[BUG] Expired OpenPGP Key

[reubenavery]

Beginning 6/18 the code signing key has expired and breaking things badly for our Terraform Cloud workspaces which depend on it.

│ Error: Failed to install provider │ │ Error while installing rancher/rancher2 v4.1.0: error checking signature: │ openpgp: key expired

[matttrach]

The immediate problem has been addressed, the GPG key has been extended for 1 year.

[matttrach]

As a longer term solution we need to investigate automatically rotating this key. The key points that we need to investigate are:

1. What is the important distribution point? (which key server or which Hashicorp system)
2. Why is this only affecting Terraform Cloud? (what system is responsible for validating the key)
3. Can child keys validate against a parent key? (we would like to prevent longer lasting keys from being exposed)

If the distribution point is simply standard key servers (ubuntu/keybase/gnupg), then the solution can be simply updating the key regularly in those systems (or opening a ticket to have a team member with the appropriate permissions handle it).

It appears the Terraform CLI doesn't validate the key when it downloads the provider, it only makes sure that the provider was signed by a reputable key. Terraform Cloud may also validate that the key is currently valid, rather than just valid when the binary was signed. This doesn't affect the solution, but it does affect how we validate.

If child keys can be validated against a parent key then we can sign provider releases with a short lived child key and the parent key can be long lived since no system will actually need access to the private key.