Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tflint --init does not check signing key expiration date #1768

Open
3 tasks done
wata727 opened this issue May 24, 2023 · 1 comment · May be fixed by #1769
Open
3 tasks done

tflint --init does not check signing key expiration date #1768

wata727 opened this issue May 24, 2023 · 1 comment · May be fixed by #1769
Labels
bug

Comments

@wata727
Copy link
Member

wata727 commented May 24, 2023
edited
Loading

Summary

When installing plugins with tflint --init, plugins under terraform-linters or plugins with explicitly set signing_key will have their signatures verified by PGP.

tflint/plugin/signature.go

Line 55 in c1aef40

_, err = openpgp.CheckDetachedSignature(keyring, target, signature)

However, the golang.org/x/crypto/openpgp.CheckDetachedSignature does not return an error even if the signing key has expired.

I first noticed this issue when I made a mistake when extending the expiration date of a PGP key in #1679. This PR updates the built-in key, but the process is not correct and the key expiration date is still on 2023-05-01.

However, TFLint v0.46.1 was able to successfully verify the signature of AWS ruleset v0.23.1 signed with a new key that was updated in a correct process, despite using an expired key. See also terraform-linters/tflint-ruleset-aws#496.

Digging deeper into this issue, I came across the following PR on Terraform.

hashicorp/terraform#32056

There is one change in the fork that's arguably backwards-incompatible: CheckDetachedSignature() will now return an error if the key used to sign the signature is expired (see ProtonMail/go-crypto#60).

Indeed, looking at golang.org/x/crypto/openpgp.CheckDetachedSignature there is no key expiration date checked. This package is already deprecated and frozen, and we should switch to a community fork like ProtonMail/go-crypto as well to check the expiration date.

After replacing with this fork and running tflint --init, the installation will indeed fail due to key expiry.

$ tflint --init
Installing `aws` plugin...
Failed to install a plugin; Failed to check checksums.txt signature: openpgp: key expired

While this is a security issue, the most used built-in key has never been compromised, and the expiration date has never been important, so currently the user impact is minimal.

Command

tflint --init

Terraform Configuration

# None

TFLint Configuration

plugin "aws" {
  enabled = true
  version = "0.23.1"
  source  = "github.com/terraform-linters/tflint-ruleset-aws"
}

Output

Expected behavior:

Installing `aws` plugin...
Failed to install a plugin; Failed to check checksums.txt signature: openpgp: key expired

Actual behavior:

Installing `aws` plugin...
Installed `aws` (source: github.com/terraform-linters/tflint-ruleset-aws, version: 0.23.1)

TFLint Version

0.46.1

Terraform Version

No response

Operating System

  • Linux
  • macOS
  • Windows
@wata727 wata727 added the bug label May 24, 2023
@wata727 wata727 linked a pull request May 24, 2023 that will close this issue
Draft
@wata727
Copy link
Member Author

wata727 commented May 24, 2023

#1769 solves this problem but at the cost of causing all tflint --init to fail.

Also, with expiration working correctly, there is an issue where tflint --init will stop working completely in older versions if the key expires. I'm concerned about the impact this will have on our users.

I think we need to think a little more about how key expiration should be managed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Switch from x/crypto/openpgp to ProtonMail/go-crypto terraform-linters/tflint
1 participant
@wata727