terraform/plugin/discovery/signature.go

package discovery

import (
	"bytes"
	"strings"

	"golang.org/x/crypto/openpgp"
)

// Verify the data using the provided openpgp detached signature and the
// embedded hashicorp public key.
func verifySig(data, sig []byte, armor string) (*openpgp.Entity, error) {
	el, err := openpgp.ReadArmoredKeyRing(strings.NewReader(armor))
	if err != nil {
		return nil, err
	}

	return openpgp.CheckDetachedSignature(el, bytes.NewReader(data), bytes.NewReader(sig))
}
add signature verification Fetch the SHA256SUMS file and verify it's signature before downloading any plugins. This embeds the hashicorp public key in the binary. If the publickey is replaced, new releases will need to be cut anyway. A --verify-plugin=false flag will be added to skip signature verification in these cases. 2017-06-17 16:52:30 +02:00			`package discovery`

			`import (`
			`"bytes"`
			`"strings"`

			`"golang.org/x/crypto/openpgp"`
			`)`

			`// Verify the data using the provided openpgp detached signature and the`
			`// embedded hashicorp public key.`
plugin/discovery: Use GPG keys from Registry When verifying the signature of the SHA256SUMS file, we have been hardcoding HashiCorp's public GPG key and using it as the keyring. Going forward, Terraform will get a list of valid public keys for a provider from the Terraform Registry (registry.terraform.io), and use them as the keyring for the openpgp verification func. 2018-11-14 20:52:46 +01:00			`func verifySig(data, sig []byte, armor string) (*openpgp.Entity, error) {`
			`el, err := openpgp.ReadArmoredKeyRing(strings.NewReader(armor))`
add signature verification Fetch the SHA256SUMS file and verify it's signature before downloading any plugins. This embeds the hashicorp public key in the binary. If the publickey is replaced, new releases will need to be cut anyway. A --verify-plugin=false flag will be added to skip signature verification in these cases. 2017-06-17 16:52:30 +02:00			`if err != nil {`
plugin/discovery: verify checksum matches Registry response 2019-03-21 17:17:15 +01:00			`return nil, err`
add signature verification Fetch the SHA256SUMS file and verify it's signature before downloading any plugins. This embeds the hashicorp public key in the binary. If the publickey is replaced, new releases will need to be cut anyway. A --verify-plugin=false flag will be added to skip signature verification in these cases. 2017-06-17 16:52:30 +02:00			`}`

plugin/discovery: Use GPG keys from Registry When verifying the signature of the SHA256SUMS file, we have been hardcoding HashiCorp's public GPG key and using it as the keyring. Going forward, Terraform will get a list of valid public keys for a provider from the Terraform Registry (registry.terraform.io), and use them as the keyring for the openpgp verification func. 2018-11-14 20:52:46 +01:00			`return openpgp.CheckDetachedSignature(el, bytes.NewReader(data), bytes.NewReader(sig))`
add signature verification Fetch the SHA256SUMS file and verify it's signature before downloading any plugins. This embeds the hashicorp public key in the binary. If the publickey is replaced, new releases will need to be cut anyway. A --verify-plugin=false flag will be added to skip signature verification in these cases. 2017-06-17 16:52:30 +02:00			`}`