Summary
When Splunk packages are downloaded (via download_and_unarchive.yml), the role should also download the corresponding .sha512 checksum file and verify the package integrity. This should happen in all scenarios:
- Package is freshly downloaded (local or remote)
- Package already exists on the filesystem (pre-downloaded)
Current behavior
download_and_unarchive.yml uses ansible.builtin.get_url to download the package and immediately unarchives it. No checksum verification is performed.
Desired behavior
- Download the .sha512 checksum file alongside the package (Splunk publishes these at the same URL with .sha512 appended)
- Verify the package against the checksum using sha512sum (if available on the host)
- Verification should run every time, even if the package file already exists on disk - not just on fresh downloads
- Should work for both local (splunk_download_local: true) and remote download modes
- Fail the play with a clear error message if the checksum does not match
- Optionally, ansible.builtin.get_url supports a checksum parameter (e.g., checksum: "sha512:{{ url }}.sha512") which could be used for the download step itself
Implementation notes
- Splunk publishes SHA-512 checksums at {{ splunk_package_url }}.sha512
- The ansible.builtin.get_url module has a checksum parameter that accepts the sha512:https://... format, but this only validates during download, not for pre-existing files
- For pre-existing files, a separate ansible.builtin.stat (with checksum_algorithm: sha512) or sha512sum shell command is needed
- Both delegate_to: localhost and remote execution paths need coverage
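A concrete form of the tasks described under Desired behavior and Implementation notes, written here as an added example rather than the role's own code. splunk_package_url and splunk_download_local are the names used in this issue; splunk_package_path is an assumed variable, and verification uses ansible.builtin.stat instead of sha512sum so the check runs the same way on both delegate paths and on a package that was already on disk.

```yaml
# Added example, not the role's own code. splunk_package_url and splunk_download_local
# are names from the issue; splunk_package_path is an assumed variable.
- name: Fetch and verify the Splunk package against its published SHA-512
  # One delegate target for every step, so the localhost and remote paths share the logic.
  delegate_to: "{{ 'localhost' if splunk_download_local | bool else inventory_hostname }}"
  block:
    - name: Download the package (get_url's checksum covers the download step)
      ansible.builtin.get_url:
        url: "{{ splunk_package_url }}"
        dest: "{{ splunk_package_path }}"
        checksum: "sha512:{{ splunk_package_url }}.sha512"
        mode: "0644"

    - name: Always re-fetch the .sha512 file so a stale local copy is never trusted
      ansible.builtin.get_url:
        url: "{{ splunk_package_url }}.sha512"
        dest: "{{ splunk_package_path }}.sha512"
        force: true
        mode: "0644"

    - name: Read the expected digest
      ansible.builtin.slurp:
        src: "{{ splunk_package_path }}.sha512"
      register: splunk_sha512_file

    # Runs on every play, so a pre-existing package is verified too; no sha512sum binary needed.
    - name: Compute the SHA-512 of the package now on disk
      ansible.builtin.stat:
        path: "{{ splunk_package_path }}"
        checksum_algorithm: sha512
      register: splunk_package_stat

    - name: Fail the play with a clear message on mismatch
      vars:
        # Take the first 128-hex-char token, so "<hash>  <file>" and "SHA512(<file>)= <hash>" both parse.
        expected_sha512: "{{ splunk_sha512_file.content | b64decode | regex_search('[0-9a-fA-F]{128}') | default('', true) | lower }}"
      ansible.builtin.assert:
        that:
          - splunk_package_stat.stat.exists
          - expected_sha512 | length == 128
          - splunk_package_stat.stat.checksum == expected_sha512
        fail_msg: >-
          SHA-512 mismatch for {{ splunk_package_path }}:
          expected '{{ expected_sha512 }}', got '{{ splunk_package_stat.stat.checksum | default('missing') }}'
        success_msg: "SHA-512 verified for {{ splunk_package_path }}"
```

Unarchiving would follow the assert, so a tampered or truncated package is never extracted.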