OpenVoxProject · jeremie-pierson · Aug 21, 2025 · Aug 21, 2025 · Aug 21, 2025 · Aug 25, 2025
diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb
@@ -1114,6 +1114,13 @@ def self.initialize_default_settings!(settings)
       # Sure would be nice to set the Puppet::Util::Log destination here in an :on_initialize_and_write hook,
       # unfortunately we have a large number of tests that rely on the logging not resetting itself when the
       # settings are initialized as they test what gets logged during settings initialization.
+    },
+    :use_checksum_in_file_content => {
+      :default => true,
+      :type    => :boolean,
+      :desc    => "Whether to allow specifying checksums in file content attributes; this is
+      deprecated, the checksum retrieval functionality is being replaced by the use of
+      static catalogs."
     }
   )
 

diff --git a/lib/puppet/type/file/content.rb b/lib/puppet/type/file/content.rb
@@ -48,23 +48,40 @@ module Puppet
       if value == :absent
         value
       elsif value.is_a?(String) && checksum?(value)
-        # XXX This is potentially dangerous because it means users can't write a file whose
-        # entire contents are a plain checksum unless it is a Binary content.
-        Puppet.puppet_deprecation_warning([
-          # TRANSLATORS "content" is an attribute and should not be translated
-          _('Using a checksum in a file\'s "content" property is deprecated.'),
-          # TRANSLATORS "filebucket" is a resource type and should not be translated. The quoted occurrence of "content" is an attribute and should not be translated.
-          _('The ability to use a checksum to retrieve content from the filebucket using the "content" property will be removed in a future release.'),
-          # TRANSLATORS "content" is an attribute and should not be translated.
-          _('The literal value of the "content" property will be written to the file.'),
-          # TRANSLATORS "static catalogs" should not be translated.
-          _('The checksum retrieval functionality is being replaced by the use of static catalogs.'),
-          _('See https://puppet.com/docs/puppet/latest/static_catalogs.html for more information.')
-        ].join(" "),
-                                          :file => @resource.file,
-                                          :line => @resource.line) if !@actual_content && !resource.parameter(:source)
-        value
+        # Our argument looks like a checksum. Is it the value of the content
+        # attribute in Puppet code, that happens to look like a checksum, or is
+        # it an actual checksum computed on the actual content?
+        if @actual_content || resource.parameter(:source)
+          # Actual content is already set, value contains it's checksum
+          value
+        elsif Puppet[:use_checksum_in_file_content]
+          # The value passed in the "content" attribute of this file looks like
+          # a checksum, and this is intended by the user.
+          # Display a warning as this behavior is deprecated.
+          Puppet.puppet_deprecation_warning([
+            # TRANSLATORS "content" is an attribute and should not be translated
+            _('Using a checksum in a file\'s "content" property is deprecated.'),
+            # TRANSLATORS "filebucket" is a resource type and should not be translated. The quoted occurrence of "content" is an attribute and should not be translated.
+            _('The ability to use a checksum to retrieve content from the filebucket using the "content" property will be removed in a future release.'),
+            # TRANSLATORS "content" is an attribute and should not be translated.
+            _('The literal value of the "content" property will be written to the file.'),
+            # TRANSLATORS "static catalogs" should not be translated.
+            _('The checksum retrieval functionality is being replaced by the use of static catalogs.'),
+            _('See https://puppet.com/docs/puppet/latest/static_catalogs.html for more information.')
+          ].join(" "),
+                                            :file => @resource.file,
+                                            :line => @resource.line) if !@actual_content && !resource.parameter(:source)
+          # We return the value assuming it really is the checksum of the
+          # actual content we want. It should be fetched from filebucket
+          # later on.
+          value
+        else
+          # The content only happens to look like a checksum by chance.
+          @actual_content = value.is_a?(Puppet::Pops::Types::PBinaryType::Binary) ? value.binary_buffer : value
+          resource.parameter(:checksum).sum(@actual_content)
+        end
       else
+        # Our argument is definitely not a checksum: set actual_value and return calculated checksum.
         @actual_content = value.is_a?(Puppet::Pops::Types::PBinaryType::Binary) ? value.binary_buffer : value
         resource.parameter(:checksum).sum(@actual_content)
       end
@@ -163,6 +180,8 @@ def each_chunk_from
     end
 
     def content_is_really_a_checksum?
+      return false unless Puppet[:use_checksum_in_file_content]
+
       checksum?(should)
     end
 

diff --git a/references/configuration.md b/references/configuration.md
@@ -1,14 +1,14 @@
 ---
 layout: default
-built_from_commit: 812d7420ea5d7e19e8003b26486a7c8847afdb25
+built_from_commit: 9ef8d3ec9d10d535a5c341464415dd55e44b5588
 title: Configuration Reference
 toc: columns
 canonical: "/puppet/latest/configuration.html"
 ---
 
 # Configuration Reference
 
-> **NOTE:** This page was generated from the Puppet source code on 2024-10-18 17:22:26 +0000
+> **NOTE:** This page was generated from the Puppet source code on 2025-08-21 17:25:10 +0200
 
 
 
@@ -2143,6 +2143,14 @@ the beginning of the Puppet run.
 
 - *Default*: `false`
 
+### use_checksum_in_file_content
+
+Whether to allow specifying checksums in file content attributes; this is
+deprecated, the checksum retrieval functionality is being replaced by the use of
+static catalogs.
+
+- *Default*: `true`
+
 ### use_last_environment
 
 Puppet saves both the initial and converged environment in the last_run_summary file.

diff --git a/spec/integration/type/file_spec.rb b/spec/integration/type/file_spec.rb
@@ -636,6 +636,15 @@ def get_aces_for_path_by_sid(path, sid)
       catalog.apply
     end
 
+    it "should not give a deprecation warning when checksum are disabled in content" do
+      Puppet[:use_checksum_in_file_content] = false
+      expect(Puppet).not_to receive(:puppet_deprecation_warning)
+      file = described_class.new(:path => path, :content => '{ABCD}X')
+      catalog.add_resource file
+      catalog.apply
+      expect(File.read(file[:path])).to eq('{ABCD}X')
+    end
+
     with_digest_algorithms do
       it_should_behave_like "files are backed up", {} do
         let(:filebucket_digest) { method(:digest) }