
Support gpg (without keybase) for signature verification

Open adborden opened this issue 4 years ago • 5 comments

There might be cases where installing keybase is not available. In that case, tfenv installs terraform without any signature verification. It would be preferred to use gpg in that case.

Some reasons why keybase might not be available:

  • Corporate policy prevents installation of keybase
  • You don't want your personal keybase account on a work machine, nor to create a new keybase account just for verification

In this case it would be okay to require the user to manually install + trust the hashicorp key. As long as the key exists and is trusted, tfenv could use it for verification.

adborden, Aug 05 '21 22:08
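The approach proposed above (user imports and trusts the HashiCorp key, the tool verifies with plain gpg) as an added example; this is not tfenv's own code. It assumes the HashiCorp public key is already in the local keyring, `EXPECTED_FPR` is a placeholder for the fingerprint HashiCorp publishes, `X` stands for a Terraform version, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not tfenv's own code: verify a Terraform release's
# SHA256SUMS file with plain gpg (no Keybase), then check the zip against
# it. Assumes HashiCorp's public key is already imported into the local
# keyring. EXPECTED_FPR is a placeholder to replace with the fingerprint
# HashiCorp publishes.
set -u

EXPECTED_FPR="${EXPECTED_FPR:-REPLACE_WITH_HASHICORP_KEY_FINGERPRINT}"

# verify_sums_sig SUMS SIG FINGERPRINT
# 0: good signature from the pinned key; 2: bad signature, unknown key or
# wrong key; 3: gpg not installed (fail closed rather than skip the check).
verify_sums_sig() {
  sums=$1; sig=$2; want=$3
  command -v gpg >/dev/null 2>&1 || {
    echo "no gpg install found; not skipping signature verification" >&2
    return 3
  }
  # --status-fd 1 emits machine-readable lines; the last field of VALIDSIG
  # is the primary key fingerprint, which is what we pin against.
  status=$(gpg --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null) || return 2
  got=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG/ {print $NF}')
  [ -n "$got" ] && [ "$got" = "$want" ] || {
    echo "signature not from the expected key (got '${got:-none}')" >&2
    return 2
  }
}

# verify_zip_checksum SUMS ZIP
# Compares the zip's SHA-256 with the SHA256SUMS entry for its basename.
verify_zip_checksum() {
  sums=$1; zip=$2
  want=$(awk -v f="$(basename "$zip")" '$2 == f {print $1}' "$sums")
  [ -n "$want" ] || { echo "no checksum entry for $zip" >&2; return 2; }
  got=$(sha256sum "$zip" | awk '{print $1}')
  [ "$got" = "$want" ] || { echo "checksum mismatch for $zip" >&2; return 2; }
}

# Typical use once the three release artifacts for version X are downloaded:
#   verify_sums_sig terraform_X_SHA256SUMS terraform_X_SHA256SUMS.sig "$EXPECTED_FPR" &&
#     verify_zip_checksum terraform_X_SHA256SUMS terraform_X_linux_amd64.zip
```

Only the signature check pins the key; the checksum step is what ties the downloaded zip to the signed file, so both must pass before the binary is installed.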

AFAICT — and please correct me if I'm wrong! — there's no way to install Keybase as just a command-line tool. It appears you need the full app installed and all of its background services persistently running. (I tried disabling the background daemons and that caused the CLI to fail during the sig check.) That's a pretty heavyweight ask for just wanting to check Terraform's GPG signatures.

At any rate, I'd love to have GPG support.

brainsik, Aug 18 '21 20:08

@brainsik then why not just use gpg? https://github.com/tfutils/tfenv/blob/459d15b63f55c2f507bfa6a18e9dec5937e45daf/libexec/tfenv-install#L188-L202

anthraxx, Aug 20 '21 21:08

I'm looking to build a package for tfenv on Alpine Linux. The tests trigger this warning, and, given the above comments, installing Keybase as a dependency won't be practical. I suggest:

  • making GPG the default as this is common and easily installable
  • updating the error message to say "no GPG, PGP or Keybase install found" to make clear keybase is not the only supported option, and perhaps some text to show how to configure which to use
  • (alternatively to the above) supporting a system-wide $TFENV_CONFIG_DIR so I can have the use-gnupg file systemwide by default

jtyers, Aug 21 '21 13:08

+1 to this issue. I just used tfenv and got "No keybase install found, skipping OpenPGP signature verification". This seems to indicate that the default fallback is doing something insecure. I agree with @jtyers that GPG should be the default as it's available on most systems.

schoppmp, Mar 10 '22 13:03

I've updated the error message. Given the options available to specify PGP, which can be defaulted to during packaging, and a warning message that includes reference to local PGP as well as keybase - is there anything more to be done here?

Zordrak, Jul 14 '22 13:07