In our tooling, we download a specific version of terraform and then verify the SHA256SUM to ensure that the download is correct and has not been tampered with. The relevant SHA256SUM file is recorded in our tool when we start supporting a specific terraform version.
However, we recently started getting checksum errors on Terraform 1.3.9:
Error: error while verifying download https://releases.hashicorp.com/terraform/1.3.9/terraform_1.3.9_darwin_arm64.zip: wrong checksum, expected 9df6fc8a9264bba1058e6e9383f43af2ee816088e61925e5bc45128ad8b6e9ad but got d8a59a794a7f99b484a07a0ed2aa6520921d146ac5a7f4b1b806dcf5c4af0525
If we look at the current SHA256SUM file, this error is correct:
❯ curl -sq https://releases.hashicorp.com/terraform/1.3.9/terraform_1.3.9_SHA256SUMS | grep terraform_1.3.9_darwin_arm64.zip
d8a59a794a7f99b484a07a0ed2aa6520921d146ac5a7f4b1b806dcf5c4af0525 terraform_1.3.9_darwin_arm64.zip
However, since this used to work, I dug a bit further, and via the Internet Archive we can see that the SHA256 used to be different:
❯ curl -qs https://web.archive.org/web/20230226054746if_/https://releases.hashicorp.com/terraform/1.3.9/terraform_1.3.9_SHA256SUMS | grep terraform_1.3.9_darwin_arm64.zip
9df6fc8a9264bba1058e6e9383f43af2ee816088e61925e5bc45128ad8b6e9ad terraform_1.3.9_darwin_arm64.zip
Is this legit? Was the SHA256SUMS actually changed after the release? It looks like the same happened for 1.3.8.
It is a bit disconcerting when important binaries change unexpectedly.
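As an added example (not code from the original post or from the tool it describes), a small Python check that separates a corrupted download from the situation reported above, where the artifact matches the SHA256SUMS file published today but not the one pinned when the version was added. The artifact bytes and both SHA256SUMS contents are constructed; only the file name is taken from the post.

```python
import hashlib

# Constructed sample artifact standing in for the downloaded zip (not the real file).
ARTIFACT = b"constructed sample artifact bytes"
ARTIFACT_NAME = "terraform_1.3.9_darwin_arm64.zip"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_sha256sums(text: str) -> dict:
    """Parse a SHA256SUMS file (one '<hex>  <filename>' line per file)."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, sep, name = line.partition("  ")
        if not sep:  # tolerate a single-space separator
            digest, _, name = line.partition(" ")
        sums[name.lstrip("*")] = digest.lower()  # '*' marks binary mode in sha256sum output
    return sums


def verify_download(data: bytes, name: str, pinned_sums: str, current_sums: str) -> str:
    """Compare the download against the checksum pinned when the version was added to the
    tool, and against the checksum file currently published upstream, to say which side moved."""
    pinned = parse_sha256sums(pinned_sums).get(name)
    current = parse_sha256sums(current_sums).get(name)
    actual = sha256_hex(data)
    if pinned is None:
        return "no_pinned_checksum"
    if actual == pinned:
        return "ok"
    if actual == current:
        # The bytes match what upstream publishes today but not what was pinned:
        # the SHA256SUMS file changed after release, which is what the post observed.
        return "upstream_checksum_changed"
    return "corrupted_or_tampered_download"


# Constructed SHA256SUMS contents: the pinned file records the digest of the originally
# published artifact, while the current file matches the bytes we actually hold.
OLD_DIGEST = sha256_hex(b"constructed bytes of the originally published artifact")
PINNED_SUMS = f"{OLD_DIGEST}  {ARTIFACT_NAME}\n"
CURRENT_SUMS = f"{sha256_hex(ARTIFACT)}  {ARTIFACT_NAME}\n"

if __name__ == "__main__":
    print(verify_download(ARTIFACT, ARTIFACT_NAME, PINNED_SUMS, CURRENT_SUMS))
```

This only tells you which side changed; whether the new SHA256SUMS is legitimate is a question for the detached signature HashiCorp publishes alongside it, which the pinned copy should also have been checked against.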