Get `tfenv` to verify Terraform signature
msuzoagu commented
Description
By default, Terraform signature isn't verified by tfenv.
Current Workaround/Patch
Manual creation of the required trust-tfenv directive via:
```
touch /opt/homebrew/Cellar/tfenv/3.0.0/use-gnupg
echo 'trust-tfenv: yes' > /opt/homebrew/Cellar/tfenv/3.0.0/use-gnupg
```
Where `/opt/homebrew/Cellar/tfenv/3.0.0` == `HOMEBREW_INSTALL_DIR_FOR_TFENV`
Good To Know
The trust-tfenv directive means that verification uses a copy of the Hashicorp OpenPGP key found in the tfenv repository. Skipping that directive means that the Hashicorp key must be in the existing default trusted keys. Use the file ${TFENV_INSTALL_DIR}/use-gnupg to instead invoke the full gpg tool and see web-of-trust status; beware that a lack of trust path will not cause a validation failure.
Todo
On a high level, the issue involves 2 steps:
- Is GnuPG present?
- Then handle `tfenv`

Basic level:
- check for GnuPG string in Brewfile
- check if tfenv is listed in Brewfile
- if true, then add a function in `script/bootstrap` that:
  - gets/sets $HOMEBREW_INSTALL_DIR for `tfenv`
  - creates the required trust-tfenv directive
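One way to write the `script/bootstrap` function outlined in the Todo, as an added example that is not part of the original issue or of tfenv. The function names, the arguments and the `brew --prefix tfenv` lookup of the install directory are assumptions; the marker file defaults to `use-gnupg` as in the workaround above.

```shell
# Added example for script/bootstrap; all function and argument names are hypothetical.

# brewfile_has BREWFILE FORMULA
# True if the Brewfile has a line such as: brew "FORMULA"
# (optionally tap-qualified, e.g. brew "some/tap/FORMULA").
brewfile_has() {
  grep -Eq "^[[:space:]]*brew[[:space:]]+[\"']([^\"'/]+/)*$2[\"']" "$1"
}

# enable_tfenv_verification BREWFILE [INSTALL_DIR] [MARKER]
# Returns 0 when the directive was written, 1 when skipped, 2 on error.
enable_tfenv_verification() {
  tfv_brewfile="$1"
  tfv_dir="${2:-}"
  tfv_marker="${3:-use-gnupg}"   # file name used in the issue's workaround

  [ -r "$tfv_brewfile" ] || { echo "cannot read $tfv_brewfile" >&2; return 2; }

  # Step 1: is GnuPG present in the Brewfile?
  brewfile_has "$tfv_brewfile" gnupg || {
    echo "gnupg not listed in $tfv_brewfile; skipping" >&2; return 1; }

  # Step 2: only handle tfenv when the Brewfile installs it.
  brewfile_has "$tfv_brewfile" tfenv || {
    echo "tfenv not listed in $tfv_brewfile; skipping" >&2; return 1; }

  # Assumption: Homebrew's prefix for the formula is tfenv's install directory.
  [ -n "$tfv_dir" ] || tfv_dir="$(brew --prefix tfenv)" || return 2
  [ -d "$tfv_dir" ] || { echo "no tfenv directory at $tfv_dir" >&2; return 2; }

  # Idempotent: the file is rewritten in full on every bootstrap run.
  printf 'trust-tfenv: yes\n' > "$tfv_dir/$tfv_marker"
}
```

In the bootstrap script this would be called as `enable_tfenv_verification ./Brewfile || true` so a skipped step does not abort the run. tfenv's README also describes a `use-gpgv` file; pass that name as the third argument to write the directive there instead.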