improve signature skipping (#447)

dvaumoron · web-flow · commit a2cf4989c162 · 2025-09-14T15:05:24.000+02:00
* improve signature skipping #445 * update README for #445 * avoid unnecessary download #445 * fix linter : use CommandContext Signed-off-by: Denis Vaumoron <dvaumoron@gmail.com>
diff --git a/README.md b/README.md
@@ -787,6 +787,15 @@ If set to true **tenv** disable tracking of last use date for installed versions
 </details>
 
 
+<details markdown="1"><summary><b>TENV_VALIDATION</b></summary><br>
+
+String (Default: signature)
+
+Set **tenv** validation, known values are "signature" (check SHA256 and its signature, see [signature support](#signature-support)), "sha" (only check SHA256), "none" (no validation).
+
+</details>
+
+
 <details markdown="1"><summary><b>GITHUB_ACTIONS</b></summary><br>
 
 String (Default: false)
diff --git a/cmd/tenv/subcmd.go b/cmd/tenv/subcmd.go
@@ -76,6 +76,7 @@ func newDetectCmd(versionManager versionmanager.VersionManager, params subCmdPar
 	descBuilder.WriteString(versionManager.FolderName)
 	descBuilder.WriteString(" current version.")
 
+	skipSum, skipSign := false, false
 	forceInstall, forceNoInstall := false, false
 
 	detectCmd := &cobra.Command{
@@ -102,7 +103,7 @@ func newDetectCmd(versionManager versionmanager.VersionManager, params subCmdPar
 	}
 
 	flags := detectCmd.Flags()
-	addInstallationFlags(flags, conf, params)
+	addInstallationFlags(flags, conf, params, &skipSum, &skipSign)
 	addOptionalInstallationFlags(flags, conf, params, &forceInstall, &forceNoInstall)
 	addRemoteFlags(flags, conf, params)
 
@@ -133,6 +134,8 @@ If a parameter is passed, available options:
 	descBuilder.WriteString(versionManager.FolderName)
 	descBuilder.WriteString(" files to detect which version is maximally allowed or minimally required")
 
+	skipSum, skipSign := false, false
+
 	installCmd := &cobra.Command{
 		Use:          "install [version]",
 		Short:        loghelper.Concat("Install a specific version of ", versionManager.FolderName, "."),
@@ -157,7 +160,7 @@ If a parameter is passed, available options:
 	}
 
 	flags := installCmd.Flags()
-	addInstallationFlags(flags, conf, params)
+	addInstallationFlags(flags, conf, params, &skipSum, &skipSign)
 	addRemoteFlags(flags, conf, params)
 
 	return installCmd
@@ -364,6 +367,7 @@ Available parameter options:
 	descBuilder.WriteString(versionManager.FolderName)
 	descBuilder.WriteString(" files to detect which version is maximally allowed or minimally required")
 
+	skipSum, skipSign := false, false
 	forceInstall, forceNoInstall, workingDir := false, false, false
 
 	useCmd := &cobra.Command{
@@ -381,7 +385,7 @@ Available parameter options:
 	}
 
 	flags := useCmd.Flags()
-	addInstallationFlags(flags, conf, params)
+	addInstallationFlags(flags, conf, params, &skipSum, &skipSign)
 	addOptionalInstallationFlags(flags, conf, params, &forceInstall, &forceNoInstall)
 	addRemoteFlags(flags, conf, params)
 	flags.BoolVarP(&workingDir, "working-dir", "w", false, loghelper.Concat("create ", versionManager.VersionFiles[0].Name, " file in working directory"))
@@ -393,11 +397,12 @@ func addDescendingFlag(flags *pflag.FlagSet, pReverseOrder *bool) {
 	flags.BoolVarP(pReverseOrder, "descending", "d", false, "display list in descending version order")
 }
 
-func addInstallationFlags(flags *pflag.FlagSet, conf *config.Config, params subCmdParams) {
+func addInstallationFlags(flags *pflag.FlagSet, conf *config.Config, params subCmdParams, pSkipSum *bool, pSkipSign *bool) {
 	flags.StringVarP(&conf.Arch, "arch", "a", conf.Arch, "specify arch for binaries downloading")
 	if params.pPublicKeyPath != nil {
 		flags.StringVarP(params.pPublicKeyPath, "key-file", "k", *params.pPublicKeyPath, "local path to PGP public key file (replace check against remote one)")
-		flags.BoolVarP(&conf.SkipSignature, "skip-signature", "s", false, "skip signature checking")
+		flags.BoolVar(pSkipSum, "skip-sha", false, "skip SHA256 checksum checking")
+		flags.BoolVarP(pSkipSign, "skip-signature", "s", false, "skip signature checking")
 	}
 }
 
diff --git a/config/config.go b/config/config.go
@@ -45,6 +45,25 @@ const (
 	defaultDirName = ".tenv"
 )
 
+const (
+	SignValidation ValidationMode = iota
+	ShaValidation
+	NoValidation
+)
+
+type ValidationMode uint8
+
+func ParseValidationMode(mode string) ValidationMode {
+	switch mode {
+	case "none":
+		return NoValidation
+	case "sha":
+		return ShaValidation
+	default:
+		return SignValidation
+	}
+}
+
 type Config struct {
 	Arch             string
 	Atmos            RemoteConfig
@@ -59,14 +78,14 @@ type Config struct {
 	RemoteConfPath   string
 	RootPath         string
 	SkipInstall      bool
-	SkipSignature    bool
 	Tf               RemoteConfig
 	TfKeyPathOrURL   string
 	Tg               RemoteConfig
 	Tm               RemoteConfig
 	Tofu             RemoteConfig
 	TofuKeyPathOrURL string
 	UserPath         string
+	Validation       ValidationMode
 	WorkPath         string
 }
 
@@ -89,6 +108,7 @@ func DefaultConfig() (Config, error) {
 		Tofu:             makeDefaultRemoteConfig(tofuurl.Github, githuburl.Base),
 		UserPath:         userPath,
 		WorkPath:         ".",
+		Validation:       SignValidation,
 		TfKeyPathOrURL:   terraformurl.PublicKey,
 		TofuKeyPathOrURL: tofuurl.PublicKey,
 	}, nil
@@ -145,6 +165,7 @@ func InitConfigFromEnv() (Config, error) {
 		Tofu:             makeRemoteConfig(getenv, envname.TofuRemoteURL, envname.TofuListURL, envname.TofuInstallMode, envname.TofuListMode, tofuurl.Github, githuburl.Base),
 		TofuKeyPathOrURL: getenv.WithDefault(tofuurl.PublicKey, envname.TofuOpenTofuPGPKey),
 		UserPath:         userPath,
+		Validation:       ParseValidationMode(getenv(envname.TenvValidation)),
 		WorkPath:         ".",
 	}, nil
 }
@@ -174,6 +195,15 @@ func (conf *Config) InitDisplayer(proxyCall bool) {
 	}
 }
 
+func (conf *Config) InitValidation(skipSum bool, skipSign bool) {
+	switch {
+	case skipSum: // higher priority to --skip-sha
+		conf.Validation = NoValidation
+	case skipSign && conf.Validation != NoValidation:
+		conf.Validation = ShaValidation
+	}
+}
+
 func (conf *Config) InitInstall(forceInstall bool, forceNoInstall bool) {
 	switch {
 	case forceNoInstall: // higher priority to --no-install
diff --git a/config/envname/env.go b/config/envname/env.go
@@ -59,6 +59,7 @@ const (
 	TenvRootPath    = tenvPrefix + rootPath
 	TenvSkipLastUse = tenvPrefix + "SKIP_LAST_USE"
 	TenvToken       = tenvPrefix + token
+	TenvValidation  = tenvPrefix + "VALIDATION"
 
 	TfenvPrefix          = "TFENV_"
 	TfenvTerraformPrefix = TfenvPrefix + "TERRAFORM_"
diff --git a/go.mod b/go.mod
@@ -17,7 +17,7 @@ require (
 	github.com/hashicorp/hcl/v2 v2.24.0
 	github.com/spf13/cobra v1.10.1
 	github.com/spf13/pflag v1.0.10
-	github.com/stretchr/testify v1.11.1
+	github.com/stretchr/testify v1.10.0
 	github.com/zclconf/go-cty v1.17.0
 	gopkg.in/yaml.v3 v3.0.1
 )
@@ -30,7 +30,7 @@ require (
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 	github.com/atotto/clipboard v0.1.4 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
-	github.com/charmbracelet/colorprofile v0.3.1 // indirect
+	github.com/charmbracelet/colorprofile v0.3.2 // indirect
 	github.com/charmbracelet/x/ansi v0.10.1 // indirect
 	github.com/charmbracelet/x/cellbuf v0.0.13 // indirect
 	github.com/charmbracelet/x/term v0.2.1 // indirect
@@ -40,7 +40,7 @@ require (
 	github.com/go-test/deep v1.1.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/kr/pretty v0.2.1 // indirect
-	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
+	github.com/lucasb-eyer/go-colorful v1.3.0 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-localereader v0.0.1 // indirect
@@ -54,12 +54,12 @@ require (
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/sahilm/fuzzy v0.1.1 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
-	golang.org/x/crypto v0.39.0 // indirect
-	golang.org/x/mod v0.25.0 // indirect
-	golang.org/x/net v0.41.0 // indirect
-	golang.org/x/sync v0.15.0 // indirect
+	golang.org/x/crypto v0.42.0 // indirect
+	golang.org/x/mod v0.28.0 // indirect
+	golang.org/x/net v0.44.0 // indirect
+	golang.org/x/sync v0.17.0 // indirect
 	golang.org/x/sys v0.36.0 // indirect
-	golang.org/x/text v0.26.0 // indirect
-	golang.org/x/tools v0.34.0 // indirect
+	golang.org/x/text v0.29.0 // indirect
+	golang.org/x/tools v0.37.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 // indirect
 )
diff --git a/go.sum b/go.sum
@@ -24,8 +24,8 @@ github.com/charmbracelet/bubbles v0.21.0 h1:9TdC97SdRVg/1aaXNVWfFH3nnLAwOXr8Fn6u
 github.com/charmbracelet/bubbles v0.21.0/go.mod h1:HF+v6QUR4HkEpz62dx7ym2xc71/KBHg+zKwJtMw+qtg=
 github.com/charmbracelet/bubbletea v1.3.9 h1:OBYdfRo6QnlIcXNmcoI2n1NNS65Nk6kI2L2FO1puS/4=
 github.com/charmbracelet/bubbletea v1.3.9/go.mod h1:ORQfo0fk8U+po9VaNvnV95UPWA1BitP1E0N6xJPlHr4=
-github.com/charmbracelet/colorprofile v0.3.1 h1:k8dTHMd7fgw4bnFd7jXTLZrSU/CQrKnL3m+AxCzDz40=
-github.com/charmbracelet/colorprofile v0.3.1/go.mod h1:/GkGusxNs8VB/RSOh3fu0TJmQ4ICMMPApIIVn0KszZ0=
+github.com/charmbracelet/colorprofile v0.3.2 h1:9J27WdztfJQVAQKX2WOlSSRB+5gaKqqITmrvb1uTIiI=
+github.com/charmbracelet/colorprofile v0.3.2/go.mod h1:mTD5XzNeWHj8oqHb+S1bssQb7vIHbepiebQ2kPKVKbI=
 github.com/charmbracelet/lipgloss v1.1.0 h1:vYXsiLHVkK7fp74RkV7b2kq9+zDLoEU4MZoFqR/noCY=
 github.com/charmbracelet/lipgloss v1.1.0/go.mod h1:/6Q8FR2o+kj8rz4Dq0zQc3vYf7X+B0binUUBwA0aL30=
 github.com/charmbracelet/x/ansi v0.10.1 h1:rL3Koar5XvX0pHGfovN03f5cxLbCF2YvLeyz7D2jVDQ=
@@ -67,8 +67,8 @@ github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
-github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69Aj6K7nkY=
-github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
+github.com/lucasb-eyer/go-colorful v1.3.0 h1:2/yBRLdWBZKrf7gB40FoiKfAWYQ0lqNcbuQwVHXptag=
+github.com/lucasb-eyer/go-colorful v1.3.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
 github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
 github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
 github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
@@ -107,8 +107,8 @@ github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
 github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
-github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
-github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
@@ -122,17 +122,17 @@ golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliY
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
-golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
+golang.org/x/crypto v0.42.0 h1:chiH31gIWm57EkTXpwnqf8qeuMUi0yekh6mT2AvFlqI=
+golang.org/x/crypto v0.42.0/go.mod h1:4+rDnOTJhQCx2q7/j6rAN5XDw8kPjeaXEUR2eL94ix8=
 golang.org/x/exp v0.0.0-20220909182711-5c715a9e8561 h1:MDc5xs78ZrZr3HMQugiXOAkSZtfTpbJLDr/lwfgO53E=
 golang.org/x/exp v0.0.0-20220909182711-5c715a9e8561/go.mod h1:cyybsKvd6eL0RnXn6p/Grxp8F5bW7iYuBgsNCOHpMYE=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w=
-golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/mod v0.28.0 h1:gQBtGhjxykdjY9YhZpSlZIsbnaE2+PgjfLWUQTnoZ1U=
+golang.org/x/mod v0.28.0/go.mod h1:yfB/L0NOf/kmEbXjzCPOx1iK1fRutOydrCMsqRhEBxI=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
@@ -142,17 +142,17 @@ golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
-golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw=
-golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA=
+golang.org/x/net v0.44.0 h1:evd8IRDyfNBMBTTY5XRF1vaZlD+EmWx6x8PkhR04H/I=
+golang.org/x/net v0.44.0/go.mod h1:ECOoLqd5U3Lhyeyo/QDCEVQ4sNgYsqvCZ722XogGieY=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
-golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
+golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -192,16 +192,16 @@ golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
-golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
+golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
+golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
-golang.org/x/tools v0.34.0 h1:qIpSLOxeCYGg9TrcJokLBG4KFA6d795g0xkBkiESGlo=
-golang.org/x/tools v0.34.0/go.mod h1:pAP9OwEaY1CAW3HOmg3hLZC5Z0CCmzjAF2UQMSqNARg=
+golang.org/x/tools v0.37.0 h1:DVSRzp7FwePZW356yEAChSdNcQo6Nsp+fex1SUW09lE=
+golang.org/x/tools v0.37.0/go.mod h1:MBN5QPQtLMHVdvsbtarmTNukZDdgwdwlO5qGacAzF0w=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
diff --git a/pkg/check/cosign/check.go b/pkg/check/cosign/check.go
@@ -19,6 +19,7 @@
 package cosigncheck
 
 import (
+	"context"
 	"errors"
 	"os"
 	"os/exec"
@@ -40,7 +41,7 @@ var (
 	ErrNotInstalled = errors.New("cosign executable not found")
 )
 
-func Check(data []byte, dataSig []byte, dataCert []byte, certIdentity string, certOidcIssuer string, displayer loghelper.Displayer) error {
+func Check(ctx context.Context, data []byte, dataSig []byte, dataCert []byte, certIdentity string, certOidcIssuer string, displayer loghelper.Displayer) error {
 	_, err := exec.LookPath(cosignExecName)
 	if err != nil {
 		return ErrNotInstalled
@@ -70,7 +71,7 @@ func Check(data []byte, dataSig []byte, dataCert []byte, certIdentity string, ce
 	}
 
 	var outBuffer, errBuffer strings.Builder
-	cmd := exec.Command(cosignExecName, cmdArgs...)
+	cmd := exec.CommandContext(ctx, cosignExecName, cmdArgs...)
 	cmd.Stdout = &outBuffer
 	cmd.Stderr = &errBuffer
 
diff --git a/pkg/check/cosign/check_test.go b/pkg/check/cosign/check_test.go
@@ -46,35 +46,35 @@ var dataCert []byte
 
 func TestCosignCheckCorrect(t *testing.T) { //nolint
 	t.SkipNow()
-	if err := cosigncheck.Check(data, dataSig, dataCert, identity, issuer, loghelper.InertDisplayer); err != nil {
+	if err := cosigncheck.Check(t.Context(), data, dataSig, dataCert, identity, issuer, loghelper.InertDisplayer); err != nil {
 		t.Error("Unexpected error :", err)
 	}
 }
 
 func TestCosignCheckErrorCert(t *testing.T) { //nolint
 	t.SkipNow()
-	if cosigncheck.Check(data, dataSig, dataCert[1:], identity, issuer, loghelper.InertDisplayer) == nil {
+	if cosigncheck.Check(t.Context(), data, dataSig, dataCert[1:], identity, issuer, loghelper.InertDisplayer) == nil {
 		t.Error("Should fail on erroneous certificate")
 	}
 }
 
 func TestCosignCheckErrorIdentity(t *testing.T) { //nolint
 	t.SkipNow()
-	if cosigncheck.Check(data, dataSig, dataCert, "me", issuer, loghelper.InertDisplayer) == nil {
+	if cosigncheck.Check(t.Context(), data, dataSig, dataCert, "me", issuer, loghelper.InertDisplayer) == nil {
 		t.Error("Should fail on erroneous issuer")
 	}
 }
 
 func TestCosignCheckErrorIssuer(t *testing.T) { //nolint
 	t.SkipNow()
-	if cosigncheck.Check(data, dataSig, dataCert, identity, "http://myself.com", loghelper.InertDisplayer) == nil {
+	if cosigncheck.Check(t.Context(), data, dataSig, dataCert, identity, "http://myself.com", loghelper.InertDisplayer) == nil {
 		t.Error("Should fail on erroneous issuer")
 	}
 }
 
 func TestCosignCheckErrorSig(t *testing.T) { //nolint
 	t.SkipNow()
-	if cosigncheck.Check(data, dataSig[1:], dataCert, identity, issuer, loghelper.InertDisplayer) == nil {
+	if cosigncheck.Check(t.Context(), data, dataSig[1:], dataCert, identity, issuer, loghelper.InertDisplayer) == nil {
 		t.Error("Should fail on erroneous signature")
 	}
 }
diff --git a/versionmanager/retriever/atmos/atmosretriever.go b/versionmanager/retriever/atmos/atmosretriever.go
@@ -103,13 +103,15 @@ func (r AtmosRetriever) Install(ctx context.Context, versionStr string, targetPa
 		return err
 	}
 
-	dataSums, err := download.Bytes(ctx, assetURLs[1], r.conf.Displayer.Display, download.NoCheck, requestOptions...)
-	if err != nil {
-		return err
-	}
+	if r.conf.Validation != config.NoValidation {
+		dataSums, err := download.Bytes(ctx, assetURLs[1], r.conf.Displayer.Display, download.NoCheck, requestOptions...)
+		if err != nil {
+			return err
+		}
 
-	if err = sha256check.Check(data, dataSums, fileName); err != nil {
-		return err
+		if err = sha256check.Check(data, dataSums, fileName); err != nil {
+			return err
+		}
 	}
 
 	err = os.MkdirAll(targetPath, rwePerm)
diff --git a/versionmanager/retriever/terraform/terraformretriever.go b/versionmanager/retriever/terraform/terraformretriever.go
diff --git a/versionmanager/retriever/terragrunt/terragruntretriever.go b/versionmanager/retriever/terragrunt/terragruntretriever.go
diff --git a/versionmanager/retriever/terramate/terramateretriever.go b/versionmanager/retriever/terramate/terramateretriever.go
diff --git a/versionmanager/retriever/tofu/tofuretriever.go b/versionmanager/retriever/tofu/tofuretriever.go

Original file line number	Diff line number	Diff line change
`@@ -46,35 +46,35 @@ var dataCert []byte`
`46`	`46`
`47`	`47`	`func TestCosignCheckCorrect(t *testing.T) { //nolint`
`48`	`48`	`t.SkipNow()`
`49`		`- if err := cosigncheck.Check(data, dataSig, dataCert, identity, issuer, loghelper.InertDisplayer); err != nil {`
	`49`	`+ if err := cosigncheck.Check(t.Context(), data, dataSig, dataCert, identity, issuer, loghelper.InertDisplayer); err != nil {`
`50`	`50`	`t.Error("Unexpected error :", err)`
`51`	`51`	`}`
`52`	`52`	`}`
`53`	`53`
`54`	`54`	`func TestCosignCheckErrorCert(t *testing.T) { //nolint`
`55`	`55`	`t.SkipNow()`
`56`		`- if cosigncheck.Check(data, dataSig, dataCert[1:], identity, issuer, loghelper.InertDisplayer) == nil {`
	`56`	`+ if cosigncheck.Check(t.Context(), data, dataSig, dataCert[1:], identity, issuer, loghelper.InertDisplayer) == nil {`
`57`	`57`	`t.Error("Should fail on erroneous certificate")`
`58`	`58`	`}`
`59`	`59`	`}`
`60`	`60`
`61`	`61`	`func TestCosignCheckErrorIdentity(t *testing.T) { //nolint`
`62`	`62`	`t.SkipNow()`
`63`		`- if cosigncheck.Check(data, dataSig, dataCert, "me", issuer, loghelper.InertDisplayer) == nil {`
	`63`	`+ if cosigncheck.Check(t.Context(), data, dataSig, dataCert, "me", issuer, loghelper.InertDisplayer) == nil {`
`64`	`64`	`t.Error("Should fail on erroneous issuer")`
`65`	`65`	`}`
`66`	`66`	`}`
`67`	`67`
`68`	`68`	`func TestCosignCheckErrorIssuer(t *testing.T) { //nolint`
`69`	`69`	`t.SkipNow()`
`70`		`- if cosigncheck.Check(data, dataSig, dataCert, identity, "http://myself.com", loghelper.InertDisplayer) == nil {`
	`70`	`+ if cosigncheck.Check(t.Context(), data, dataSig, dataCert, identity, "http://myself.com", loghelper.InertDisplayer) == nil {`
`71`	`71`	`t.Error("Should fail on erroneous issuer")`
`72`	`72`	`}`
`73`	`73`	`}`
`74`	`74`
`75`	`75`	`func TestCosignCheckErrorSig(t *testing.T) { //nolint`
`76`	`76`	`t.SkipNow()`
`77`		`- if cosigncheck.Check(data, dataSig[1:], dataCert, identity, issuer, loghelper.InertDisplayer) == nil {`
	`77`	`+ if cosigncheck.Check(t.Context(), data, dataSig[1:], dataCert, identity, issuer, loghelper.InertDisplayer) == nil {`
`78`	`78`	`t.Error("Should fail on erroneous signature")`
`79`	`79`	`}`
`80`	`80`	`}`