iSchluff / terraform-provider-keepass

Terraform provider for reading secrets from keepass databases
Apache License 2.0

Failed to install provider due to expired OpenPGP key #30

Closed DT-NIKOLAR closed 2 months ago

DT-NIKOLAR commented 3 months ago

Description:

I encountered an error while running terraform init with the ischluff/keepass provider v1.0.0. The error message indicates that the installation failed due to an expired OpenPGP key.

╷
│ Error: Failed to install provider
│
│ Error while installing ischluff/keepass v1.0.0: error checking signature:
│ openpgp: key expired
╵

Steps to Reproduce:

  1. Run terraform init with the following configuration
    provider "keepass" {
      database = "***"
      password = "***"
    }

Terraform Version: v1.6.0
Operating System: Linux
Provider Version: ischluff/keepass v1.0.0

Could you please update the OpenPGP key or provide guidance on how to resolve this issue?

iSchluff commented 3 months ago

My bad. Please try again; I have released a 1.0.1 version with an extended signing key.

DT-NIKOLAR commented 3 months ago

I tried running terraform init with version 1.0.1, but I am still getting:

│ Error: Failed to install provider
│
│ Error while installing ischluff/keepass v1.0.1: error checking signature:
│ openpgp: key expired

iSchluff commented 2 months ago

Ok this hole was deeper than I expected. Apparently the checking of signing key expirations was an unintended change by the terraform developers. See https://github.com/hashicorp/terraform/issues/33984

You are probably using an affected terraform version and may fix this by upgrading to at least terraform-1.6.1 or downgrading to 1.5.7.

Concerning the expired key, I have published an updated version to the ubuntu key servers. Apparently this check is run against the gpg public key provided by the terraform registry. I have no way to actually update the key used by the registry, I just hope that they eventually refresh the keys they use there.

As of now the registry is still serving an expired key:

$ curl https://registry.terraform.io/v1/providers/iSchluff/keepass/1.0.1/download/linux/amd64 | jq -r '.signing_keys.gpg_public_keys[0].ascii_armor' | gpg --show-keys -
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4772    0  4772    0     0  11644      0 --:--:-- --:--:-- --:--:-- 11667
pub   rsa4096 2022-03-21 [SCEA] [expired: 2024-03-20]
      3BEAB2B6E0E60F385691AA9B0F736313A5B8A1C8
uid                      Anton Schubert (Github Actions) <github@cookiefactory.org>
sub   rsa4096 2022-03-21 [SEA] [expired: 2024-03-20]
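
Added example, not part of the original thread or the provider's code: a pre-flight check that flags expired keys in the machine-readable form of the `gpg --show-keys` output shown above, so a CI job can fail with a clear message before `terraform init` does. The function name `expired_keys`, the sample timestamps and the subkey ID are constructed for illustration; it assumes GnuPG 2.x, which prints expiry (field 7) as epoch seconds.

```shell
#!/bin/sh
# Live use with the pipeline from the comment above (needs curl, jq, gpg;
# URL is the registry download endpoint quoted there):
#   curl -s "$URL" | jq -r '.signing_keys.gpg_public_keys[0].ascii_armor' \
#     | gpg --show-keys --with-colons - | expired_keys "$(date +%s)"

# expired_keys NOW_EPOCH
# Reads "gpg --with-colons" records on stdin. For every primary key (pub)
# or subkey (sub) whose expiry time is at or before NOW_EPOCH, prints
# "<record type> <key id> <expiry epoch>". Returns 1 if any key is expired.
# Keys without an expiry (empty field 7) are never reported.
# Passing a future NOW_EPOCH turns this into an "expires soon" warning.
expired_keys() {
    awk -F: -v now="$1" '
        ($1 == "pub" || $1 == "sub") && $7 != "" && ($7 + 0) <= (now + 0) {
            print $1, $5, $7
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample shaped like the expired key in the output above.
# Timestamps are midnight UTC of the dates shown there (2022-03-21 and
# 2024-03-20); the subkey ID is a placeholder, not the real one.
sample_colons() {
    cat <<'EOF'
pub:e:4096:1:0F736313A5B8A1C8:1647820800:1710892800::-:::scESCA::::::23::0:
fpr:::::::::3BEAB2B6E0E60F385691AA9B0F736313A5B8A1C8:
sub:e:4096:1:AAAAAAAAAAAAAAAA:1647820800:1710892800:::::esa::::::23:
EOF
}

# Stand-alone run: check the sample against the current time.
sample_colons | expired_keys "$(date +%s)" \
    || echo "signing key expired: see records listed above" >&2
```

The check reads the expiry timestamp rather than gpg's own validity flag (field 2), so the same function can test a key against any reference time.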

DT-NIKOLAR commented 2 months ago

Thank you for the research and help. I managed to download the new 1.0.1 version with terraform 1.6.1.

In our case, we made the decision to transition to locally installed providers. For those encountering challenges with locally installed providers and Terraform/Terragrunt, here are some key points to consider:

Hope the above helps someone ;)