Hi! I was told this would be a good place to ask this because this is where the responders for the GPG exposure incident are monitoring?
I’m seeing that this PR is released for the version I’m using 0.12.31.
Unfortunately, even after reinstalling terraform, I’m still getting these errors intermittently, with it succeeding only ~10% of the time:
Upgrading modules...
Initializing the backend...
Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing provider plugins...
- Checking for available provider plugins...
Error verifying GPG signature for provider "template"
Terraform was unable to verify the GPG signature of the downloaded provider
files using the keys downloaded from the Terraform Registry. This may mean that
the publisher of the provider removed the key it was signed with, or that the
distributed files were changed after this version was released.
Error verifying GPG signature for provider "kubernetes"
Terraform was unable to verify the GPG signature of the downloaded provider
files using the keys downloaded from the Terraform Registry. This may mean that
the publisher of the provider removed the key it was signed with, or that the
distributed files were changed after this version was released.
- Downloading plugin for provider "vault" (hashicorp/vault) 2.19.1...
- Downloading plugin for provider "aws" (hashicorp/aws) 3.37.0...
Error: unable to verify signature
Error: unable to verify signature
But is this Error: unable to verify signature error expected at this stage?
Or does more need to be done beyond the terraform core change - for example do the individual providers need to be resigned as well?
To provide an update for this - maybe disregard?
It appears that reverting to 0.12.29 works as of today - though it did not yesterday! 0.12.31 still does not work currently, but this temporary solve works for now
Since it’s successful only 10% of the time for 0.12.31, that’s a tiny bit suspicious - caching? But no pressure on resolving/responding now that we have this temporary fix in place!
The problems with 0.12.31 were mostly due to stale cached responses which did not successfully purge. We have tracked those down and have not seen any other reports since. Can you verify that it is working for you now?
We are also seeing this trying to verify google’s signature on 0.12.5
Initializing provider plugins…
Checking for available provider plugins…
Error verifying GPG signature for provider “google”
Terraform was unable to verify the GPG signature of the downloaded provider
files using the keys downloaded from the Terraform Registry. This may mean that
the publisher of the provider removed the key it was signed with, or that the
distributed files were changed after this version was released.
Downloading plugin for provider “template” (hashicorp/template) 2.2.0…
Error: unable to verify signature
Only the updated Terraform CLI versions van validate new provider releases. You must either pin the desired compatible provider version, update the cli version, or skip validation. See the main notice here: Terraform Updates for HCSEC-2021-12
Downloading plugin for provider “panos” (terraform-providers/panos) 1.8.2…
Warning:registry.terraform.io: For users on Terraform 0.13 or greater, this provider has moved to PaloAltoNetworks/panos. Please update your source in required_providers.
Hi! I was told this would be a good place to ask this because this is where the responders for the GPG exposure incident are monitoring?
