-
Notifications
You must be signed in to change notification settings - Fork 697
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG]: OpenTofu registry is missing GPG keys for this provider #2183
Comments
I believe the fix is that GitHub needs to just submit their provider GPG key to opentofu: |
OpenTofu Technical Lead here - Just a note @kfcampbell, as you've marked this as up for grabs - the public gpg key needs to be submitted by a member of this organization, for the registry to accept it. |
Hmm...our private key is stored as an Actions secret, which is great because the actual content of it isn't stored anywhere else to my knowledge. I unfortunately have no idea where our public key exists as a file. This could be a bit of a hassle. |
@kfcampbell you’ve probably added it to the HashiCorp registry, and should be able to get it out of there. |
If you can't get the your public key from any other source, you can get it via: curl 'https://registry.terraform.io/v1/providers/integrations/github/6.0.1/download/linux/amd64' | jq --raw-output '.signing_keys | .gpg_public_keys | .[0] | .ascii_armor' > github_registry_key.pub Note that the I attached the key for reference. You can get its fingerprint:
... which should return
matches your build logs: ... since that env var is used by goreleaser to sign: https://github.com/goreleaser/goreleaser-action?tab=readme-ov-file#signing |
@kfcampbell ... are you able to use the instructions above to get the key? Once you have that key, the PR to Open Tofu should be very easy: https://github.com/opentofu/registry/issues/new?assignees=&labels=provider-key%2Csubmission&projects=&template=provider_key.yml&title=Provider+Key%3A+ Only you (or someone else from GitHub) can take care of this. Once you do so, it will allow users of GitHub and OpenTofu to securely use this provider to manage their GitHub resources. |
Bumping, trying to migrate our workflows to OpenTofu and cannot pull in the Github provider because of the missing GPG keys. |
@kfcampbell Any update on this? After several months in the "terraform vs. opentofu" limbo and being stuck on terraform 1.5 my organisation now also decided to switch to OpenTofu. It would be great to be able to properly install the GitHub provider. |
We had similar experience with support. For those of us using GitHub Enterprise, I suggest reaching out via sales channels to see if we can get traction. |
@nickfloyd Can you maybe help with that? Thanks in advance! |
Anyone here spending a decent amount on GitHub enterprise that could help push this forward via their sales rep? |
Expected Behavior
I wasn't expecting this notification when using opentofu:
Actual Behavior
I am being warned that signature validation was skipped
Terraform Version
opentofu 1.6.2
Affected Resource(s)
Initialization of the provider
Terraform Configuration Files
No response
Steps to Reproduce
Use opentofu and initalize with the github provider
Debug Output
No response
Panic Output
No response
Code of Conduct
The text was updated successfully, but these errors were encountered: