search

terraform-linters / tflint-ruleset-aws

TFLint ruleset for terraform-provider-aws
Mozilla Public License 2.0
327 stars 71 forks source link

Installation failure—macOS—Failed to verify checksums #174

Closed bgshacklett closed 2 years ago

bgshacklett commented 3 years ago

When following the directions in the README, I'm getting an error stating that there was a checksum mismatch.

.tflint.hcl:

plugin "aws" {
    enabled = true
    version = "0.7.0"
    source  = "github.com/terraform-linters/tflint-ruleset-aws"
}

tflint --init output:

❯ TFLINT_LOG=debug tflint --init
12:25:43 config.go:105: [INFO] Load config: .tflint.hcl
12:25:43 config.go:324: [DEBUG] Config loaded
12:25:43 config.go:325: [DEBUG]   Module: false
12:25:43 config.go:326: [DEBUG]   Force: false
12:25:43 config.go:327: [DEBUG]   IgnoreModules: map[string]bool{}
12:25:43 config.go:328: [DEBUG]   Varfiles: []string{}
12:25:43 config.go:329: [DEBUG]   Variables: []string{}
12:25:43 config.go:330: [DEBUG]   DisabledByDefault: false
12:25:43 config.go:331: [DEBUG]   Rules: map[string]*tflint.RuleConfig{}
12:25:43 config.go:332: [DEBUG]   Plugins: map[string]*tflint.PluginConfig{"aws":(*tflint.PluginConfig)(0xc0000c8080)}
Installing `aws` plugin...
12:25:43 install.go:80: [DEBUG] Mkdir plugin dir: /Users/brian.shacklett/.tflint.d/plugins/github.com/terraform-linters/tflint-ruleset-aws/0.7.0
12:25:43 install.go:153: [DEBUG] Request to https://api.github.com/repos/terraform-linters/tflint-ruleset-aws/releases/tags/v0.7.0
12:25:44 install.go:160: [DEBUG] asset found: checksums.txt
12:25:44 install.go:160: [DEBUG] asset found: checksums.txt.sig
12:25:44 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_darwin_amd64.zip
12:25:44 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_darwin_arm64.zip
12:25:44 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_freebsd_386.zip
12:25:44 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_freebsd_amd64.zip
12:25:44 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_freebsd_arm.zip
12:25:44 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_freebsd_arm64.zip
12:25:44 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_linux_386.zip
12:25:44 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_linux_amd64.zip
12:25:44 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_linux_arm.zip
12:25:44 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_linux_arm64.zip
12:25:44 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_netbsd_386.zip
12:25:44 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_netbsd_amd64.zip
12:25:44 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_netbsd_arm.zip
12:25:44 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_openbsd_386.zip
12:25:44 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_openbsd_amd64.zip
12:25:44 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_openbsd_arm.zip
12:25:44 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_openbsd_arm64.zip
12:25:44 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_windows_386.zip
12:25:44 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_windows_amd64.zip
12:25:44 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_windows_arm.zip
12:25:44 install.go:90: [DEBUG] Download checksums.txt
12:25:44 install.go:176: [DEBUG] Request to https://api.github.com/repos/terraform-linters/tflint-ruleset-aws/releases/assets/43504208
12:25:44 install.go:194: [DEBUG] Downloaded to /var/folders/w3/llk_25v55mn1wk78cwbz66qm0000gq/T/tflint-download-temp-file-255622989
12:25:44 install.go:101: [DEBUG] Download checksums.txt.sig
12:25:44 install.go:176: [DEBUG] Request to https://api.github.com/repos/terraform-linters/tflint-ruleset-aws/releases/assets/43504692
12:25:44 install.go:194: [DEBUG] Downloaded to /var/folders/w3/llk_25v55mn1wk78cwbz66qm0000gq/T/tflint-download-temp-file-344556616
12:25:44 install.go:116: [DEBUG] Verified signature successfully
12:25:44 install.go:119: [DEBUG] Download tflint-ruleset-aws_darwin_amd64.zip
12:25:44 install.go:176: [DEBUG] Request to https://api.github.com/repos/terraform-linters/tflint-ruleset-aws/releases/assets/43504240
12:25:47 install.go:194: [DEBUG] Downloaded to /var/folders/w3/llk_25v55mn1wk78cwbz66qm0000gq/T/tflint-download-temp-file-621248775
Failed to install a plugin. An error occurred:

Error: Failed to verify checksums: Failed to match checksums: expected=dc13dec45ed96e3e30d363015416bff1ac5b64334db2e24e66273418fd9d9bd8, actual=cff18d5b2498086d7dc1820f5e049f2b78a9fc611f12ff7f4d82326b31904cd1
wata727 commented 3 years ago

Umm, I can't reproduce this failure in my environment.

% TFLINT_LOG=debug tflint --init
02:19:47 config.go:105: [INFO] Load config: .tflint.hcl
02:19:47 config.go:324: [DEBUG] Config loaded
02:19:47 config.go:325: [DEBUG]   Module: false
02:19:47 config.go:326: [DEBUG]   Force: false
02:19:47 config.go:327: [DEBUG]   IgnoreModules: map[string]bool{}
02:19:47 config.go:328: [DEBUG]   Varfiles: []string{}
02:19:47 config.go:329: [DEBUG]   Variables: []string{}
02:19:47 config.go:330: [DEBUG]   DisabledByDefault: false
02:19:47 config.go:331: [DEBUG]   Rules: map[string]*tflint.RuleConfig{}
02:19:47 config.go:332: [DEBUG]   Plugins: map[string]*tflint.PluginConfig{"aws":(*tflint.PluginConfig)(0xc00038c
f80)}
Installing `aws` plugin...
02:19:47 install.go:80: [DEBUG] Mkdir plugin dir: /Users/watanabekazuma/.tflint.d/plugins/github.com/terraform-li
nters/tflint-ruleset-aws/0.7.0
02:19:47 install.go:153: [DEBUG] Request to https://api.github.com/repos/terraform-linters/tflint-ruleset-aws/rel
eases/tags/v0.7.0
02:19:48 install.go:160: [DEBUG] asset found: checksums.txt
02:19:48 install.go:160: [DEBUG] asset found: checksums.txt.sig
02:19:48 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_darwin_amd64.zip
02:19:48 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_darwin_arm64.zip
02:19:48 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_freebsd_386.zip
02:19:48 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_freebsd_amd64.zip
02:19:48 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_freebsd_arm.zip
02:19:48 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_freebsd_arm64.zip
02:19:48 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_linux_386.zip
02:19:48 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_linux_amd64.zip
02:19:48 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_linux_arm.zip
02:19:48 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_linux_arm64.zip
02:19:48 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_netbsd_386.zip
02:19:48 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_netbsd_amd64.zip
02:19:48 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_netbsd_arm.zip
02:19:48 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_openbsd_386.zip
02:19:48 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_openbsd_amd64.zip
02:19:48 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_openbsd_arm.zip
02:19:48 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_openbsd_arm64.zip
02:19:48 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_windows_386.zip
02:19:48 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_windows_amd64.zip
02:19:48 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_windows_arm.zip
02:19:48 install.go:90: [DEBUG] Download checksums.txt
02:19:48 install.go:176: [DEBUG] Request to https://api.github.com/repos/terraform-linters/tflint-ruleset-aws/releases/assets/43504208
02:19:49 install.go:194: [DEBUG] Downloaded to /var/folders/ds/c5vrpyx94xv7xxzvrf9_qyx00000gn/T/tflint-download-temp-file-895313512
02:19:49 install.go:101: [DEBUG] Download checksums.txt.sig
02:19:49 install.go:176: [DEBUG] Request to https://api.github.com/repos/terraform-linters/tflint-ruleset-aws/releases/assets/43504692
02:19:49 install.go:194: [DEBUG] Downloaded to /var/folders/ds/c5vrpyx94xv7xxzvrf9_qyx00000gn/T/tflint-download-temp-file-524633255
02:19:49 install.go:116: [DEBUG] Verified signature successfully
02:19:49 install.go:119: [DEBUG] Download tflint-ruleset-aws_darwin_amd64.zip
02:19:49 install.go:176: [DEBUG] Request to https://api.github.com/repos/terraform-linters/tflint-ruleset-aws/releases/assets/43504240
02:19:51 install.go:194: [DEBUG] Downloaded to /var/folders/ds/c5vrpyx94xv7xxzvrf9_qyx00000gn/T/tflint-download-temp-file-216159706
02:19:51 install.go:135: [DEBUG] Matched checksum successfully
02:19:51 install.go:210: [DEBUG] file found in zip: tflint-ruleset-aws
02:19:54 install.go:141: [DEBUG] Installed /Users/watanabekazuma/.tflint.d/plugins/github.com/terraform-linters/tflint-ruleset-aws/0.7.0/tflint-ruleset-aws successfully
Installed `aws` (source: github.com/terraform-linters/tflint-ruleset-aws, version: 0.7.0)

And the checksum of the zip file seems to match the expected output:

% shasum -a 256 ~/Downloads/tflint-ruleset-aws_darwin_amd64.zip
dc13dec45ed96e3e30d363015416bff1ac5b64334db2e24e66273418fd9d9bd8  /Users/watanabekazuma/Downloads/tflint-ruleset-aws_darwin_amd64.zip

It is possible that the downloaded file is actually corrupted.

bgshacklett commented 3 years ago

FWIW, I'm still trying to isolate when and, ideally, how, this is happening. I'll report back when I have more data.

wata727 commented 2 years ago

It seems that there is no update for a while, so I will close it. If you find the cause, open a new issue.

scottelundgren commented 2 years ago

Having the same issue with newest version: .tflint.hcl:

plugin "aws" {
  enabled = true
  version = "0.8.0"
  source  = "github.com/terraform-linters/tflint-ruleset-aws"
}

tflint --init output:

➜ TFLINT_LOG=debug tflint --init
16:17:01 config.go:105: [INFO] Load config: .tflint.hcl
16:17:01 config.go:324: [DEBUG] Config loaded
16:17:01 config.go:325: [DEBUG]   Module: false
16:17:01 config.go:326: [DEBUG]   Force: false
16:17:01 config.go:327: [DEBUG]   IgnoreModules: map[string]bool{}
16:17:01 config.go:328: [DEBUG]   Varfiles: []string{}
16:17:01 config.go:329: [DEBUG]   Variables: []string{}
16:17:01 config.go:330: [DEBUG]   DisabledByDefault: false
16:17:01 config.go:331: [DEBUG]   Rules: map[string]*tflint.RuleConfig{}
16:17:01 config.go:332: [DEBUG]   Plugins: map[string]*tflint.PluginConfig{"aws":(*tflint.PluginConfig)(0xc00096e300)}
Installing `aws` plugin...
16:17:01 install.go:80: [DEBUG] Mkdir plugin dir: /Users/scott.lundgren/.tflint.d/plugins/github.com/terraform-linters/tflint-ruleset-aws/0.8.0
16:17:01 install.go:153: [DEBUG] Request to https://api.github.com/repos/terraform-linters/tflint-ruleset-aws/releases/tags/v0.8.0
16:17:01 install.go:160: [DEBUG] asset found: checksums.txt
16:17:01 install.go:160: [DEBUG] asset found: checksums.txt.sig
16:17:01 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_darwin_amd64.zip
16:17:01 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_darwin_arm64.zip
16:17:01 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_freebsd_386.zip
16:17:01 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_freebsd_amd64.zip
16:17:01 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_freebsd_arm.zip
16:17:01 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_freebsd_arm64.zip
16:17:01 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_linux_386.zip
16:17:01 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_linux_amd64.zip
16:17:01 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_linux_arm.zip
16:17:01 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_linux_arm64.zip
16:17:01 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_netbsd_386.zip
16:17:01 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_netbsd_amd64.zip
16:17:01 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_netbsd_arm.zip
16:17:01 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_openbsd_386.zip
16:17:01 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_openbsd_amd64.zip
16:17:01 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_openbsd_arm.zip
16:17:01 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_openbsd_arm64.zip
16:17:01 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_windows_386.zip
16:17:01 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_windows_amd64.zip
16:17:01 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_windows_arm.zip
16:17:01 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_windows_arm64.zip
16:17:01 install.go:90: [DEBUG] Download checksums.txt
16:17:01 install.go:176: [DEBUG] Request to https://api.github.com/repos/terraform-linters/tflint-ruleset-aws/releases/assets/46653909
16:17:02 install.go:194: [DEBUG] Downloaded to /var/folders/sj/7kjnx3r961vfw9_2qmqp9c040000gp/T/tflint-download-temp-file-298348246
16:17:02 install.go:101: [DEBUG] Download checksums.txt.sig
16:17:02 install.go:176: [DEBUG] Request to https://api.github.com/repos/terraform-linters/tflint-ruleset-aws/releases/assets/46654142
16:17:02 install.go:194: [DEBUG] Downloaded to /var/folders/sj/7kjnx3r961vfw9_2qmqp9c040000gp/T/tflint-download-temp-file-574295485
16:17:02 install.go:116: [DEBUG] Verified signature successfully
16:17:02 install.go:119: [DEBUG] Download tflint-ruleset-aws_darwin_amd64.zip
16:17:02 install.go:176: [DEBUG] Request to https://api.github.com/repos/terraform-linters/tflint-ruleset-aws/releases/assets/46653920
16:17:04 install.go:194: [DEBUG] Downloaded to /var/folders/sj/7kjnx3r961vfw9_2qmqp9c040000gp/T/tflint-download-temp-file-1782996149
Failed to install a plugin. An error occurred:

Error: Failed to verify checksums: Failed to match checksums: expected=d77dfae9e706f2193738fab1f78be7699c566b076241dfd69801aa8b2fd35c1f, actual=608ea4ef91a41bf621fd9f7e1f79254dd784dede5b21e21f3aa97bb42b825a94

Checksums don't match with manual fetch:

➜ curl -L https://github.com/terraform-linters/tflint-ruleset-aws/releases/download/v0.8.0/checksums.txt -s -o checksums.txt
➜ curl -L https://github.com/terraform-linters/tflint-ruleset-aws/releases/download/v0.8.0/tflint-ruleset-aws_darwin_amd64.zip -s -o tflint-ruleset-aws_darwin_amd64.zip
➜ grep darwin_amd checksums.txt 
d77dfae9e706f2193738fab1f78be7699c566b076241dfd69801aa8b2fd35c1f  tflint-ruleset-aws_darwin_amd64.zip
➜ shasum -a 256 tflint-ruleset-aws_darwin_amd64.zip
608ea4ef91a41bf621fd9f7e1f79254dd784dede5b21e21f3aa97bb42b825a94  tflint-ruleset-aws_darwin_amd64.zip

OS: MacOS Big Sur 11.6 (20G165) Model Identifier: MacBookPro16,1

Failed to verify checksums error also occurs when .tflint.hcl is set to version = "0.7.0" as OP, and version = "0.7.2"

bgshacklett commented 2 years ago

I'm still trying to narrow things down, but in my case, I believe it's related to security software installed on my machine. I've seen this with a few other packages now, as well.

Edit: I seem to be getting a unique checksum compared to your example:

❯ curl -L https://github.com/terraform-linters/tflint-ruleset-aws/releases/download/v0.8.0/checksums.txt -s -o checksums.txt
curl -L https://github.com/terraform-linters/tflint-ruleset-aws/releases/download/v0.8.0/tflint-ruleset-aws_darwin_amd64.zip -s -o tflint-ruleset-aws_darwin_amd64.zip
grep darwin_amd checksums.txt
shasum -a 256 tflint-ruleset-aws_darwin_amd64.zip

d77dfae9e706f2193738fab1f78be7699c566b076241dfd69801aa8b2fd35c1f  tflint-ruleset-aws_darwin_amd64.zip
c19009917db156253f0a3d0a20fb4da32cea4b9c26c9dbdcefc21852e4bd2abc  tflint-ruleset-aws_darwin_amd64.zip
scottelundgren commented 2 years ago

This error is on my corporate machine that does have security software installed. I'll try on my home machine with no security software installed to see if there are different results.

scottelundgren commented 2 years ago

My home machine (OS: MacOS Big Sur 11.6, Model Identifier: 12,1) didn't have this problem so it's definitely security software.

Reached out to corporate security (for anyone else that hits this thread as a search result), who confirmed the problem is caused by Netskope. Basically, it's unpacking the zips to inspect them, and then rezipping over the top of the archive so you end up with a slightly different compression ratio and so the hash fails. 😞

The solution is to ask your security team to allow your machine to not inspect the tflint ruleset packages.

bgshacklett commented 2 years ago

Yes. It’s Netskope in my case, as well. Thank you for the update!

BroodingMawlek commented 4 months ago

Netskope here, same error, may thanks for reporting this.