Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Terraform Registry: Use signing keys provided from the Registry #19389

Merged
merged 4 commits into from
Nov 20, 2018

Conversation

justincampbell
Copy link
Contributor

When downloading providers from the Terraform Registry, the API response contains a list of ASCII-armor GPG public keys for the provider publisher.

https://registry.terraform.io/v1/providers/terraform-providers/aws/1.42.0/download/linux/amd64

This changes Terraform to use these returned keys, instead of the previously-hardcoded HashiCorp key, for verifying the signature of the shasums file.

Failure message with a hardcoded bad token:

Failure message with a hardcoded bad token

Success output (unchanged):

Success output (unchanged)

@justincampbell justincampbell force-pushed the f-registry-provider-signing-keys branch from 14c9dd8 to 40e5252 Compare November 16, 2018 21:48
@mildwonkey mildwonkey requested a review from a team November 16, 2018 22:08
plugin/discovery/get.go Outdated Show resolved Hide resolved
Copy link
Contributor

@mildwonkey mildwonkey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@justincampbell justincampbell force-pushed the f-registry-provider-signing-keys branch from 40e5252 to befad9a Compare November 19, 2018 21:29
@apparentlymart
Copy link
Contributor

Sorry for the test turbulence here, @justincampbell.

The Travis-CI tests are now back to green in master, so if you could rebase this to latest master before merging just so we can see it pass the tests that'd be great!

@justincampbell justincampbell force-pushed the f-registry-provider-signing-keys branch 2 times, most recently from 21ec7be to aa86b27 Compare November 20, 2018 14:37
When verifying the signature of the SHA256SUMS file, we have been
hardcoding HashiCorp's public GPG key and using it as the keyring.

Going forward, Terraform will get a list of valid public keys for a
provider from the Terraform Registry (registry.terraform.io), and use
them as the keyring for the openpgp verification func.
This is so that any errors output from the checksum/signature verification show up in the expected place in the output.
When GPG verification fails, display a helpful message to the user instead of the generic openpgp error.
@justincampbell justincampbell force-pushed the f-registry-provider-signing-keys branch from aa86b27 to c993e9b Compare November 20, 2018 19:09
@justincampbell justincampbell merged commit bf301d7 into master Nov 20, 2018
@justincampbell justincampbell deleted the f-registry-provider-signing-keys branch November 20, 2018 19:28
justincampbell added a commit that referenced this pull request Mar 1, 2019
#19389 introduced a change to
the provider GPG signature verification process, and removed the
hardcoded HashiCorp GPG key.

While the changes were intended and are still planned for a future
release, we should still be verifying all providers in the TF 0.12.0
release against the HashiCorp GPG key until a more robust key
verification procedure is in place.

Fixes #20527
@ghost
Copy link

ghost commented Mar 31, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Mar 31, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants