Commit Graph

3 Commits

Author SHA1 Message Date
findkim
1a32617d5e plugin/discovery: verify checksum matches Registry response 2019-03-21 12:31:31 -05:00
Justin Campbell
495826444b plugin/discovery: Use GPG keys from Registry
When verifying the signature of the SHA256SUMS file, we have been
hardcoding HashiCorp's public GPG key and using it as the keyring.

Going forward, Terraform will get a list of valid public keys for a
provider from the Terraform Registry (registry.terraform.io), and use
them as the keyring for the openpgp verification func.
2018-11-20 14:09:16 -05:00
James Bardin
415d562d36 add signature verification
Fetch the SHA256SUMS file and verify it's signature before downloading
any plugins.

This embeds the hashicorp public key in the binary. If the publickey is
replaced, new releases will need to be cut anyway. A
--verify-plugin=false flag will be added to skip signature verification
in these cases.
2017-06-20 13:14:30 -04:00