Failed to verify third-party plugin signature in private repositories #2209

nikhithabyreddy opened this issue Jan 15, 2025 · 8 comments · May be fixed by #2223
@nikhithabyreddy

Summary

We have an in-house plugin created to check for tags in resources, which is installed as part of tflint init. While performing tflint --init we are getting the error below:
14:28:05 signature.go:135: [DEBUG] Failed to verify signature: failed to verify log inclusion: not enough verified log entries from transparency log: 0 < 1
Failed to install a plugin; Failed to check checksums.txt signature: failed to verify log inclusion: not enough verified log entries from transparency log: 0 < 1

Command

tflint --init

Terraform Configuration

terraform {
  required_version = "1.9.3"
}

TFLint Configuration

plugin "xxxx" {
  enabled = true
  version = "0.1.0"
  source  = "github.com/xxxx/tflint-ruleset-xxxx"
}

Output

14:28:05 signature.go:135: [DEBUG] Failed to verify signature: failed to verify log inclusion: not enough verified log entries from transparency log: 0 < 1
Failed to install a plugin; Failed to check checksums.txt signature: failed to verify log inclusion: not enough verified log entries from transparency log: 0 < 1

TFLint Version

0.55.0

Terraform Version

1.9.3

Operating System

  • Linux
  • macOS
  • Windows
@wata727
Member

wata727 commented Jan 15, 2025

Thank you for reporting this. This is due to the plugin keyless verification introduced in v0.55.
From the error, it looks like the transparency logs aren't included in the artifact attestation, but I'm not sure in what cases that would happen.

Can you share the artifact attestation of the plugin you have installed?
You can see them in https://github.com/xxxx/tflint-ruleset-xxxx/attestations

@nikhithabyreddy
Author

@wata727 Here is the artifact attestation
attestation-sigstore (2).json

@nikhithabyreddy
Author

@wata727 Any update on the above issue?

@wata727 wata727 changed the title Failed to verify signature Failed to verify third-party plugin signature in private repositories Jan 26, 2025
@wata727
Member

wata727 commented Jan 26, 2025

It seems that we need the GitHub Enterprise Cloud plan to test Artifact Attestations in private repositories.
https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds

Supporting artifact attestations in private repositories can be difficult as we don't have sufficient funding to test the feature.
Plugins built in private repositories are likely secure enough, so skipping verification here might be a good start.

@bendrucker
Member

It seems like it should be possible to verify them as long as the transparency log option is off in the verifier. This does make sense: it's a private repository, so it can't be identified in transparency logs.

I'm a GitHub Enterprise member, so I can do one-time testing. We wouldn't have automated integration testing, but it seems like the API difference is explicit enough that it won't be too hard to support. I would tend to agree that in practice external open source orgs are probably higher risk than internal compromises. But the sort of organization that wants to keep their plugins private is also more generally risk-averse and would want to defend against both.
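To make the failure mode concrete, here is an added, stand-alone illustration (not TFLint's own code, and not its sigstore-go call path) of the threshold check behind the reported error: a Sigstore bundle for a private-repository build carries no tlogEntries, so a verifier that requires at least one transparency-log entry fails with "0 < 1". It goes a step beyond the thread by showing the policy a verifier would reasonably apply once that requirement is switched off: an RFC 3161 signed timestamp must be present instead, so that the signing certificate can still be anchored in time. The bundle JSON, the checkLogInclusion function and the "assumption" comments are constructed for this example; entries are counted as present rather than cryptographically verified.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal view of a Sigstore bundle's verificationMaterial: only the two
// collections this check looks at.
type bundle struct {
	VerificationMaterial struct {
		TlogEntries               []json.RawMessage `json:"tlogEntries"`
		TimestampVerificationData struct {
			Rfc3161Timestamps []json.RawMessage `json:"rfc3161Timestamps"`
		} `json:"timestampVerificationData"`
	} `json:"verificationMaterial"`
}

// checkLogInclusion mirrors the threshold behind the error in the issue:
// the bundle must carry at least logThreshold transparency-log entries.
// With logThreshold == 0 the log requirement is skipped; assumption (not
// from the thread): a bundle with no log entry must then carry a signed
// RFC 3161 timestamp, otherwise the signing time cannot be established.
func checkLogInclusion(raw []byte, logThreshold int) error {
	var b bundle
	if err := json.Unmarshal(raw, &b); err != nil {
		return fmt.Errorf("failed to parse bundle: %w", err)
	}
	n := len(b.VerificationMaterial.TlogEntries)
	if n < logThreshold {
		return fmt.Errorf("failed to verify log inclusion: not enough verified log entries from transparency log: %d < %d", n, logThreshold)
	}
	if n == 0 && len(b.VerificationMaterial.TimestampVerificationData.Rfc3161Timestamps) == 0 {
		return fmt.Errorf("no transparency log entry and no signed timestamp: signing time cannot be established")
	}
	return nil
}

// Constructed sample bundles (not the attachment from the issue).
const privateRepoBundle = `{"verificationMaterial":{"tlogEntries":[],"timestampVerificationData":{"rfc3161Timestamps":[{"signedTimestamp":"PLACEHOLDER"}]}}}`
const publicRepoBundle = `{"verificationMaterial":{"tlogEntries":[{"logIndex":"1"}]}}`

func main() {
	fmt.Println("public, threshold 1: ", checkLogInclusion([]byte(publicRepoBundle), 1))
	fmt.Println("private, threshold 1:", checkLogInclusion([]byte(privateRepoBundle), 1))
	fmt.Println("private, threshold 0:", checkLogInclusion([]byte(privateRepoBundle), 0))
}
```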

@wata727
Member

wata727 commented Jan 29, 2025

@bendrucker Thank you for your suggestion!

Initially, I had a vision of forcing artifact attestations on all plugins, but given the plan limitations, I feel we need to have some kind of workaround for private plugins. If private plugins are always not verified, the verification behavior is always consistent without introducing an option like verify = true. However, if we provide an option to verify artifact attestations for private plugins, we will need to introduce a verify = true|false option, which may seem dangerous at first glance.

This side effect requires some thought, but I agree with you that providing the option to verify could certainly be beneficial for risk-averse organizations. How about releasing v0.55.1 with #2223 to always skip verification, and then in the next versions (0.56+) supporting artifact attestation for private plugins?

@bendrucker
Member

Yeah, for sure, definitely patch it for the short term until we can test verification on a private repo.
