asdf-community / asdf-hashicorp

HashiCorp plugin for the asdf version manager
https://github.com/asdf-vm/asdf
MIT License

Verify Hashicorp GPG signatures and checksums #24

Closed nathantypanski closed 3 years ago

nathantypanski commented 3 years ago

This plugin did not check GPG signatures or checksums. So when the CodeCov breach affected Hashicorp, leading to

https://discuss.hashicorp.com/t/hcsec-2021-12-codecov-security-event-and-hashicorp-gpg-key-exposure/23512

and a GPG key update announcement on

https://www.hashicorp.com/security

the first thing I checked was whether my asdf plugin for Hashicorp Vault had been updated to support the new key.

Alas, it hadn't! In fact, asdf wasn't verifying GPG signatures at all, meaning that supply chain compromises of Hashicorp infrastructure could trivially deliver compromised Vault, Terraform, and Consul binaries to users.

To fix this, I've added signature and checksum verification to asdf-hashicorp. The GPG key is static, included in this repo, because in modeling a future attack where the adversary has control of HashiCorp's webservers (but not their GPG notary server), we would remain at risk if we simply fetched the latest key each time. Instead, maintainers of this repository will need to update the GPG key in this repo when it expires or is revoked because of a security incident.

DustinChaloupka commented 3 years ago

LGTM, if we can get the lint and format failures fixed (test was fixed on master).

nathantypanski commented 3 years ago

Cool, I'll format this and get the tests passing, and also test this on macOS while I'm at it. Thanks for kicking off the build.

nathantypanski commented 3 years ago

@DustinChaloupka this is now blocked on workflow approval.

smorimoto commented 3 years ago

OK, I triggered that, assuming this passes CI - please merge this if it seems good to you.

smorimoto commented 3 years ago

Thanks @nathantypanski and @DustinChaloupka!

oeuftete commented 3 years ago

Heads up that this pretty severely limits the versions installable with this plugin. I get the rationale, but if you do something like asdf list-all terraform or asdf install terraform <tab>, the vast majority of the versions there are now uninstallable. Maybe those should be suppressed? Or add an env var to skip verification? 🤷

smorimoto commented 3 years ago

Maybe those should be suppressed? Or add an env var to skip verification? 🤷

That sounds good. Alternatively, you can do conditional branching in such a way: https://github.com/asdf-community/asdf-elm/blob/eaffc2fbbcd0b9e1e6d3667c09ba010aa82802be/bin/install#L36-L41

DustinChaloupka commented 3 years ago

I think adding an override to skip verification would be the way to go. Also now realizing that this breaks things that happen to not have gpg installed. Let me get something added.

DustinChaloupka commented 3 years ago

#25 should give the option.

nathantypanski commented 3 years ago

@smorimoto I didn't realize this, but older Terraform versions have been backfilled with signatures using a different filename, which isn't what I expected. I'll see if I can figure out how to properly work around those cases. All files appear to be signed by the new key, we just have to get the signature filenames right.

nathantypanski commented 3 years ago

#27 fixes the issue by always checking the new GPG signature file. It appears that Terraform and Vault releases managed the publishing of updated signature files slightly differently, but there is a new filename that is always present and consistent across all releases.