
tflint --init does not check signing key expiration date #1768

Open
@wata727

Description

Summary

When installing plugins with tflint --init, plugins under terraform-linters or plugins with explicitly set signing_key will have their signatures verified by PGP.

_, err = openpgp.CheckDetachedSignature(keyring, target, signature)

However, the golang.org/x/crypto/openpgp.CheckDetachedSignature does not return an error even if the signing key has expired.

I first noticed this issue when I made a mistake when extending the expiration date of a PGP key in #1679. This PR updates the built-in key, but the process is not correct and the key expiration date is still on 2023-05-01.

However, TFLint v0.46.1 was able to successfully verify the signature of AWS ruleset v0.23.1 signed with a new key that was updated in a correct process, despite using an expired key. See also terraform-linters/tflint-ruleset-aws#496.

Digging deeper into this issue, I came across the following PR on Terraform.

hashicorp/terraform#32056

There is one change in the fork that's arguably backwards-incompatible: CheckDetachedSignature() will now return an error if the key used to sign the signature is expired (see ProtonMail/go-crypto#60).

Indeed, looking at golang.org/x/crypto/openpgp.CheckDetachedSignature, the key expiration date is not checked. This package is already deprecated and frozen, and we should switch to a community fork like ProtonMail/go-crypto as well to check the expiration date.

After replacing with this fork and running tflint --init, the installation will indeed fail due to key expiry.

$ tflint --init
Installing `aws` plugin...
Failed to install a plugin; Failed to check checksums.txt signature: openpgp: key expired

While this is a security issue, the most used built-in key has never been compromised, and the expiration date has never been important, so currently the user impact is minimal.

Command

tflint --init

Terraform Configuration

# None

TFLint Configuration

plugin "aws" {
  enabled = true
  version = "0.23.1"
  source  = "github.com/terraform-linters/tflint-ruleset-aws"
}

Output

Expected behavior:

Installing `aws` plugin...
Failed to install a plugin; Failed to check checksums.txt signature: openpgp: key expired

Actual behavior:

Installing `aws` plugin...
Installed `aws` (source: github.com/terraform-linters/tflint-ruleset-aws, version: 0.23.1)

TFLint Version

0.46.1

Terraform Version

No response

Operating System

  • Linux
  • macOS
  • Windows
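The verification sequence the issue describes, as an added illustration that is not TFLint's code and not the golang.org/x/crypto or ProtonMail/go-crypto implementation: the signature math passes, but the key that produced it is past its expiry, so the verifier must fail closed. Ed25519 from the Go standard library stands in for the OpenPGP signature check; SigningKey models only the two fields that decide expiry, the key creation time and the Key Expiration Time subpacket of its self-signature (RFC 4880 section 5.2.3.6, a lifetime in seconds relative to creation, absent meaning "never expires"). The choice to evaluate expiry at verification time, the names CheckDetachedSignature, SigningKey, Scenario, the checksums.txt content and the dates are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Constructed stand-in for the checksums.txt that a plugin release ships.
const checksumsTxt = "0000000000000000000000000000000000000000000000000000000000000000  tflint-ruleset-aws_linux_amd64.zip\n"

// SigningKey models the subset of an OpenPGP public key that decides expiry.
type SigningKey struct {
	Public       ed25519.PublicKey
	CreationTime time.Time // from the public-key packet
	LifetimeSecs uint32    // Key Expiration Time subpacket; 0 means no expiry
}

// ExpiresAt returns the expiry instant and whether the key expires at all.
func (k SigningKey) ExpiresAt() (time.Time, bool) {
	if k.LifetimeSecs == 0 {
		return time.Time{}, false
	}
	return k.CreationTime.Add(time.Duration(k.LifetimeSecs) * time.Second), true
}

// Expired reports whether the key is expired at the instant `at`.
func (k SigningKey) Expired(at time.Time) bool {
	exp, ok := k.ExpiresAt()
	return ok && !at.Before(exp)
}

var (
	ErrKeyExpired   = errors.New("openpgp: key expired")
	ErrBadSignature = errors.New("openpgp: invalid signature")
)

// CheckDetachedSignature mirrors the shape of the openpgp call in the issue:
// find the keyring entry whose signature verifies over target, then, unlike
// the frozen golang.org/x/crypto package, refuse a key that is expired at
// verification time `now` even though the cryptographic check succeeded.
func CheckDetachedSignature(keyring []SigningKey, target, signature []byte, now time.Time) (SigningKey, error) {
	for _, k := range keyring {
		if !ed25519.Verify(k.Public, target, signature) {
			continue
		}
		if k.Expired(now) {
			return SigningKey{}, fmt.Errorf("failed to check checksums.txt signature: %w", ErrKeyExpired)
		}
		return k, nil
	}
	return SigningKey{}, ErrBadSignature
}

// Scenario signs checksumsTxt with a fresh key that is valid for one year and
// verifies it three times: inside the lifetime, after expiry, and over a
// tampered target. The dates are constructed.
func Scenario() (withinLifetime, afterExpiry, tampered error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err, err, err
	}
	created := time.Date(2022, 5, 1, 0, 0, 0, 0, time.UTC)
	key := SigningKey{Public: pub, CreationTime: created, LifetimeSecs: 365 * 24 * 3600}
	keyring := []SigningKey{key}
	sig := ed25519.Sign(priv, []byte(checksumsTxt))

	_, withinLifetime = CheckDetachedSignature(keyring, []byte(checksumsTxt), sig, created.AddDate(0, 6, 0))
	_, afterExpiry = CheckDetachedSignature(keyring, []byte(checksumsTxt), sig, created.AddDate(1, 0, 1))
	_, tampered = CheckDetachedSignature(keyring, []byte("modified  tflint-ruleset-aws_linux_amd64.zip\n"), sig, created.AddDate(0, 6, 0))
	return withinLifetime, afterExpiry, tampered
}

func main() {
	ok, expired, bad := Scenario()
	fmt.Println("within lifetime:", ok)
	fmt.Println("after expiry:   ", expired)
	fmt.Println("tampered target:", bad)
}
```

The point of the expired case is that the signature itself is still mathematically valid; only the key's validity window has lapsed, which is exactly the condition the deprecated package lets through and a fork that enforces expiry reports as `openpgp: key expired`.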
