internal: Verify provider signatures on install #24617
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
alisdair
force-pushed
the
alisdair/provider-installer-signature-verification
branch
2 times, most recently
from
d6a5225
to
2eb234b
Compare
Codecov Report
|
mildwonkey
reviewed
Apr 10, 2020
mildwonkey
reviewed
Apr 10, 2020
| @@ -224,6 +224,7 @@ func (m PackageMeta) UnpackedDirectoryPath(baseDir string) string { | |||
| // concrete types: PackageLocalArchive, PackageLocalDir, or PackageHTTPURL. | |||
| type PackageLocation interface { | |||
| packageLocation() | |||
| String() string | |||
There was a problem hiding this comment.
This is a nice change! I like how this change looks in dir_modify.go
alisdair
force-pushed
the
alisdair/provider-installer-signature-verification
branch
from
b5a9ab3
to
a78890d
Compare
apparentlymart
approved these changes
Apr 16, 2020
Providers installed from the registry are accompanied by a list of checksums (the "SHA256SUMS" file), which is cryptographically signed to allow package authentication. The process of verifying this has multiple steps: - First we must verify that the SHA256 hash of the package archive matches the expected hash. This could be done for local installations too, in the future. - Next we ensure that the expected hash returned as part of the registry API response matches an entry in the checksum list. - Finally we verify the cryptographic signature of the checksum list, using the public keys provided by the registry. Each of these steps is implemented as a separate PackageAuthentication type. The local archive installation mechanism uses only the archive checksum authenticator, and the HTTP installation uses all three in the order given. The package authentication system now also returns a result value, which is used by command/init to display the result of the authentication process. There are three tiers of signature, each of which is presented differently to the user: - Signatures from the embedded HashiCorp public key indicate that the provider is officially supported by HashiCorp; - If the signing key is not from HashiCorp, it may have an associated trust signature, which indicates that the provider is from one of HashiCorp's trusted partners; - Otherwise, if the signature is valid, this is a community provider.
alisdair
force-pushed
the
alisdair/provider-installer-signature-verification
branch
from
a78890d
to
a5b3d49
Compare
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
ghost
locked and limited conversation to collaborators
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Providers installed from the registry are accompanied by a list of checksums (the "SHA256SUMS" file), which is cryptographically signed to allow package authentication. The process of verifying this has multiple steps:
Each of these steps is implemented as a separate
PackageAuthenticationtype. The local archive installation mechanism uses only the archive checksum authenticator, and the HTTP installation uses all three in the order given.The package authentication system now also returns a result value, which is used by command/init to display the result of the authentication process.
There are three tiers of signature, each of which is presented differently to the user:
Screenshots
Official, partner, and community providers: