Modify language for reporting signing state

Be more explicit about the signing status of fetched plugins and provide documentation about the different signing options.

Author: paultyng

command/init.go

@@ -519,6 +519,18 @@ func (c *InitCommand) getProviders(earlyConfig *earlyconfig.Config, state *state
 
 			c.Ui.Info(fmt.Sprintf("- Installed %s v%s (%s)%s", provider.ForDisplay(), version, authResult, warning))
 		},
+		ProvidersFetched: func(authResults map[addrs.Provider]*getproviders.PackageAuthenticationResult) {
+			thirdPartySigned := false
+			for _, authResult := range authResults {
+				if authResult.ThirdPartySigned() {
+					thirdPartySigned = true
+					break
+				}
+			}
+			if thirdPartySigned {
+				c.Ui.Info(fmt.Sprintf("\nYou have initialized providers which are signed by third parties, you can read more about Terraform's signature verification: https://www.terraform.io/docs/signing.html"))
+			}
+		},
 	}
 
 	mode := providercache.InstallNewProvidersOnly

internal/getproviders/package_authentication.go

@@ -37,16 +37,29 @@ type PackageAuthenticationResult struct {
 
 func (t *PackageAuthenticationResult) String() string {
 	if t == nil {
-		return "unauthenticated"
+		return "unsigned"
 	}
 	return []string{
 		"verified checksum",
-		"official provider",
-		"partner provider",
-		"community provider",
+		"signed by HashiCorp",
+		"signed by trusted partner",
+		"self-signed",
 	}[t.result]
 }
 
+// ThirdPartySigned returns whether the package was authenticated as signed by a party
+// other than HashiCorp.
+func (t *PackageAuthenticationResult) ThirdPartySigned() bool {
+	if t == nil {
+		return false
+	}
+	if t.result == partnerProvider || t.result == communityProvider {
+		return true
+	}
+
+	return false
+}
+
 // SigningKey represents a key used to sign packages from a registry, along
 // with an optional trust signature from the registry operator. These are
 // both in ASCII armored OpenPGP format.

internal/providercache/installer.go

@@ -260,7 +260,8 @@ NeedProvider:
 
 	// Step 3: For each provider version we've decided we need to install,
 	// install its package into our target cache (possibly via the global cache).
-	targetPlatform := i.targetDir.targetPlatform // we inherit this to behave correctly in unit tests
+	authResults := map[addrs.Provider]*getproviders.PackageAuthenticationResult{} // record auth results for all successfully fetched providers
+	targetPlatform := i.targetDir.targetPlatform                                  // we inherit this to behave correctly in unit tests
 	for provider, version := range need {
 		if i.globalCacheDir != nil {
 			// Step 3a: If our global cache already has this version available then
@@ -399,12 +400,18 @@ NeedProvider:
 				continue
 			}
 		}
+		authResults[provider] = authResult
 		selected[provider] = version
 		if cb := evts.FetchPackageSuccess; cb != nil {
 			cb(provider, version, new.PackageDir, authResult)
 		}
 	}
 
+	// Emit final event for fetching if any were successfully fetched
+	if cb := evts.ProvidersFetched; cb != nil && len(authResults) > 0 {
+		cb(authResults)
+	}
+
 	// We'll remember our selections in a lock file inside the target directory,
 	// so callers can recover those exact selections later by calling
 	// SelectedPackages on the same installer.

internal/providercache/installer_events.go

@@ -107,6 +107,10 @@ type InstallerEvents struct {
 	FetchPackageRetry   func(provider addrs.Provider, version getproviders.Version, err error)
 	FetchPackageFailure func(provider addrs.Provider, version getproviders.Version, err error)
 
+	// The ProvidersFetched event is called after all fetch operations if at
+	// least one provider was fetched successfully.
+	ProvidersFetched func(authResults map[addrs.Provider]*getproviders.PackageAuthenticationResult)
+
 	// HashPackageFailure is called if the installer is unable to determine
 	// the hash of the contents of an installed package after installation.
 	// In that case, the selection will not be recorded in the target cache

website/docs/plugins/signing.html.md

@@ -0,0 +1,22 @@
+---
+layout: "registry"
+page_title: "Plugin Signing"
+sidebar_current: "docs-plugins-signing"
+description: |-
+  Terraform plugin signing trust levels
+---
+
+# Plugin Signing
+
+There are four levels of signing and programattic authentication for plugins in Terraform:
+
+* **Signed by HashiCorp** - are built, signed, and supported by HashiCorp. Official provider plugins can 
+typically be used without specifying provider source information in your Terraform configuration.
+* **Signed by Trusted Partners** - are built, signed, and supported by a third party. HashiCorp has 
+verified the ownership of the private key and we provide a chain of trust to the CLI to verify this
+programatically. To use partner providers in your Terraform configuration, you need to specify the
+provider source, typically this is the namespace and name to download from the registry.
+* **Self-signed** - are built, signed, and supported by a third party. HashiCorp does not provide a verification or chain of trust for the signing. You will want to obtain and validate fingerprints manually if you want to ensure you are using a binary you can trust.
+* **Unsigned** - Terraform does support fetching and using unsigned binaries, but you should take extreme care when doing so as no programatic authentication is performed on the downloaded binary.
+
+Usage of plugins from the registry is subject to the Registry's [Terms of Use](https://registry.terraform.io/terms).

website/docs/registry/providers/tiers.html.md

@@ -424,6 +424,10 @@
             <a href="/docs/plugins/basics.html">Basics</a>
           </li>
 
+          <li<%= sidebar_current("docs-plugins-signing") %>>
+            <a href="/docs/plugins/signing.html">Signing</a>
+          </li>
+
           <li<%= sidebar_current("docs-plugins-provider") %>>
             <a href="/docs/plugins/provider.html">Provider</a>
           </li>