ricardo-kh
Contributor

Comparable to #2223, which became ineffective in #2224.

#2209 (comment)

@ricardo-kh ricardo-kh marked this pull request as ready for review April 28, 2025 13:35
if repo.Private != nil && *repo.Private {
return false, nil
log.Printf("[DEBUG] Bypassing verification of artifact attestations for private repository")
return true, nil
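Review bot: in the `repo.Private` branch, `return true, nil` reports the checksums signature as verified although the log line on the previous row says verification was bypassed, so a caller cannot tell a skipped check from a passed one. Keep `return false, nil` for the skip (or return a distinct "skipped" state) so the result never claims more than was checked. The bypass is also only recorded in a `[DEBUG]` message, so any user-visible notice has to come from the caller.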
Member

It is correct that tryKeylessVerifyChecksumsSignature returns false because the verification is being skipped.
From what I understand, returning false here will still work fine.

  • Install returns an installed path and ErrPluginNotVerified
  • The caller init will ignore this error.
    • tflint/cmd/init.go

      Lines 53 to 60 in e599327

      _, err = installCfg.Install()
      if err != nil {
          if errors.Is(err, plugin.ErrPluginNotVerified) {
              _, _ = color.New(color.FgYellow).Fprintln(cli.outStream, `No signing key configured. Set "signing_key" to verify that the release is signed by the plugin developer`)
          } else {
              return fmt.Errorf("Failed to install a plugin; %w", err)
          }
      }

Maybe the reason is that we didn't set the err to nil here...
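
The control flow discussed in the comment above, as an added Go example that is not tflint's code: only `ErrPluginNotVerified` and the warn-and-continue caller come from the thread, while `tryVerify`, `install`, `initPlugins`, `errLookup`, the `clearErr` switch and the plugin path are hypothetical. It shows why a skipped verification has to come back as `false` with a nil error for the caller's not-verified handling to apply.

```go
package main

import (
	"errors"
	"fmt"
)

var (
	// ErrPluginNotVerified is the sentinel named in the thread; every other name is hypothetical.
	ErrPluginNotVerified = errors.New("plugin not verified")
	errLookup            = errors.New("attestation lookup failed") // constructed leftover error
)

// tryVerify models the verifier: private repos are skipped; clearErr=false leaks a stale error.
func tryVerify(private, clearErr bool) (bool, error) {
	if !private {
		return true, nil // constructed: public repository, attestation checks out
	}
	if clearErr {
		return false, nil // skipped, and a skip is not a failure
	}
	return false, errLookup // skipped, but the stale error turns it into a failure
}

// install maps the verifier result onto verified / not verified / failed.
func install(private, clearErr bool) (string, error) {
	verified, err := tryVerify(private, clearErr)
	switch {
	case err != nil:
		return "", fmt.Errorf("verification failed: %w", err)
	case !verified:
		return "/plugins/example", ErrPluginNotVerified // constructed path
	}
	return "/plugins/example", nil
}

// initPlugins mirrors the quoted caller: warn on ErrPluginNotVerified, fail on anything else.
func initPlugins(private, clearErr bool) (warned bool, err error) {
	_, err = install(private, clearErr)
	if errors.Is(err, ErrPluginNotVerified) {
		return true, nil
	}
	return false, err
}

func main() {
	fmt.Println(initPlugins(true, false)) // stale error: install aborts
	fmt.Println(initPlugins(true, true))  // error cleared: warning only
}
```
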

Contributor Author

Setting the err to nil would also do the trick indeed.

Contributor Author

I reverted my previous suggestion and am now trying your suggestion: 08f3cde

Member

@wata727 wata727 left a comment

Thanks!

@wata727 wata727 merged commit 2e67d14 into terraform-linters:master May 3, 2025
16 checks passed