Open reubenavery opened 2 weeks ago
The immediate problem has been addressed, the GPG key has been extended for 1 year.
As a longer term solution we need to investigate automatically rotating this key. The key points that we need to investigate are:
- If the distribution point is simply standard key servers (ubuntu/keybase/gnupg), then the solution can be simply updating the key regularly in those systems (or opening a ticket to have a team member with the appropriate permissions handle it).
- It appears the Terraform CLI doesn't validate the key when it downloads the provider; it only makes sure that the provider was signed by a reputable key. Terraform Cloud may also validate that the key is currently valid, rather than just valid when the binary was signed. This doesn't affect the solution, but it does affect how we validate.
- If child keys can be validated against a parent key, then we can sign provider releases with a short-lived child key and the parent key can be long-lived, since no system will actually need access to the private key.
Beginning 6/18 the code signing key has expired and is breaking things badly for our Terraform Cloud workspaces which depend on it.

```
│ Error: Failed to install provider
│
│ Error while installing rancher/rancher2 v4.1.0: error checking signature:
│ openpgp: key expired
```
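The following is an added example, not code from the issue author or from the rancher2 provider project. It walks an OpenPGP (RFC 4880) public keyring just far enough to recover each key's creation time, fingerprint and expiry, then applies the two policies the thread contrasts: accepting a key that was valid when the artifact was signed, versus requiring it to be unexpired at install time. The keyring is constructed inline with placeholder RSA MPIs, so it is structurally valid but not cryptographically signed; the `T0` timestamp, the 10-year primary and 90-day subkey lifetimes, and the `releases@example.invalid` user ID are all assumptions chosen to illustrate the long-lived-parent, short-lived-child layout from the last point above.

```python
"""Parse an OpenPGP public keyring for key expiry and compare two validation
policies: 'key valid when signed' vs 'key valid now'. Added example; the key
material below is constructed and carries no real signatures."""
import hashlib
import struct
from datetime import datetime, timezone

# ---- minimal packet builder, used only to construct the sample keyring ----
def _pkt(tag, body):
    """Old-format packet header with a two-octet body length (length type 1)."""
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body

def _mpi(n):
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")

def _key_body(created, n):
    # v4 key body: version, creation time, algorithm (1 = RSA), MPIs n and e.
    # Toy 64-bit modulus: nothing here is ever verified cryptographically.
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + _mpi(n) + _mpi(65537)

def _sig(sig_type, created, key_expires=None):
    """v4 signature packet whose hashed area holds subpacket 2 (signature
    creation time) and, optionally, subpacket 9 (key expiration, in seconds
    after the key's creation time). The signature MPI is a placeholder."""
    subs = bytes([5, 2]) + struct.pack(">I", created)
    if key_expires is not None:
        subs += bytes([5, 9]) + struct.pack(">I", key_expires)
    body = bytes([4, sig_type, 1, 8]) + struct.pack(">H", len(subs)) + subs
    body += struct.pack(">H", 0) + b"\x00\x00" + _mpi(1)
    return _pkt(2, body)

# ---- parser ----
def iter_packets(data):
    """Yield (tag, body) for old- and new-format packets with definite lengths."""
    i = 0
    while i < len(data):
        ctb = data[i]; i += 1
        if ctb & 0x40:                      # new-format header
            tag, first = ctb & 0x3F, data[i]; i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192; i += 1
            elif first == 255:
                length = struct.unpack(">I", data[i:i + 4])[0]; i += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                               # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 3
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i:i + size], "big"); i += size
        yield tag, data[i:i + length]
        i += length

def _subpackets(buf):
    """Yield (type, data) pairs from a signature subpacket area."""
    i = 0
    while i < len(buf):
        first = buf[i]; i += 1
        if first < 192:
            length = first
        elif first < 255:
            length = ((first - 192) << 8) + buf[i] + 192; i += 1
        else:
            length = struct.unpack(">I", buf[i:i + 4])[0]; i += 4
        yield buf[i], buf[i + 1:i + length]
        i += length

def parse_keyring(data):
    """Return one dict per (sub)key. Expiry is taken from subpacket 9 of the
    self-signature (types 0x10-0x13) for the primary key or of the binding
    signature (0x18) for a subkey, and is relative to the key creation time.
    The v4 fingerprint is SHA-1 over 0x99 || 2-byte body length || body."""
    keys = []
    for tag, body in iter_packets(data):
        if tag in (6, 14):
            created = struct.unpack(">I", body[1:5])[0]
            fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
            keys.append({"fingerprint": fpr, "created": created, "expires": None, "subkey": tag == 14})
        elif tag == 2 and keys:
            sig_type, key = body[1], keys[-1]
            if (key["subkey"] and sig_type == 0x18) or (not key["subkey"] and 0x10 <= sig_type <= 0x13):
                hashed_len = struct.unpack(">H", body[4:6])[0]
                for st, sd in _subpackets(body[6:6 + hashed_len]):
                    if st == 9:
                        key["expires"] = key["created"] + struct.unpack(">I", sd)[0]
    return keys

def key_status(key, signed_at, now):
    """'valid' passes both policies; the middle case is exactly what a checker
    that insists the key be unexpired at install time would reject."""
    exp = key["expires"]
    if exp is not None and signed_at >= exp:
        return "expired at signing time"
    if exp is not None and now >= exp:
        return "valid at signing time, expired now"
    return "valid"

# ---- constructed sample: long-lived primary, 90-day signing subkey ----
T0 = int(datetime(2023, 6, 18, tzinfo=timezone.utc).timestamp())  # assumed date
DAY, YEAR = 86400, 365 * 86400
SAMPLE_KEYRING = (
    _pkt(6, _key_body(T0, (1 << 63) | 12345))
    + _pkt(13, b"Release Signing (constructed sample) <releases@example.invalid>")
    + _sig(0x13, T0, key_expires=10 * YEAR)
    + _pkt(14, _key_body(T0, (1 << 63) | 67891))
    + _sig(0x18, T0, key_expires=90 * DAY)
)

if __name__ == "__main__":
    for k in parse_keyring(SAMPLE_KEYRING):
        kind = "subkey " if k["subkey"] else "primary"
        print(kind, k["fingerprint"][-16:], key_status(k, T0 + 30 * DAY, T0 + 120 * DAY))
```

Run against a real exported keyring (`gpg --export <id>`) the parser reports the same expiries `gpg --list-keys` shows, which is the check to script before each rotation; the subkey binding signature carrying its own subpacket 9 is what lets the child key expire independently of the parent.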