Expected Behavior
Running tofu init should not fail if one of the providers' signing keys is expired.
Actual Behavior
Running tofu init fails if one of the providers' signing keys is expired.
Steps to Reproduce
Run tofu init on a configuration that includes a provider that has been signed by an expired signing key.
Additional Context
go-crypto is doing the GPG key expiry validation for tofu. We'd need to either pick a different package, or somehow skip this validation / display a warning instead of an error.
An expired key should not fail tofu init.
RLRabinowitz added the accepted label and removed the pending-decision label on Nov 5, 2023.
We had a discussion around this one here: #673. And in my opinion, whilst the conversation didn't carry on much, I think there was a general consensus: over time we should get stricter.
I'd love to propose that we do the following (instead of just allowing it):
For the stable release (this issue)
Allow expired gpg keys for now, but display a warning.
For the next release
Add an opt-in variable that forces a stricter mode of verification (allow by default, disallow expired keys if the var is true)
For a future release
Look into asserting validation of provider signings by combining both the expiry of the key along with other factors (generation of sig file, time of provider artifacts being generated, etc.)
For reference, here's some comments/ideas on this:
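The issue says the expiry error comes from go-crypto, and the comment above proposes three stages: accept expired keys with a warning now, add an opt-in strict mode next, and later take the signature's own timestamp into account. The following Go program is an added example written for this page (it is not OpenTofu or go-crypto code) that implements that decision layer as a stand-alone policy function. It assumes the caller has already had the OpenPGP library check that the signature cryptographically verifies under the key, and has the key's creation/expiry times and the signature's creation time in hand; the type names Key, Signature, Policy, Verdict and the function EvaluateKeyExpiry are made up for the example, as is the sample key data in main.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Key holds the fields of an OpenPGP public key that the expiry decision
// needs. A zero Expires means the key never expires.
type Key struct {
	Fingerprint string
	Created     time.Time
	Expires     time.Time
}

// Signature holds the fields of an OpenPGP signature packet the decision
// needs: the issuing key and the creation time recorded in the signature.
type Signature struct {
	KeyFingerprint string
	Created        time.Time
}

// Policy models the opt-in strict mode proposed in the thread. With
// StrictExpiry false (the proposed default) an expired key is accepted with a
// warning; with it true the same case becomes a hard failure.
type Policy struct {
	StrictExpiry bool
}

// Verdict is what init would act on: whether to proceed, warnings to print,
// and the error when it must not proceed.
type Verdict struct {
	Accepted bool
	Warnings []string
	Err      error
}

// Sentinel errors so callers can tell the reasons apart with errors.Is.
var (
	ErrKeyMismatch       = errors.New("signature was not issued by the given key")
	ErrSignedBeforeKey   = errors.New("signature predates the key's creation")
	ErrSignedAfterExpiry = errors.New("signature was made after the key expired")
	ErrKeyExpiredStrict  = errors.New("signing key has expired and strict expiry checking is enabled")
)

// Expired reports whether the key is past its expiry at time t.
func (k Key) Expired(t time.Time) bool {
	return !k.Expires.IsZero() && !t.Before(k.Expires)
}

// EvaluateKeyExpiry decides how to treat key expiry for a signature whose
// cryptographic validity has ALREADY been checked by the OpenPGP library
// (assumption of this example). It separates "the key is expired now" (a
// policy question) from "the signature was made outside the key's validity
// window" (always rejected), which is the time-aware check the thread
// suggests for a future release.
func EvaluateKeyExpiry(key Key, sig Signature, now time.Time, p Policy) Verdict {
	if sig.KeyFingerprint != key.Fingerprint {
		return Verdict{Err: ErrKeyMismatch}
	}
	if sig.Created.Before(key.Created) {
		return Verdict{Err: ErrSignedBeforeKey}
	}
	// Key still valid at verification time: nothing to report.
	if !key.Expired(now) {
		return Verdict{Accepted: true}
	}
	// Key expired: a signature dated after the expiry is never acceptable,
	// whatever the policy says.
	if key.Expired(sig.Created) {
		return Verdict{Err: ErrSignedAfterExpiry}
	}
	// Signature was made while the key was valid; only the key has since
	// expired. This is the case the issue is about.
	if p.StrictExpiry {
		return Verdict{Err: ErrKeyExpiredStrict}
	}
	return Verdict{
		Accepted: true,
		Warnings: []string{fmt.Sprintf(
			"provider signing key %s expired on %s; the signature (made %s) is accepted because it predates the expiry",
			key.Fingerprint, key.Expires.Format(time.RFC3339), sig.Created.Format(time.RFC3339))},
	}
}

func main() {
	// Constructed sample data for the example; not a real provider key.
	key := Key{
		Fingerprint: "0123456789ABCDEF0123456789ABCDEF01234567",
		Created:     time.Date(2022, 1, 1, 0, 0, 0, 0, time.UTC),
		Expires:     time.Date(2023, 6, 1, 0, 0, 0, 0, time.UTC),
	}
	sig := Signature{KeyFingerprint: key.Fingerprint, Created: time.Date(2023, 3, 1, 0, 0, 0, 0, time.UTC)}
	now := time.Date(2023, 11, 5, 0, 0, 0, 0, time.UTC)

	for _, p := range []Policy{{StrictExpiry: false}, {StrictExpiry: true}} {
		v := EvaluateKeyExpiry(key, sig, now, p)
		fmt.Printf("strict=%v accepted=%v warnings=%v err=%v\n", p.StrictExpiry, v.Accepted, v.Warnings, v.Err)
	}
}
```

One caveat on the time-aware check: the creation time in an OpenPGP signature is written by the signer and covered by the signature, so whoever holds the (possibly leaked) expired private key can backdate it. Comparing the signature time against the key's validity window therefore only adds assurance when it is cross-checked against a timestamp the signer does not control, such as the registry's own record of when the provider artifact was published, which is the "time of provider artifacts being generated" factor mentioned in the comment.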