Terraform Registry: Use signing keys provided from the Registry #19389
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
justincampbell
force-pushed
the
f-registry-provider-signing-keys
branch
from
14c9dd8
to
40e5252
Compare
mildwonkey
reviewed
Nov 16, 2018
findkim
reviewed
Nov 16, 2018
justincampbell
force-pushed
the
f-registry-provider-signing-keys
branch
from
40e5252
to
befad9a
Compare
|
Sorry for the test turbulence here, @justincampbell. The Travis-CI tests are now back to green in |
justincampbell
force-pushed
the
f-registry-provider-signing-keys
branch
2 times, most recently
from
21ec7be
to
aa86b27
Compare
When verifying the signature of the SHA256SUMS file, we have been hardcoding HashiCorp's public GPG key and using it as the keyring. Going forward, Terraform will get a list of valid public keys for a provider from the Terraform Registry (registry.terraform.io), and use them as the keyring for the openpgp verification func.
This is so that any errors output from the checksum/signature verification show up in the expected place in the output.
When GPG verification fails, display a helpful message to the user instead of the generic openpgp error.
justincampbell
force-pushed
the
f-registry-provider-signing-keys
branch
from
aa86b27
to
c993e9b
Compare
justincampbell
added a commit
that referenced
this pull request
Mar 1, 2019
#19389 introduced a change to the provider GPG signature verification process, and removed the hardcoded HashiCorp GPG key. While the changes were intended and are still planned for a future release, we should still be verifying all providers in the TF 0.12.0 release against the HashiCorp GPG key until a more robust key verification procedure is in place. Fixes #20527
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
ghost
locked and limited conversation to collaborators
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When downloading providers from the Terraform Registry, the API response contains a list of ASCII-armor GPG public keys for the provider publisher.
https://registry.terraform.io/v1/providers/terraform-providers/aws/1.42.0/download/linux/amd64
This changes Terraform to use these returned keys, instead of the previously-hardcoded HashiCorp key, for verifying the signature of the shasums file.
Failure message with a hardcoded bad token:
Success output (unchanged):