Is your feature request related to a problem? Please describe.
When using tenv <tool> detect, tenv is only reading through path and filenames to determine if a version of the tool is already installed, without checking its integrity as it does during installation. I think it might be a good security measure.
Describe the solution you'd like
The tenv <tool> detect checks the integrity of the tool if already installed. Examples:
Already installed and has integrity
$ tenv tg detect
Found compatible version installed locally : 0.66.9
Checking integrity...
Downloading https://github.com/gruntwork-io/terragrunt/releases/download/v0.66.9/SHA256SUMS
Checksum OK!
Terragrunt 0.66.9 will be run from this directory.
Already installed but has an incorrect checksum
$ tenv tg detect
Found compatible version installed locally : 0.66.9
Checking integrity...
Downloading https://github.com/gruntwork-io/terragrunt/releases/download/v0.66.9/SHA256SUMS
Checksum failed! Warning: this could be a malicious binary.
Describe alternatives you've considered
Add a CLI flag to enable/disable this behavior (e.g. --checksum/--no-checksum)
Add a separate command to tenv to do the checksum (e.g. tenv <tool> check)
Additional context
When using containers in CI pipelines, for example, one could pre-load binaries during the image build to save time and bandwidth, but still use tenv at runtime to check their integrity. Since IaC tools are particularly sensitive and generally have high privileges, they can be a target of attacks with malicious binaries.
One question regarding "one could pre-load binaries". Does it mean that during the build these binaries will be installed by tenv? If so, it's possible to implement your request; otherwise, we have to detect PATHs for Terraform/Terragrunt/Atmos/Tofu somehow.
Yes, when I say "pre-load binaries", it would be with tenv to preserve consistency. Using tenv for installation would imply using tenv later for integrity checking.
OpenTofu checksums are linked to the archive, which is not convenient, and if we compute a specific checksum for the binary, where do we store it to ensure it will not be corrupted too?