Open wata727 opened 1 year ago

Summary

When installing plugins with `tflint --init`, plugins under terraform-linters or plugins with an explicitly set `signing_key` will have their signatures verified by PGP. https://github.com/terraform-linters/tflint/blob/c1aef408b425530cc0509b66c8f253283a163e96/plugin/signature.go#L55

However, `golang.org/x/crypto/openpgp.CheckDetachedSignature` does not return an error even if the signing key has expired.

I first noticed this issue when I made a mistake while extending the expiration date of a PGP key in https://github.com/terraform-linters/tflint/pull/1679. This PR updates the built-in key, but the process is not correct and the key expiration date is still 2023-05-01.

However, TFLint v0.46.1 was able to successfully verify the signature of AWS ruleset v0.23.1, signed with a new key that was updated in a correct process, despite using an expired key. See also https://github.com/terraform-linters/tflint-ruleset-aws/issues/496.

Digging deeper into this issue, I came across the following PR on Terraform: https://github.com/hashicorp/terraform/pull/32056

Indeed, looking at `golang.org/x/crypto/openpgp.CheckDetachedSignature`, there is no key expiration date check. This package is already deprecated and frozen, and we should switch to a community fork like ProtonMail/go-crypto as well, to check the expiration date.

After replacing it with this fork and running `tflint --init`, the installation will indeed fail due to key expiry.

While this is a security issue, the most used built-in key has never been compromised, and the expiration date has never been important, so currently the user impact is minimal. … `tflint --init` to fail.

Also, with expiration working correctly, there is an issue where `tflint --init` will stop working completely in older versions if the key expires. I'm concerned about the impact this will have on our users. I think we need to think a little more about how key expiration should be managed.
Command
`tflint --init`

Terraform Configuration

TFLint Configuration

Output

Expected behavior:

Actual behavior:

TFLint Version
0.46.1

Terraform Version
No response

Operating System
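An added illustration, not code from TFLint or from this issue's author, of what the missing expiry check amounts to, written in stdlib-only Go so it runs without ProtonMail/go-crypto: a key's validity period is carried in a Key Expiration Time subpacket of the self-certification on the public key, not in the detached signature being verified, so a verifier that only checks the signature math passes even after that period has ended. The code walks the OpenPGP packets of a public key, reads that subpacket and decides whether the key has expired at a given time. Assumptions and limits: it handles only new-format packet headers (gpg-exported keys use old-format headers and would need that branch), it does not cryptographically verify the self-certification (a real implementation such as go-crypto must do so before trusting the subpacket), and `sampleKey` is a constructed byte string with a placeholder signature, not a real key. The names `readPacket`, `certLifetime`, `KeyExpiry`, `Expired` and `sampleKey` are this example's own.

```go
package main

import (
	"encoding/binary"
	"errors"
	"time"
)

const tagSig, tagPubKey, subKeyExpiry = 2, 6, 9 // packet tags (RFC 4880 4.3), subpacket type (5.2.3.1)

// readPacket parses one new-format packet header (RFC 4880 4.2.2); old-format headers, as gpg exports them, are not handled.
func readPacket(b []byte) (tag byte, body, rest []byte, err error) {
	if len(b) < 2 || b[0]&0xc0 != 0xc0 {
		return 0, nil, nil, errors.New("not a new-format packet header")
	}
	hdr, n := 2, int(b[1])
	if n >= 192 && n < 224 && len(b) > 2 {
		hdr, n = 3, ((n-192)<<8|int(b[2]))+192
	} else if n >= 192 { // five-octet and partial-body lengths are out of scope here
		return 0, nil, nil, errors.New("unsupported packet length encoding")
	}
	if len(b) < hdr+n {
		return 0, nil, nil, errors.New("truncated packet")
	}
	return b[0] & 0x3f, b[hdr : hdr+n], b[hdr+n:], nil
}

// certLifetime scans a hashed subpacket area (RFC 4880 5.2.3.1) for Key Expiration Time (type 9).
func certLifetime(b []byte) (life uint32, err error) {
	for len(b) > 0 {
		hdr, n := 1, int(b[0])
		if n >= 192 && n < 255 && len(b) > 1 {
			hdr, n = 2, ((n-192)<<8|int(b[1]))+192
		}
		if n < 1 || int(b[0]) == 255 || len(b) < hdr+n {
			return 0, errors.New("bad subpacket length")
		}
		if b[hdr]&0x7f == subKeyExpiry && n == 5 { // high bit of the type octet is the "critical" flag
			life = binary.BigEndian.Uint32(b[hdr+1 : hdr+5])
		}
		b = b[hdr+n:]
	}
	return life, nil
}

// KeyExpiry returns the primary key's creation time and expiry (zero when it never expires) from the
// self-certification's Key Expiration Time subpacket. Caveat: the self-signature is not verified here;
// a real verifier (as go-crypto does) must check it cryptographically before trusting that subpacket.
func KeyExpiry(pub []byte) (created, expires time.Time, err error) {
	for len(pub) > 0 {
		tag, body, rest, e := readPacket(pub)
		if e != nil {
			return created, expires, e
		}
		pub = rest
		if tag == tagPubKey && created.IsZero() && len(body) >= 6 && body[0] == 4 { // v4: version, time, alg, MPIs
			created = time.Unix(int64(binary.BigEndian.Uint32(body[1:5])), 0).UTC()
		}
		// v4 signature: version, type, pk alg, hash alg, hashed length, hashed subpackets, ...; only
		// certifications (0x10-0x13) of the primary key carry its expiry, so skip everything else.
		if tag != tagSig || len(body) < 6 || body[0] != 4 || body[1] < 0x10 || body[1] > 0x13 {
			continue
		}
		hl := 6 + int(binary.BigEndian.Uint16(body[4:6]))
		if len(body) < hl {
			return created, expires, errors.New("truncated signature")
		}
		life, e := certLifetime(body[6:hl])
		if e != nil {
			return created, expires, e
		}
		expires = time.Time{} // last certification wins here; a real verifier picks the newest valid one
		if life != 0 { // RFC 4880 5.2.3.6: seconds after key creation; absent or zero means never
			expires = created.Add(time.Duration(life) * time.Second)
		}
	}
	if created.IsZero() {
		return created, expires, errors.New("no v4 primary key packet")
	}
	return created, expires, nil
}

// Expired is the validity-period check that x/crypto's CheckDetachedSignature never made.
func Expired(pub []byte, now time.Time) (bool, error) {
	_, expires, err := KeyExpiry(pub)
	return err == nil && !expires.IsZero() && !now.Before(expires), err
}

// Constructed sample, not a real key (the signature MPI is a placeholder): v4 RSA key created
// 2022-05-01T00:00:00Z (0x626dcd80), user ID, positive certification with a 365-day lifetime (0x01e13380).
var sampleKey = []byte{
	0xc6, 12, 4, 0x62, 0x6d, 0xcd, 0x80, 1, 0, 8, 0xb5, 0, 2, 3, // public key: v4, creation time, RSA, MPIs n, e
	0xcd, 4, 't', 'e', 's', 't', // user ID
	0xc2, 25, 4, 0x13, 1, 8, 0, 12, // signature: v4, positive certification, RSA, SHA-256, 12 hashed bytes
	5, 2, 0x62, 0x6d, 0xcd, 0x80, // subpacket 2: signature creation time
	5, 9, 0x01, 0xe1, 0x33, 0x80, // subpacket 9: key expires 365 days after creation, i.e. 2023-05-01
	0, 0, 0xab, 0xcd, 0, 8, 0x5a, // no unhashed subpackets, hash prefix, placeholder signature MPI
}
```

`Expired(sampleKey, time.Now())` returns true with a nil error, since the constructed key's lifetime ended on 2023-05-01; in a real verifier that is the point at which a detached signature must be rejected even when the signature itself checks out, which is exactly the step the issue describes as absent from the frozen x/crypto package.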