tflint --init does not check signing key expiration date (#1768)
Comment:
#1769 solves this problem but at the cost of causing all Also, with expiration working correctly, there is an issue where I think we need to think a little more about how key expiration should be managed.
Summary
When installing plugins with tflint --init, plugins under terraform-linters or plugins with an explicitly set signing_key will have their signatures verified by PGP (tflint/plugin/signature.go, line 55 at c1aef40).
However, golang.org/x/crypto/openpgp.CheckDetachedSignature does not return an error even if the signing key has expired.
I first noticed this issue when I made a mistake when extending the expiration date of a PGP key in #1679. This PR updates the built-in key, but the process is not correct and the key expiration date is still 2023-05-01.
However, TFLint v0.46.1 was able to successfully verify the signature of AWS ruleset v0.23.1, signed with a new key that was updated in a correct process, despite using an expired key. See also terraform-linters/tflint-ruleset-aws#496.
Digging deeper into this issue, I came across the following PR on Terraform: hashicorp/terraform#32056
Indeed, looking at golang.org/x/crypto/openpgp.CheckDetachedSignature, no key expiration date is checked. This package is already deprecated and frozen, and we should switch to a community fork like ProtonMail/go-crypto as well to check the expiration date.
After replacing it with this fork and running tflint --init, the installation will indeed fail due to key expiry.
While this is a security issue, the most used built-in key has never been compromised, and the expiration date has never been important, so currently the user impact is minimal.
Command: tflint --init
Terraform Configuration: # None
TFLint Configuration: (not provided)
Output / Expected behavior / Actual behavior: (not provided)
TFLint Version: 0.46.1
Terraform Version: No response
Operating System: (not provided)
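The check the issue reports as missing, as an added example written for this page; it is not tflint's code and not the code of golang.org/x/crypto or ProtonMail/go-crypto (Go, standard library only). A v4 OpenPGP key's lifetime lives in the Key Expiration Time subpacket of the hashed area of its self-signature, expressed as seconds after the key's creation time, so the expiry check is creation + lifetime compared against the time of verification. The key below is constructed in code: the key material and signature MPI are filler and nothing here verifies a signature (ProtonMail/go-crypto does the signature check and this time check together); the dates are chosen to mirror the 2023-05-01 expiry mentioned in the issue. Packet parsing is deliberately limited to new-format headers with one-octet lengths, which is all the constructed data needs.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// RFC 4880 packet tags and signature-subpacket types; Key Expiration Time is seconds after key creation.
const tagSignature, tagPublicKey, tagUserID = 2, 6, 13
const subSigCreationTime, subKeyExpiration = 2, 9

// ErrKeyExpired is returned when the key's self-signature says it has expired.
var ErrKeyExpired = errors.New("signing key has expired")
func be32(v uint32) []byte { b := make([]byte, 4); binary.BigEndian.PutUint32(b, v); return b }

// packet wraps body in a new-format header (0xC0|tag) with a one-octet length (all constructed packets
// are < 192 bytes); subpacket does the same for a signature subpacket, whose length counts the type byte.
func packet(tag byte, body []byte) []byte    { return append([]byte{0xC0 | tag, byte(len(body))}, body...) }
func subpacket(typ byte, body []byte) []byte { return append([]byte{byte(len(body) + 1), typ}, body...) }

// ConstructedKey is throwaway test data, not a real key: a v4 public key, a user ID and a self-signature
// whose HASHED area carries Key Expiration Time = lifetime. Key material and the signature MPI are filler.
func ConstructedKey(created time.Time, lifetime time.Duration) []byte {
	ts := be32(uint32(created.Unix()))
	pub := append(append([]byte{4}, ts...), 1, 0x00, 0x08, 0x81, 0x00, 0x05, 0x11) // v4, created, RSA, MPI n, MPI e
	hashed := append(subpacket(subSigCreationTime, ts), subpacket(subKeyExpiration, be32(uint32(lifetime/time.Second)))...)
	sig := append([]byte{4, 0x13, 1, 8, byte(len(hashed) >> 8), byte(len(hashed))}, hashed...) // v4, positive cert, RSA, SHA-256
	sig = append(sig, 0, 0, 0xAB, 0xCD, 0x00, 0x07, 0x5A)                                      // no unhashed subpackets, hash prefix, signature MPI
	out := append(packet(tagPublicKey, pub), packet(tagUserID, []byte("constructed <c@example.invalid>"))...)
	return append(out, packet(tagSignature, sig)...)
}

// keyExpirationFromSig scans the hashed subpackets of a v4 signature for Key Expiration Time. Only the
// hashed area is covered by the signature; an expiry read from the unhashed area could be forged.
func keyExpirationFromSig(sig []byte) (seconds uint32, found bool, err error) {
	if len(sig) < 6 || sig[0] != 4 {
		return 0, false, errors.New("not a v4 signature")
	}
	hlen := int(binary.BigEndian.Uint16(sig[4:6]))
	if len(sig) < 6+hlen {
		return 0, false, errors.New("truncated hashed subpackets")
	}
	for sub := sig[6 : 6+hlen]; len(sub) > 0; sub = sub[1+int(sub[0]):] {
		l := int(sub[0])
		if l == 0 || l >= 192 || len(sub) < 1+l {
			return 0, false, errors.New("unsupported or truncated subpacket")
		}
		if typ, body := sub[1]&0x7F, sub[2:1+l]; typ == subKeyExpiration && len(body) == 4 { // &0x7F drops the critical bit
			return binary.BigEndian.Uint32(body), true, nil
		}
	}
	return 0, false, nil
}

// KeyExpiry walks the packets (new-format, one-octet lengths) and returns the key's creation time and, when
// its self-signature sets one, the expiry (creation + Key Expiration Time). hasExpiry=false: never expires.
func KeyExpiry(data []byte) (created, expires time.Time, hasExpiry bool, err error) {
	for rest := data; len(rest) > 0; {
		if len(rest) < 2 || rest[0]&0xC0 != 0xC0 || rest[1] >= 192 || len(rest) < 2+int(rest[1]) {
			return created, expires, false, errors.New("bad or truncated packet header")
		}
		tag, body := rest[0]&0x3F, rest[2:2+int(rest[1])]
		rest = rest[2+int(rest[1]):]
		if tag == tagPublicKey && len(body) >= 5 && body[0] == 4 {
			created = time.Unix(int64(binary.BigEndian.Uint32(body[1:5])), 0).UTC()
		} else if tag == tagSignature && !created.IsZero() {
			secs, found, serr := keyExpirationFromSig(body)
			if serr != nil {
				return created, expires, false, serr
			} else if found {
				hasExpiry, expires = true, created.Add(time.Duration(secs)*time.Second)
			}
		}
	}
	if created.IsZero() {
		err = errors.New("no v4 public key packet")
	}
	return created, expires, hasExpiry, err
}

// CheckNotExpired is the comparison x/crypto's CheckDetachedSignature never made (ProtonMail/go-crypto does).
func CheckNotExpired(data []byte, now time.Time) error {
	_, expires, hasExpiry, err := KeyExpiry(data)
	if err != nil {
		return err
	}
	if hasExpiry && !now.Before(expires) {
		return fmt.Errorf("%w: expired at %s", ErrKeyExpired, expires.Format(time.RFC3339))
	}
	return nil
}

func main() {
	key := ConstructedKey(time.Date(2022, 5, 1, 0, 0, 0, 0, time.UTC), 365*24*time.Hour) // constructed; expires 2023-05-01
	fmt.Println(CheckNotExpired(key, time.Date(2023, 4, 30, 0, 0, 0, 0, time.UTC)), CheckNotExpired(key, time.Date(2023, 6, 1, 0, 0, 0, 0, time.UTC)))
}
```

Two details are worth keeping when porting this check: only the hashed subpacket area is trusted, because the unhashed area is not covered by the signature and could carry a forged later expiry; and any parse failure is returned as an error rather than treated as "no expiry set", since a key that fails to parse must not verify as unexpiring.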