Closed DT-NIKOLAR closed 2 months ago
My bad. Please try again, I have released a 1.0.1 version with an extended signing key
I tried running terraform init with version 1.0.1, but I am still getting:
│ Error: Failed to install provider
│
│ Error while installing ischluff/keepass v1.0.1: error checking signature:
│ openpgp: key expired
Ok this hole was deeper than I expected. Apparently the checking of signing key expirations was an unintended change by the terraform developers. See https://github.com/hashicorp/terraform/issues/33984
You are probably using an affected terraform version and may fix this by upgrading to atleast terraform-1.6.1 or downgrading to 1.5.7
Concerning the expired key, I have published an updated version to the ubuntu key servers. Apparently this check is run against the gpg public key provided by the terraform registry. I have no way to actually update the key used by the registry, I just hope that they eventually refresh the keys they use there.
As of now the registry is still serving an expired key
$ curl https://registry.terraform.io/v1/providers/iSchluff/keepass/1.0.1/download/linux/amd64 | jq -r '.signing_keys.gpg_public_keys[0].ascii_armor' | gpg --show-keys -
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 4772 0 4772 0 0 11644 0 --:--:-- --:--:-- --:--:-- 11667
pub rsa4096 2022-03-21 [SCEA] [expired: 2024-03-20]
3BEAB2B6E0E60F385691AA9B0F736313A5B8A1C8
uid Anton Schubert (Github Actions) <github@cookiefactory.org>
sub rsa4096 2022-03-21 [SEA] [expired: 2024-03-20]
Thank you for the research and help. I managed to download the new 1.0.1 version with terraform 1.6.1.
In our case, we made the decision to transition to locally installed providers. For those encountering challenges with locally installed providers and Terraform/Terragrunt, here are some key points to consider:
Terraform writes provider information in the state file. Even if you remove any registry references to a particular provider from your configuration files, you will still need to do a terraform state replace-provider.
You will have to run terragrunt init first to install the local provider, before failing on the PGP Key check for the remote provider. The state replace-provider cmd needs both providers to be initialized for the specific module.
Since terragrunt supports inter-module dependencies, running terragrunt init within a dependent module failed to initialize the dependency module's local providers. The solution was to run a terragrunt run-all init --terragrunt-include-external-dependencies for it to be able to install the local providers.
Hope the above helps someone ;)
Description:
I encountered an error while running terraform init with the ischluff/keepass provider v1.0.0. The error message indicates that the installation failed due to an expired OpenPGP key.
Steps to Reproduce:
terraform init
with the following configurationTerraform Version: v1.6.0 Operating System: Linux Provider Version: ischluff/keepass v1.0.0
Could you please update the OpenPGP key or provide guidance on how to resolve this issue?