When defining download-lambda configurations we can specify a tag and a name, which are used to build the URL from which the lambda zip file is downloaded.
This architecture fundamentally assumes that neither github.com nor the path between the runner and github.com will be compromised, and that the project's release artifacts themselves will not be tampered with.
This is not ideal.
This attack vector could be mitigated by adding a checksum to the lambda config:
module "lambdas" {
  # ...
  lambdas = [
    {
      name     = "webhook"
      tag      = "v0.15.0"
      checksum = "sha256:f22c4b9b49dcaca119e0bb1b35efddea8b33fe2d7df7b33e703222e197d40c74"
    },
    # ...
  ]
}
This checksum can then be used to verify that the file downloaded by curl is the expected artifact before it is deployed; a mismatch should fail the download rather than be ignored.
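The following shell script is an added example of the check described above; it is not code from this module. It parses a `sha256:<hex>` checksum string in the form used in the config, computes the digest of the downloaded file, and refuses (and deletes) the file on mismatch or malformed input. The release URL layout in `download_lambda`, and the `verify_checksum`/`download_lambda` function names, are assumptions for illustration only.

```shell
#!/usr/bin/env sh
# Added example (not the module's own code): verify a downloaded lambda zip
# against a "sha256:<hex>" checksum string before it is used.

# Print the SHA-256 hex digest of a file, using whichever tool is present.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    openssl dgst -sha256 "$1" | awk '{print $NF}'
  fi
}

# verify_checksum FILE EXPECTED
# EXPECTED has the form "sha256:<64 hex chars>", as in the lambda config.
# Returns 0 when the digest matches, 1 on mismatch, missing file or malformed input.
verify_checksum() {
  file=$1
  expected=$2
  case "$expected" in
    sha256:*) want=${expected#sha256:} ;;
    *) echo "unsupported checksum format: $expected" >&2; return 1 ;;
  esac
  # Normalise to lowercase and require exactly 64 hex characters, so a
  # truncated or mistyped config value fails closed instead of matching nothing.
  want=$(printf '%s' "$want" | tr 'A-F' 'a-f')
  if ! printf '%s' "$want" | grep -Eq '^[0-9a-f]{64}$'; then
    echo "malformed sha256 checksum: $expected" >&2
    return 1
  fi
  [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
  got=$(sha256_of "$file")
  if [ "$got" != "$want" ]; then
    echo "checksum mismatch for $file: expected $want, got $got" >&2
    return 1
  fi
  return 0
}

# download_lambda NAME TAG CHECKSUM [DEST]
# Builds a GitHub release URL from NAME and TAG (assumed URL layout, hypothetical),
# downloads it with curl, and removes the file if the checksum does not match.
download_lambda() {
  name=$1; tag=$2; checksum=$3; dest=${4:-$name.zip}
  url="https://github.com/philips-labs/terraform-aws-github-runner/releases/download/$tag/$name.zip"
  curl -fsSL -o "$dest" "$url" || return 1
  if ! verify_checksum "$dest" "$checksum"; then
    rm -f "$dest"
    return 1
  fi
  return 0
}
```

`download_lambda` needs network access; `verify_checksum` can be exercised offline against any local file, which is how the rest of a deployment pipeline would call it after its own download step.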