Do not fail initialization if signing key has expired #822

Closed
RLRabinowitz opened this issue Nov 5, 2023 · 1 comment · Fixed by #848
Labels
accepted This issue has been accepted for implementation. bug Something isn't working

Comments

@RLRabinowitz
Collaborator

RLRabinowitz commented Nov 5, 2023

OpenTofu Version

1.6.0-alpha3

OpenTofu Configuration Files

...tofu config...

Debug Output

.

Expected Behavior

Running tofu init should not fail if one of the providers' signing keys is expired

Actual Behavior

Running tofu init fails if one of the providers' signing keys is expired

Steps to Reproduce

tofu init on a configuration that includes a provider that has been signed by expired signing keys

Additional Context

go-crypto is making the GPG key expiry validation for tofu. We'd need to either pick a different package, or to somehow skip this validation / display a warning instead of an error.
An expired key should not fail tofu init

References

@RLRabinowitz RLRabinowitz added bug Something isn't working pending-decision This issue has not been accepted for implementation nor rejected. It's still open to discussion. labels Nov 5, 2023
@RLRabinowitz RLRabinowitz self-assigned this Nov 5, 2023
@RLRabinowitz RLRabinowitz added accepted This issue has been accepted for implementation. and removed pending-decision This issue has not been accepted for implementation nor rejected. It's still open to discussion. labels Nov 5, 2023
@Yantrio
Member

Yantrio commented Nov 6, 2023

We had a discussion around this one here: #673. And in my opinion, whilst the conversation didn't carry on much, I think there was a general consensus: over time we should get stricter.

I'd love to propose that we do the following (instead of just allowing it):

For the stable release (this issue)
Allow expired gpg keys for now, but display a warning.

For the next release
Add an opt-in variable that forces a stricter mode of verification (allow by default, disallow expired keys if the var is true)

For a future release
Look into asserting validation of provider signings by combining both the expiry of the key along with other factors (Generation of sig file, time of provider artifacts being generated, etc etc)

For reference, here's some comments/ideas on this:

WDYT @cube2222 @RLRabinowitz
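
The first two stages proposed in the comment above, as an added Go example that is not OpenTofu's code: only the expired-key error is downgraded to a warning, and a strict flag restores the hard failure. The sentinel errors are constructed stand-ins for the OpenPGP library's own, and `applyExpiryPolicy`, `Result` and the `strict` flag are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed stand-ins for the errors an OpenPGP library reports; they are
// not go-crypto's own values.
var (
	errKeyExpired   = errors.New("openpgp: key expired")
	errBadSignature = errors.New("openpgp: invalid signature")
)

// Result of applying the expiry policy to one provider signature check.
type Result struct {
	Warning string // non-empty when installation proceeds with a caveat
	Err     error  // non-nil when installation must stop
}

// applyExpiryPolicy downgrades only the expired-key failure to a warning.
// Every other verification error stays fatal, and strict mode
// (a hypothetical opt-in setting) restores the hard failure.
func applyExpiryPolicy(provider string, verifyErr error, strict bool) Result {
	switch {
	case verifyErr == nil:
		return Result{}
	case errors.Is(verifyErr, errKeyExpired) && !strict:
		return Result{Warning: fmt.Sprintf(
			"provider %s is signed with an expired key; continuing", provider)}
	default:
		return Result{Err: fmt.Errorf("verifying %s: %w", provider, verifyErr)}
	}
}

func main() {
	// Constructed input: the expiry error wrapped as a call chain would return it.
	wrapped := fmt.Errorf("checking detached signature: %w", errKeyExpired)
	fmt.Println(applyExpiryPolicy("example/provider", wrapped, false))
	fmt.Println(applyExpiryPolicy("example/provider", wrapped, true))
	fmt.Println(applyExpiryPolicy("example/provider", errBadSignature, false))
}
```

Matching with `errors.Is` rather than comparing error strings keeps the downgrade limited to the expiry case even when the library wraps the error, so an invalid signature can never be reported as a mere warning.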
