  1. Puppet
  2. PUP-9909

Use file_sha256 to verify module tarballs


    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: PUP 6.8.0
    • Component/s: None
    • Team:
      Coremunity
    • Sprint:
      Platform Core KANBAN
    • Release Notes:
      Enhancement
    • Release Notes Summary:
      The `puppet module install` command will prefer SHA-256 when verifying the downloaded module tarball, but fall back to MD5 if necessary.
    • QA Risk Assessment:
      Needs Assessment

      Description

      The Forge API recently added file_sha256 for module downloads; see FORGE-360. The PMT should always prefer that digest. If the digest is missing and FIPS is enabled, it should raise like it does now. If FIPS is not enabled, then it should fall back to MD5.
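
The digest selection described above, as an added Ruby example that is not Puppet's own code. `file_md5`, `ChecksumError`, `select_digest`, `verify_tarball` and the `fips_enabled:` flag are assumptions made for illustration; only `file_sha256` comes from the ticket.

```ruby
require 'digest'

# Raised when a tarball cannot be verified (hypothetical name for this example).
class ChecksumError < StandardError; end

# Choose the digest to check. 'file_sha256' is the field named in the ticket;
# 'file_md5' is assumed to be the legacy field on the same release record.
def select_digest(release, fips_enabled:)
  sha256 = release['file_sha256'].to_s
  return [Digest::SHA256, sha256] unless sha256.empty?

  # No SHA-256 published: under FIPS there is no acceptable fallback.
  raise ChecksumError, 'release has no file_sha256 and FIPS is enabled' if fips_enabled

  md5 = release['file_md5'].to_s
  raise ChecksumError, 'release metadata carries no digest' if md5.empty?
  [Digest::MD5, md5]
end

# Returns the digest class that verified the bytes, or raises ChecksumError.
# A SHA-256 mismatch is final: it never falls through to MD5.
def verify_tarball(release, bytes, fips_enabled: false)
  algorithm, expected = select_digest(release, fips_enabled: fips_enabled)
  actual = algorithm.hexdigest(bytes)
  unless actual == expected.strip.downcase
    raise ChecksumError, "#{algorithm.name} mismatch: expected #{expected}, got #{actual}"
  end
  algorithm
end

if __FILE__ == $PROGRAM_NAME
  bytes = 'constructed module tarball bytes' # constructed sample input
  modern = { 'file_sha256' => Digest::SHA256.hexdigest(bytes),
             'file_md5' => Digest::MD5.hexdigest(bytes) }
  legacy = { 'file_md5' => Digest::MD5.hexdigest(bytes) }

  puts verify_tarball(modern, bytes).name
  puts verify_tarball(legacy, bytes).name
  begin
    verify_tarball(legacy, bytes, fips_enabled: true)
  rescue ChecksumError => e
    puts "refused: #{e.message}"
  end
end
```

Because the choice is made once from the metadata, a tarball that fails the SHA-256 check is rejected even when its MD5 would match.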

              People

              Assignee:
              josh Josh Cooper
              Reporter:
              josh Josh Cooper
