mirror of
https://github.com/opentofu/opentofu.git
synced 2024-12-30 10:47:14 -06:00
ef64df950c
As we continue iterating towards saving valid hashes for a package in a depsfile lock file after installation and verifying them on future installation, this prepares getproviders for the possibility of having multiple valid hashes per package. This will arise in future commits for two reasons: - We will need to support both the legacy "zip hash" hashing scheme and the new-style content-based hashing scheme because currently the registry protocol is only able to produce the legacy scheme, but our other installation sources prefer the content-based scheme. Therefore packages will typically have a mixture of hashes of both types. - Installing from an upstream registry will save the hashes for the packages across all supported platforms, rather than just the current platform, and we'll consider all of those valid for future installation if we see both successful matching of the current platform checksum and a signature verification for the checksums file as a whole. This also includes some more preparation for the second case above in that signatureAuthentication now supports AcceptableHashes and returns all of the zip-based hashes it can find in the checksums file. This is a bit of an abstraction leak because previously that authenticator considered its "document" to just be opaque bytes, but we want to make sure that we can only end up trusting _all_ of the hashes if we've verified that the document is signed. Hopefully we'll make this better in a future commit with some refactoring, but that's deferred for now in order to minimize disruption to existing codepaths while we work towards a provider locking MVP. |
||
|---|---|---|
| .. | ||
| testdata | ||
| doc.go | ||
| errors.go | ||
| filesystem_mirror_source_test.go | ||
| filesystem_mirror_source.go | ||
| filesystem_search_test.go | ||
| filesystem_search.go | ||
| hash_test.go | ||
| hash.go | ||
| http_mirror_source_test.go | ||
| http_mirror_source.go | ||
| legacy_lookup_test.go | ||
| legacy_lookup.go | ||
| memoize_source_test.go | ||
| memoize_source.go | ||
| mock_source.go | ||
| multi_source_test.go | ||
| multi_source.go | ||
| package_authentication_test.go | ||
| package_authentication.go | ||
| public_keys.go | ||
| registry_client_test.go | ||
| registry_client.go | ||
| registry_source_test.go | ||
| registry_source.go | ||
| source.go | ||
| types.go | ||