Packer’s checksum post-processor doesn’t just generate checksums; it actively uses them to prove your artifact is exactly what it’s supposed to be, preventing silent corruption during transfer or storage.

Let’s see it in action. Imagine we’re building an AWS AMI.

packer {
  required_plugins {
    amazon = {
      version = ">= 1.0.0"
      source  = "github.com/hashicorp/amazon"
    }
  }
}

source "amazon-ebs" "example" {
  ami_name      = "packer-checksum-example-{{timestamp}}"
  instance_type = "t2.micro"
  region        = "us-east-1"
  source_ami    = "ami-0c55b159cbfafe1f0" # An Ubuntu 20.04 AMI
  ssh_username  = "ubuntu"
}

build {
  sources = ["source.amazon-ebs.example"]

  # HCL2 declares each post-processor as a labeled block
  post-processor "checksum" {
  }
}

When Packer runs this, it will build the AMI, and then, before it declares success, it will:

  1. Download the generated artifact (in this case, the AMI’s .vmdk or equivalent representation).
  2. Calculate a checksum (SHA256 by default) of that downloaded artifact.
  3. Compare this calculated checksum against a checksum it generated and stored during the build process itself.

If they match, the build succeeds. If they don’t, Packer fails the build, telling you the artifact you just downloaded is not the one it originally created.

The core problem the checksum post-processor solves is data integrity assurance for your built artifacts. When you build an image, especially for distributed environments or cloud deployments, there’s a non-zero chance of corruption happening during the upload, download, or even storage phases. Network glitches, disk errors on your build server, or issues with object storage can silently alter your binary image data. Without a verification step, you might deploy a corrupted image, leading to non-booting systems or mysterious application failures that are incredibly hard to debug. The checksum post-processor acts as a final, automated gatekeeper, ensuring that the artifact you intend to deploy is identical to the artifact that successfully passed Packer’s build process.

Internally, Packer leverages the go-packer/checksum plugin. When the checksum post-processor is invoked, Packer triggers the download of the artifact created by the builder. It then uses a cryptographically secure hashing algorithm (SHA256 by default) to compute the hash of this downloaded file. This computed hash is then compared against a reference hash that was generated during the build itself and stored as part of the build’s metadata. This reference hash is essentially a digital fingerprint of the artifact as it was finalized by the builder. If the hashes match, it’s extremely probable that the artifact has not been altered since it was created.

You control the hashing algorithm with the checksum_types option, which takes a list of algorithm names. For example, to use MD5 (though SHA256 is strongly recommended for security):

post-processor "checksum" {
  checksum_types = ["md5"]
}

You can also specify where the checksum file should be written using the output parameter. By default, it’s written alongside the artifact, often named something like ami-xxxx.sha256.

post-processor "checksum" {
  output = "my-custom-checksums.txt"
}

This is particularly useful if you have multiple artifacts and want a single file containing all their checksums for easier verification later.
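One way to run that later verification against a file such as my-custom-checksums.txt, as an added example that is not Packer's or this page's own code. It assumes each line holds a hex digest, whitespace, then a file name (the layout sha256sum emits); the function names and the sample files in demo() are hypothetical and constructed.

```python
import hashlib
import hmac
import os
import re
import tempfile

SHA256_HEX = re.compile(r"[0-9a-f]{64}")

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so a multi-gigabyte image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_manifest(manifest_path, artifact_dir):
    """Map each manifest entry to "ok", "mismatch", "missing" or "rejected"."""
    results = {}
    with open(manifest_path, encoding="utf-8") as fh:
        for line in filter(str.strip, fh):
            fields = line.split(None, 1)
            expected = fields[0].lower()
            name = fields[1].strip() if len(fields) == 2 else ""
            # Reject non-SHA-256 digests (MD5 is 32 hex chars) and names with a path part.
            if not SHA256_HEX.fullmatch(expected) or not name or os.path.basename(name) != name:
                results[name or line.strip()] = "rejected"
                continue
            path = os.path.join(artifact_dir, name)
            if not os.path.isfile(path):
                results[name] = "missing"
                continue
            # compare_digest does not stop at the first differing character.
            same = hmac.compare_digest(sha256_file(path), expected)
            results[name] = "ok" if same else "mismatch"
    return results

def demo():
    """Constructed sample data; file names and contents are made up."""
    h = lambda data: hashlib.sha256(data).hexdigest()
    rows = [(h(b"golden image"), "image.raw"), (h(b"as built"), "disk.vmdk"),
            ("0" * 32, "legacy.img"), (h(b"never uploaded"), "gone.img")]
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("image.raw", b"golden image"), ("disk.vmdk", b"altered later")):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        manifest = os.path.join(d, "my-custom-checksums.txt")
        with open(manifest, "w", encoding="utf-8") as fh:
            fh.writelines(f"{digest}\t{name}\n" for digest, name in rows)
        return verify_manifest(manifest, d)
```

A deployment gate would treat any status other than "ok" as a failure, including "rejected" entries whose digest is not SHA-256.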

The most surprising mechanical detail is that Packer generates and stores its own checksum during the build, before the post-processor even runs. The post-processor’s job isn’t to generate a new checksum for you to manually verify later; it’s to download the artifact again and generate a checksum to compare against the one Packer already made. This ensures that the artifact can be reliably retrieved and hasn’t been corrupted in transit from the builder’s temporary storage to where the post-processor can access it, or while the builder moves or copies it to its final destination.

The next step after ensuring your artifacts are pristine is understanding how to manage their lifecycle, perhaps using artifact versioning or cleanup strategies.
