adding JFrog's public GPG key to OpenTofu registry

Question

adding JFrog's public GPG key to OpenTofu registry

Closed this issue 4 months ago · 10 comments

Is your feature request related to a problem? Please describe.
When trying to use terraform-provider-artifactory via OpenTofu, I receive the following error:

Installed jfrog/artifactory v10.3.1. Signature validation was skipped due to the registry not containing GPG keys for this provider

This arises because OpenTofu needs a member of JFrog's GitHub org to validate the public key used to sign provider releases.

Describe the solution you'd like
A member of JFrog's GitHub org needs to open a PR to opentofu/registry using this PR form for signing keys.

Describe alternatives you've considered
N/A

Additional context
I believe submitting the GPG will cover all of JFrog's providers.

Answer 1 · 2024-03-14T16:07:05.000Z

@StephenWithPH Thanks for the head up. I've added this to our sprint.

Answer 2 · 2024-03-14T16:49:15.000Z

I believe submitting the GPG will cover all of JFrog's providers.

It occurred to me that my comment makes the assumption that JFrog uses the same signing key for all five of the providers. If that's not the case, you'll need to submit the signing key for each.

Answer 3 · 2024-03-15T16:29:23.000Z

@StephenWithPH See opentofu/registry#315

Answer 4 · 2024-03-15T17:15:24.000Z

Thank you for the quick turnaround! 🎉

Answer 5 · 2024-03-15T17:37:08.000Z

@StephenWithPH I submitted an expired public key the first time. You may see this error message Error while installing jfrog/artifactory v10.1.4: authentication signature from unknown issuer until my new PR is merged and synced at next cron job run (at top of the hour).

Answer 6 · 2024-03-15T17:38:00.000Z

Got it. No worries!

Answer 7 · 2024-03-15T18:30:32.000Z

@StephenWithPH All fixed!

Answer 8 · 2024-03-18T17:58:21.000Z

@StephenWithPH Turns out we were using a separate (older) signing key for Artifactory provider, whereas the other providers use the same (newer) key. Terraform registry allows for multiple signing keys but OpenTofu doesn't. Thus once I uploaded the old key to OpenTofu registry, the other 4 providers were no longer installable.

I've updated this provider to be signed with the newer key as well as updating OpenTofu registry with this key, so this problem is solved. Right now we are waiting for OpenTofu registry cache to be updated before 10.3.3 is installable in OpenTofu.

Answer 9 · 2024-03-18T18:02:49.000Z

Thank you for your continued work on this. Glad to hear that the bumps are getting smoothed out. I'll keep an eye on that linked issue.

Answer 10 · 2024-03-18T18:39:50.000Z

@StephenWithPH tofu init just now runs successfully with new key ID.