terraform

Commit Graph

Author	SHA1	Message	Date
findkim	1a32617d5e	plugin/discovery: verify checksum matches Registry response	2019-03-21 12:31:31 -05:00
Justin Campbell	495826444b	plugin/discovery: Use GPG keys from Registry When verifying the signature of the SHA256SUMS file, we have been hardcoding HashiCorp's public GPG key and using it as the keyring. Going forward, Terraform will get a list of valid public keys for a provider from the Terraform Registry (registry.terraform.io), and use them as the keyring for the openpgp verification func.	2018-11-20 14:09:16 -05:00
James Bardin	415d562d36	add signature verification Fetch the SHA256SUMS file and verify it's signature before downloading any plugins. This embeds the hashicorp public key in the binary. If the publickey is replaced, new releases will need to be cut anyway. A --verify-plugin=false flag will be added to skip signature verification in these cases.	2017-06-20 13:14:30 -04:00

Author

SHA1

Message

Date

findkim

1a32617d5e

plugin/discovery: verify checksum matches Registry response

2019-03-21 12:31:31 -05:00

Justin Campbell

495826444b

plugin/discovery: Use GPG keys from Registry

When verifying the signature of the SHA256SUMS file, we have been
hardcoding HashiCorp's public GPG key and using it as the keyring.

Going forward, Terraform will get a list of valid public keys for a
provider from the Terraform Registry (registry.terraform.io), and use
them as the keyring for the openpgp verification func.

2018-11-20 14:09:16 -05:00

James Bardin

415d562d36

add signature verification

Fetch the SHA256SUMS file and verify it's signature before downloading
any plugins.

This embeds the hashicorp public key in the binary. If the publickey is
replaced, new releases will need to be cut anyway. A
--verify-plugin=false flag will be added to skip signature verification
in these cases.

2017-06-20 13:14:30 -04:00

3 Commits