  1. Puppet
  2. PUP-9909

Use file_sha256 to verify module tarballs

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: PUP 6.8.0
    • Component/s: None
    • Team:
      Coremunity
    • Sprint:
      Platform Core KANBAN
    • Release Notes:
      Enhancement
    • Release Notes Summary:
      The `puppet module install` command will prefer SHA-256 when verifying the downloaded module tarball, but fall back to MD5 if necessary.
    • QA Risk Assessment:
      Needs Assessment

      Description

      The Forge API recently added file_sha256 for module downloads; see FORGE-360. The PMT should always prefer that digest. If the digest is missing and FIPS is enabled, it should raise like it does now. If FIPS is not enabled, then it should fall back to MD5.
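
      The selection order described above, as an added Ruby sketch that is not Puppet's own code: the names select_digest, verify_tarball and ChecksumError are hypothetical, the release hash is constructed, and the 'file_md5' key name is an assumption. It also treats a SHA-256 mismatch as final instead of retrying with MD5.

```ruby
require 'digest'

class ChecksumError < StandardError; end

# Choose which digest to trust. `release` is a constructed hash shaped like
# Forge release metadata; the 'file_md5' key name is an assumption.
def select_digest(release, fips:)
  sha256 = release['file_sha256'].to_s
  md5 = release['file_md5'].to_s
  return [:sha256, sha256] unless sha256.empty?
  raise ChecksumError, 'no file_sha256 and MD5 is not permitted in FIPS mode' if fips
  raise ChecksumError, 'release metadata has no checksum' if md5.empty?
  [:md5, md5]
end

# Verify tarball bytes and return the algorithm used. A SHA-256 mismatch is
# final: it never retries with MD5, so the stronger digest cannot be bypassed.
def verify_tarball(bytes, release, fips: false)
  algo, expected = select_digest(release, fips: fips)
  actual = algo == :sha256 ? Digest::SHA256.hexdigest(bytes) : Digest::MD5.hexdigest(bytes)
  return algo if actual == expected.downcase
  raise ChecksumError, "#{algo} mismatch: expected #{expected}, got #{actual}"
end

if __FILE__ == $PROGRAM_NAME
  tarball = 'constructed module tarball bytes' # stand-in for a download
  release = { 'file_sha256' => Digest::SHA256.hexdigest(tarball) }
  puts "verified with #{verify_tarball(tarball, release, fips: true)}"
end
```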

              People

              • Assignee:
                josh Josh Cooper
                Reporter:
                josh Josh Cooper