Change in SHA256SUMs for terraform downloads

In our tooling, we download a specific version for terraform and then verify the SHA256SUM to ensure that the download is correct and has not been tampered with. The relevant SHA256SUM file is recorded in our tool when we start supporting a specific terraform version.

However, we recently started getting checksum errors on Terraform 1.3.9:

Error: error while verifying download https://releases.hashicorp.com/terraform/1.3.9/terraform_1.3.9_darwin_arm64.zip: wrong checksum, expected 9df6fc8a9264bba1058e6e9383f43af2ee816088e61925e5bc45128ad8b6e9ad but got d8a59a794a7f99b484a07a0ed2aa6520921d146ac5a7f4b1b806dcf5c4af0525

If we look at the current SHA256SUM file, this error is correct:

❯ curl -sq https://releases.hashicorp.com/terraform/1.3.9/terraform_1.3.9_SHA256SUMS | grep terraform_1.3.9_darwin_arm64.zip
d8a59a794a7f99b484a07a0ed2aa6520921d146ac5a7f4b1b806dcf5c4af0525  terraform_1.3.9_darwin_arm64.zip

However, since this used to work, I dug a bit further, and via the Internet Archive we can see that the SHA256 used to be different:

❯ curl -qs https://web.archive.org/web/20230226054746if_/https://releases.hashicorp.com/terraform/1.3.9/terraform_1.3.9_SHA256SUMS | grep terraform_1.3.9_darwin_arm64.zip
9df6fc8a9264bba1058e6e9383f43af2ee816088e61925e5bc45128ad8b6e9ad  terraform_1.3.9_darwin_arm64.zip

Is this legit? Was the SHA256SUMS actually changed after the release? It looks like the same happened for 1.3.8.

It is a bit disconcerting when important binaries change unexpectedly.

Hi @dagvl,

The darwin binaries were resigned with an updated key, which resulted in the checksum for the binaries changing. However, the checksums alone don’t tell you anything without authentication, and the new signatures were updated concurrently.

See Security at HashiCorp for more information on how the releases are signed.

Hi @jbardin,
The case that @dagvl, myself and others are seeing is the following:

  1. In our case, we specify a terraform version and also hardcode the SHA256SUM for verification (as specified in Release Archive Checksum Verification)
  2. The binaries are updated, the SHA no longer matches and we need to confirm the change/update the code SHA256SUM

This flow is not what we would expect; ideally the binaries shouldn’t be changing.

2 weeks ago we had updated the SHA and we’ve had to do the same just now. Please take this as feedback to consider improving this in the future.

Thank you,
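The verification flow discussed in this thread (pin a SHA256SUM, re-check it after each download, and tell a stale pin apart from a download that matches nothing), as an added example that is not code from any of the posters or from HashiCorp's tooling. The archive bytes and the SHA256SUMS text are constructed so it runs offline; it assumes the two-space `digest  filename` layout shown above and does not perform the signature check on the SHA256SUMS file, which still has to happen before its contents are trusted.

```python
import hashlib
import hmac
from typing import Dict

# Constructed stand-in for the downloaded zip (not a real Terraform archive).
ARCHIVE_NAME = "terraform_1.3.9_darwin_arm64.zip"
ARCHIVE_BYTES = b"constructed archive contents, not a real zip"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Parse 'hexdigest  filename' lines (two spaces, as in the SHA256SUMS output above)."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed SHA256SUMS line: {line!r}")
        sums[name] = digest.lower()
    return sums


def verify_archive(archive: bytes, name: str, sums_text: str) -> bool:
    """True when the archive's digest matches its entry in the (already authenticated) SUMS file."""
    published = parse_sha256sums(sums_text).get(name)
    if published is None:
        raise KeyError(f"{name} not listed in SHA256SUMS")
    return hmac.compare_digest(sha256_hex(archive), published)


def classify_pin_mismatch(pinned: str, archive: bytes, name: str, sums_text: str) -> str:
    """Distinguish a stale hardcoded pin (archive matches the published SUMS) from a
    download that matches neither the pin nor the SUMS (corruption or tampering)."""
    actual = sha256_hex(archive)
    if hmac.compare_digest(actual, pinned.lower()):
        return "ok"
    if verify_archive(archive, name, sums_text):
        return "pin-stale"  # published SUMS changed after the pin was recorded, as with 1.3.9
    return "untrusted"


# Constructed SHA256SUMS listing only the constructed archive.
SUMS_TEXT = f"{sha256_hex(ARCHIVE_BYTES)}  {ARCHIVE_NAME}\n"
```

A "pin-stale" result is the signal to re-verify the SUMS signature and then update the recorded hash, while "untrusted" should fail the build outright.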