# general

delightful-monkey-90700

04/27/2022, 3:42 PM
When installing Pulumi plugins using "`pulumi plugin install`", how is the executable code verified? Through a signature, or a checksum somewhere?
Looking through the source code, I don't see either one?

echoing-dinner-19531

04/27/2022, 3:58 PM
It isn't; we mostly download releases from GitHub, which is also where we would get the checksums from, so there's no security benefit to verifying using those.

delightful-monkey-90700

04/27/2022, 3:59 PM
Ideally, if you were using checksums, they would be signed or included in the binary (whose checksum was verified as part of download/build).
Signatures are, of course, more flexible.

echoing-dinner-19531

04/27/2022, 4:00 PM
I know there were plans to look at binary signing for macOS. I don't think anything else is planned; feel free to raise an issue about it.

delightful-monkey-90700

04/27/2022, 4:07 PM
The current situation is really unsafe and I wouldn't recommend using it.