asdf-community / asdf-hashicorp

HashiCorp plugin for the asdf version manager
https://github.com/asdf-vm/asdf
MIT License
240 stars 54 forks

Revert gpg verification for now #28

Closed radditude closed 3 years ago

radditude commented 3 years ago

https://github.com/asdf-community/asdf-hashicorp/pull/24 added gpg verification to ensure that binaries downloaded by this plugin have not been compromised. Yay!

Unfortunately, in order to do that we needed to make some assumptions about the naming of the signature file (as noted in https://github.com/asdf-community/asdf-hashicorp/pull/27). Even more unfortunately, it turns out that those assumptions are not always accurate - specifically, in the latest version of Vault the signature file lacks the key suffix.

This reverts all gpg verification changes for now to unblock users while we figure out the correct implementation for this feature.

nathantypanski commented 3 years ago

I think the correct implementation, considering all the available signature file names, would be:

  1. Check for the presence of a key with the new format.
  2. If not present, then check for the key without the suffix.
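
One way to implement the lookup order suggested above, as an added example that is not code from this thread or from asdf-hashicorp: the function names, the `<product>_<version>_SHA256SUMS[.<key id>].sig` naming and the pinned-fingerprint argument are assumptions. It goes a step beyond the comment by treating a missing signature as an error and by accepting only a signature made by the pinned key, since the file name alone says nothing about who signed.

```bash
#!/usr/bin/env bash
# Added example, not asdf-hashicorp code. Function names are hypothetical, and
# the <product>_<version>_SHA256SUMS[.<key id>].sig layout is an assumption.

# Print the first signature file present in $dir, trying the key-suffixed
# name before the unsuffixed one. Returns 1 when neither exists.
select_sig_file() {
  local dir="$1" product="$2" version="$3" key_id="$4"
  local sums="${product}_${version}_SHA256SUMS" candidate
  for candidate in "${sums}.${key_id}.sig" "${sums}.sig"; do
    if [ -f "${dir}/${candidate}" ]; then
      printf '%s\n' "${dir}/${candidate}"
      return 0
    fi
  done
  return 1
}

# Read gpg --status-fd output on stdin; succeed only if it reports VALIDSIG
# for the pinned fingerprint (signing key in field 3, primary key in the last).
signed_by_pinned_key() {
  awk -v fpr="$1" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
    END { exit !ok }'
}

# Verify the checksum file; a missing signature is an error, never a skip.
verify_sums() {
  local dir="$1" product="$2" version="$3" key_id="$4" fpr="$5" sig
  if ! sig="$(select_sig_file "$dir" "$product" "$version" "$key_id")"; then
    echo "no signature file for ${product} ${version}; refusing to continue" >&2
    return 1
  fi
  gpg --status-fd 1 --verify "$sig" \
    "${dir}/${product}_${version}_SHA256SUMS" 2>/dev/null |
    signed_by_pinned_key "$fpr"
}
```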

smorimoto commented 3 years ago

Thanks @radditude :)