When installing Pulumi plugins using "`pulumi plugin install`", how is the executable code verified? Through a signature, or a checksum somewhere?
Looking through the source code I don't see either one?
echoing-dinner-19531
04/27/2022, 3:58 PM
It isn't. We mostly download releases from GitHub, which is also where we would get the checksums from, so there's no security benefit to verifying using those.
delightful-monkey-90700
04/27/2022, 3:59 PM
Ideally if you were using checksums they would be signed or included in the binary (whose checksum was verified as part of download/build)
Signatures are, of course, more flexible.
echoing-dinner-19531
04/27/2022, 4:00 PM
I know there were plans to look at binary signing for macOS. I don't think anything else is planned; feel free to raise an issue about it.