Hash of downloaded binary never verified

[centromere]

When installing from a URL, the hash of the file is never verified. This would be a really nice feature to have.

[solarkennedy]

Hmmm. Are you looking for security or just integrity?

[centromere]

Both.

[solarkennedy]

I think that would be best served in a non-consul specific way inside the module we use to download and unzip the thing:
https://github.com/nanliu/puppet-staging

It could take some sort of verification url?

staging::deploy { 'the zip':
  source => download_url,
  target => target_dir,
  creates => consul,
  verfication_url => "https://dl.bintray.com/mitchellh/consul/${version}_SHA256SUMS?direct",
  verification_method => "sha256sum",
}

[centromere]

There's a module called puppet-archive which has checksum verification built in.

[solarkennedy]

Ooo!!

[solarkennedy]

We now use puppet-archive, so I would accept a PR that enables verification.

[solarkennedy]

We are now officially using the latest version of puppet-archive, so this is actually possible if someone wants to try.

https://github.com/voxpupuli/puppet-archive#archive

With checksum_verify and related options for pointing the module at the right checksum url.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.