexpose installer artifact over HTTPS instead of HTTP #46

Open philsnow opened 6 years ago

philsnow commented 6 years ago

After fetching this URI the recipe runs it as root. Short of verifying the integrity of the installer in some way, the installer should be downloaded over HTTPS at the least.

Note that there's a checksum directive in the remote_file, but that doesn't do what you might think it does: instead of verifying that the downloaded artifact has the expected checksum, it just uses the checksum as a hint to tell whether to re-download the file.

rhass commented 6 years ago

:+1: :shipit:

Note, checksum will throw an error if there is a checksum mismatch.

philsnow commented 6 years ago

> Note, checksum will throw an error if there is a checksum mismatch.

I can't find the code that raises any such error in chef 12.12 or HEAD. The description of checksum re remote_file on https://docs.chef.io/resource_remote_file.html says

> The SHA-256 checksum of the file. Use to prevent a file from being re-downloaded. When the local file matches the checksum, the chef-client does not download it.

I'd be very interested if you can point out where in chef there's an error thrown if the listed checksum doesn't match the checksum of the bytes that get downloaded by the remote_file resource.
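The two checksum semantics debated in this thread, plus the HTTPS-only source check the PR title asks for, as an added plain-Ruby illustration (not code from the nexpose cookbook or from Chef, and `ChecksumMismatch`, `ensure_https!`, `needs_download?` and `verify_download!` are hypothetical names; it runs offline on constructed installer bytes):

```ruby
require "digest"
require "tempfile"
require "uri"

# Hypothetical exception for a digest mismatch on freshly fetched bytes.
class ChecksumMismatch < StandardError; end

# Refuse any source URI that is not HTTPS: the artifact is later run as root,
# so a plain-HTTP fetch leaves it exposed to on-path tampering.
def ensure_https!(source)
  uri = URI.parse(source)
  raise ArgumentError, "refusing non-HTTPS source: #{source}" unless uri.scheme == "https"
  uri
end

def sha256_of(path)
  Digest::SHA256.file(path).hexdigest
end

# "Hint" semantics: the checksum only decides whether an existing local copy is
# current, so a matching file skips the download. Bytes fetched later are not
# checked by this function at all.
def needs_download?(local_path, expected_sha256)
  return true unless File.exist?(local_path)
  sha256_of(local_path) != expected_sha256.downcase
end

# "Verify" semantics: compare the bytes that were actually fetched against the
# pinned digest and refuse to proceed on mismatch.
def verify_download!(fetched_path, expected_sha256)
  actual = sha256_of(fetched_path)
  return actual if actual == expected_sha256.downcase
  raise ChecksumMismatch, "expected #{expected_sha256[0, 8]}..., got #{actual[0, 8]}..."
end

# Constructed demo: fake "installer" bytes written to tempfiles, no network.
def demo
  good = Tempfile.new("installer"); good.write("#!/bin/sh\necho genuine installer\n"); good.flush
  bad  = Tempfile.new("installer"); bad.write("#!/bin/sh\necho tampered installer\n"); bad.flush
  pinned = sha256_of(good.path) # the digest an operator would pin in the recipe
  result = { https_ok: ensure_https!("https://example.invalid/installer.bin").scheme,
             skip_when_current: !needs_download?(good.path, pinned),
             genuine_verifies: verify_download!(good.path, pinned) == pinned }
  begin
    verify_download!(bad.path, pinned)
    result[:tampered_rejected] = false
  rescue ChecksumMismatch
    result[:tampered_rejected] = true
  end
  result
end
```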