Modify language for reporting signing state

[paultyng]

Be more explicit about the signing status of fetched plugins and provide documentation about the different signing options.

[paultyng]

I'm not sure if this is true, just wanted to cover all the states I saw in code.

[justincampbell]

It might, but not from the Registry, which this doc currently lives in the nav hierarchy. Maybe we could clarify that or group them somehow.

[paultyng]

I moved the doc, this is top level now under plugins.

[alisdair]

We don't support fetching unsigned providers. The only non-local sources follow the Registry protocol, and signatures are mandatory.

[paultyng]

I modified it to say this, let me know your thoughts. I wanted to keep it in there, as we will run unsigned, if not fetch them.

[pkolyvas]

I've left a comment on the warning.

[justincampbell]

It might, but not from the Registry, which this doc currently lives in the nav hierarchy. Maybe we could clarify that or group them somehow.

[alisdair]

The structure of the code makes sense to me. I left some comments inline, mostly about the documentation.

[alisdair]

This document describes plugins in general, but Terraform's tiered signature verification only applies to providers specifically.

[paultyng]

Yeah, in this case i was hedging a little on the future, as this is a URL hard coded in to a shipped binary, was making it a bit more future proof. I can add some language though that currently only provider plugins are authenticated.

[alisdair]

You will want to obtain and validate fingerprints manually if you want to ensure you are using a binary you can trust.

It's not clear to me how a user could take action on this recommendation, unless we give some more detail about how to obtain the key fingerprint, and how to usefully validate it. As I understand it that is the subject of some unspecified future work. Until we have something more concrete to offer here, I think it's better to omit this sentence.

[paultyng]

Until we offer an ability to authenticate, perhaps we should print a fingerprint for this self-signed category to the output for manual verification?

[mildwonkey]

@paultyng we need to limit scope creep, but we will definitely consider that suggestion for a future enhancement. We don't have concrete plans yet, but a number of ideas to extend the community provider trust process in later releases.

[paultyng]

I added in this PR to output KeyID when its third party signed, maybe that will be sufficient?

[codecov]

Codecov Report

Merging #24932 into master will decrease coverage by 0.01%.
The diff coverage is 52.38%.

Impacted Files	Coverage Δ
internal/providercache/installer_events.go	42.85% <ø> (ø)
command/init.go	67.07% <31.25%> (-1.20%)	⬇️
internal/providercache/installer.go	20.57% <40.00%> (+0.08%)	⬆️
internal/getproviders/package_authentication.go	88.33% <71.42%> (-4.46%)	⬇️
dag/walk.go	92.54% <0.00%> (-0.63%)	⬇️

[alisdair]

👍 from me once the remaining minor issues are addressed. Thanks!

[paultyng]

The warning was removed after discussions with @alisdair as it was not longer used.

[justincampbell]

Language and docs look good to me!

[mildwonkey]

Thank you!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.