
Citizen no longer supports storing of publisher public keys

Open sponte opened this issue 4 years ago • 5 comments

Hi

I noticed the endpoints and import functionality for publishers has been removed in the c21a466d3bbc8c2602ee4305790d813b66267bb7 commit. Can you provide some insight as to why this has been pulled out of citizen?

Terraform requires a terraform provider registry to publish "trusted" providers when serving providers back to clients; without that, terraform will refuse to download providers, and deployments will fail.

sponte, Mar 31 '21 10:03

> Terraform requires a terraform provider registry to publish "trusted" providers when serving providers back to clients; without that, terraform will refuse to download providers, and deployments will fail.

@sponte Did you mean it will fail with citizen or terraform cloud?

I think HashiCorp uses the GPG key to verify the author of a provider.

> In this step, HashiCorp will verify the source and authenticity of the namespace being used to publish the provider by signing your GPG key with a trust signature.

Citizen is not a public registry and it doesn't have any step for accepted trusted providers. So, I think it is not necessary in this project.

Did I miss something?

outsideris, Apr 03 '21 11:04

Hey @outsideris

Based on my limited understanding and the testing I've done while updating citizen to support the provider registry, terraform requires seeing a public key as part of the provider REST API call; if the key is not there, the terraform CLI will return an error and will not download the provider at all.

Hence, as part of my MR, I have added an endpoint and a CLI option to publish "trusted" GPG keys that would then be served for all providers hosted in citizen. I think terraform uses that to validate the downloaded signature file against these.

sponte, Apr 03 '21 11:04
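To make the failure mode discussed above concrete, here is an added illustration (not code from citizen, terraform, or either commenter) of the client-side chain a registry consumer can apply to a provider `download` response: refuse the provider when the response advertises no `signing_keys.gpg_public_keys`, then match the archive's SHA-256 against the entry in the `SHA256SUMS` file. The response field names follow the Terraform provider registry protocol; the archive bytes, key id, URLs and sums file are constructed sample values. Verifying the `SHA256SUMS.sig` signature against the advertised keys is the step that needs a GPG implementation and is left as a placeholder hook here.

```python
import hashlib

# Constructed sample data: a fake provider archive and the SHA256SUMS entry for it.
ARCHIVE = b"constructed sample bytes standing in for a provider zip"
ARCHIVE_SHA256 = hashlib.sha256(ARCHIVE).hexdigest()
FILENAME = "terraform-provider-example_1.0.0_linux_amd64.zip"

# Shape of a registry's provider download response (protocol field names; values made up).
DOWNLOAD_RESPONSE_OK = {
    "protocols": ["5.0"],
    "os": "linux",
    "arch": "amd64",
    "filename": FILENAME,
    "download_url": "https://registry.example/" + FILENAME,
    "shasums_url": "https://registry.example/terraform-provider-example_1.0.0_SHA256SUMS",
    "shasums_signature_url": "https://registry.example/terraform-provider-example_1.0.0_SHA256SUMS.sig",
    "shasum": ARCHIVE_SHA256,
    "signing_keys": {
        "gpg_public_keys": [
            {
                "key_id": "0000000000000000",  # placeholder key id, not a real key
                "ascii_armor": "-----BEGIN PGP PUBLIC KEY BLOCK-----\n(placeholder)\n"
                               "-----END PGP PUBLIC KEY BLOCK-----",
            }
        ]
    },
}

# sha256sum-style SHA256SUMS file: one "<hex>  <filename>" line per platform build.
SHASUMS_FILE = (
    f"{ARCHIVE_SHA256}  {FILENAME}\n"
    + "ab" * 32 + "  terraform-provider-example_1.0.0_darwin_amd64.zip\n"
)


class ProviderVerificationError(Exception):
    """Raised when a provider must not be installed."""


def parse_shasums(text):
    """Parse a SHA256SUMS file into {filename: lowercase hex digest}."""
    sums = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        digest, name = parts
        sums[name] = digest.lower()
    return sums


def require_signing_keys(resp):
    """A response that advertises no GPG public keys gives the client nothing to
    verify the SHA256SUMS signature against, so the provider is refused."""
    keys = (resp.get("signing_keys") or {}).get("gpg_public_keys") or []
    if not keys:
        raise ProviderVerificationError("registry advertised no signing keys")
    return keys


def verify_archive(resp, shasums_text, archive_bytes, signature_ok=lambda keys: True):
    """Run the checks in order and return what was verified.

    signature_ok is a hook for verifying SHA256SUMS.sig with the advertised keys
    (a real client would call a GPG implementation here; assumed, not implemented).
    """
    keys = require_signing_keys(resp)
    if not signature_ok(keys):
        raise ProviderVerificationError("SHA256SUMS signature did not verify")

    sums = parse_shasums(shasums_text)
    expected = sums.get(resp["filename"])
    if expected is None:
        raise ProviderVerificationError(f"{resp['filename']} missing from SHA256SUMS")

    actual = hashlib.sha256(archive_bytes).hexdigest()
    if actual != expected:
        raise ProviderVerificationError("archive hash does not match SHA256SUMS")
    # The response's own shasum field, when present, must agree with the sums file.
    if resp.get("shasum") and resp["shasum"].lower() != actual:
        raise ProviderVerificationError("response shasum disagrees with SHA256SUMS")

    return {"key_ids": [k["key_id"] for k in keys], "sha256": actual}


if __name__ == "__main__":
    print(verify_archive(DOWNLOAD_RESPONSE_OK, SHASUMS_FILE, ARCHIVE))
    no_keys = dict(DOWNLOAD_RESPONSE_OK, signing_keys={"gpg_public_keys": []})
    try:
        verify_archive(no_keys, SHASUMS_FILE, ARCHIVE)
    except ProviderVerificationError as e:
        print("refused:", e)
```

The ordering matters: the key check and signature check come before the hash comparison, because a matching checksum proves nothing if the sums file itself was never authenticated. A registry that drops the key-serving endpoint leaves the first check with nothing to pass, which is the behaviour the comment above describes.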

For providers, there are not enough documents, especially for signing. In the integration test, the terraform CLI can download providers without the /v1/publishers API.

outsideris, Apr 03 '21 11:04

The test does not use the terraform CLI, which would fail. I guess we'd need to add a terraform-cli based test to confirm this; I won't have time in the coming weeks for this though...

sponte, Apr 03 '21 11:04

The test uses the terraform CLI with v0.12, v0.13 and v0.14.

outsideris, Apr 04 '21 10:04