Several of our customers that use Windows require that all executables are signed and verified using Windows SignTool (SignTool - Win32 apps | Microsoft Learn). The Terraform Registry requires that all executables are signed with a GPG key, including Windows-specific binaries. Is there any guidance for Terraform users who want to use plugins from the Terraform registry that are also signed using Windows SignTool?
Are you suggesting that some providers listed in the registry are currently signed in the way your customers expect? Or just that your customers wish for it?
If the SignTool signatures are embedded in the binaries, I suppose that some providers might already be signed, and you might be able to persuade some provider developers to jump through those hoops, but I wouldn’t expect a general solution to emerge.
I’m not a domain expert by any means, but this sounds to me like a problem for an allowlist. See also: “it hurts when I do this”
I don’t know if other providers have faced this problem before. I only know that it’s something my customers are curious about. I can take a deeper look there.
I probably don’t understand well enough how binary signing works. I was assuming that by signing the binary with a GPG key, I would be adding the signature to the file, modifying it and thus potentially invalidating the SignTool-based signature.
A general solution would be nice but isn’t necessary for my case. The answer might even be that we simply can’t use the Terraform registry to host SignTool-signed plugins and that we need to host our own custom registry. I’m mainly trying to fish out if any other provider developers have faced a problem like this before.
The built-in signing works something like this:
- developer compiles provider for each architecture
- developer computes checksums of each architecture-specific build, stores 'em all in a file.
- developer uses their private key to generate a signature for the checksum file, stores it in yet another file
- terraform (running on user machine) consults registry
- registry tells terraform:
  - where to find the appropriate architecture-specific build
  - where to find the checksum summary file
  - where to find the checksum signature file
  - the developer’s public signing key
- terraform downloads all 3 files
- terraform computes the checksum, compares against checksum file, validates checksum file signature
I don’t see any reason why there couldn’t also be windows-specific signatures baked-into the provider binaries, but my windows builds don’t have that.
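The ordering described in the steps above is the whole point for the SignTool question: Authenticode signing modifies the `.exe`, so it has to happen before the binary is zipped and checksummed, while the GPG signature is detached and covers only the checksum file. The script below is an added illustration of that release flow and of the consumer-side check, not code from HashiCorp, the registry, or this thread. The SignTool and GPG argument vectors are assumed invocations (the certificate thumbprint, key id and timestamp URL are placeholders), the provider name and version are made up, and the "binaries" are constructed byte strings rather than real executables.

```python
"""
Release-preparation sketch (added example, not HashiCorp's code):

  1. (Windows only, assumed) Authenticode-sign the .exe with SignTool
  2. zip each architecture-specific build
  3. write the SHA256SUMS file in "<hex>  <filename>" form
  4. create a detached GPG signature of SHA256SUMS (the zips are untouched)

plus the check a consumer performs: recompute the zip digest and compare
it with the entry in SHA256SUMS.
"""
import hashlib
import hmac
import tempfile
import zipfile
from pathlib import Path


def sha256_file(path):
    """Hex SHA-256 of a file, streamed so large zips are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def signtool_argv(exe_path, cert_thumbprint, timestamp_url="http://timestamp.example"):
    """Argument vector for the Authenticode step (assumed invocation; placeholder
    thumbprint/URL). Must run on the raw .exe, before zipping and checksumming."""
    return ["signtool", "sign", "/fd", "SHA256", "/sha1", cert_thumbprint,
            "/tr", timestamp_url, "/td", "SHA256", str(exe_path)]


def gpg_detach_sign_argv(sums_path, key_id):
    """Argument vector for the external GPG signature over the checksum file
    (assumed invocation; placeholder key id). Produces SHA256SUMS.sig alongside."""
    return ["gpg", "--batch", "--yes", "--local-user", key_id, "--detach-sign",
            "--output", str(sums_path) + ".sig", str(sums_path)]


def write_sha256sums(zip_paths, sums_path):
    """Write one '<hex>  <filename>' line per zip; return {filename: hex}."""
    sums = {}
    lines = []
    for p in sorted(zip_paths, key=lambda x: Path(x).name):
        digest = sha256_file(p)
        sums[Path(p).name] = digest
        lines.append(f"{digest}  {Path(p).name}")
    Path(sums_path).write_text("\n".join(lines) + "\n")
    return sums


def parse_sha256sums(text):
    """Parse SHA256SUMS text back into {filename: hex}; blank lines are skipped."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, name = line.partition("  ")
        sums[name.strip()] = digest
    return sums


def verify_artifact(zip_path, sums):
    """Consumer-side check: recompute the zip digest and compare to the manifest."""
    expected = sums.get(Path(zip_path).name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_file(zip_path), expected)


def demo():
    """Build constructed release artifacts, checksum them, verify, then tamper."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        # Constructed stand-ins for compiled provider builds (not real executables).
        builds = {
            "terraform-provider-example_0.1.0_windows_amd64.zip":
                ("terraform-provider-example_v0.1.0.exe", b"MZ constructed windows build\n"),
            "terraform-provider-example_0.1.0_linux_amd64.zip":
                ("terraform-provider-example_v0.1.0", b"\x7fELF constructed linux build\n"),
        }
        zips = []
        for zip_name, (member, payload) in builds.items():
            exe = tmp / member
            exe.write_bytes(payload)
            # On a Windows build host the SignTool step runs here, before zipping:
            #   subprocess.run(signtool_argv(exe, "<THUMBPRINT>"), check=True)
            z = tmp / zip_name
            with zipfile.ZipFile(z, "w", zipfile.ZIP_DEFLATED) as zf:
                zf.write(exe, member)
            zips.append(z)
        sums_path = tmp / "terraform-provider-example_0.1.0_SHA256SUMS"
        write_sha256sums(zips, sums_path)
        # External signature step, not executed here:
        #   subprocess.run(gpg_detach_sign_argv(sums_path, "<KEYID>"), check=True)
        sums = parse_sha256sums(sums_path.read_text())
        all_ok = all(verify_artifact(z, sums) for z in zips)
        # Modify one zip after the manifest was written; its entry no longer matches.
        with open(zips[0], "ab") as f:
            f.write(b"\x00")
        tampered_ok = verify_artifact(zips[0], sums)
        return all_ok, tampered_ok


if __name__ == "__main__":
    print(demo())
```

Because the GPG signature is computed over `SHA256SUMS` rather than over the binaries, re-running SignTool on an already-published `.exe` would change its digest and break the manifest; signing first and then checksumming keeps both signatures valid at once.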
Ah OK, makes sense. The signatures are not actually included in the plugin binaries. Sounds like it’s simply a step I can take before computing checksums for the (signed) binaries. Thanks for the clarification.
Ah… I didn’t understand that you are the developer for the only provider(s) relevant to the question.
The request is much more reasonable with that in mind!
I thought we were talking about the whole universe of possible provider binaries
I realize I formulated my question exceptionally poorly… should have been “Any guidance for Terraform provider maintainers who need to publish binaries signed with SignTool to the Terraform registry?” Thanks @hQnVyLRx for your help!
Right on. As you’ve concluded, the GPG signature for Registry is an “external signature.”
It does not modify the provider binary at all, so I see no conflict between SignTool and the GPG external signature.
The “Manually Preparing a Release” documentation may be the most useful reference for this scenario.
Always happy to chat further if more questions arise.
-Baraa, Terraform Developer Experience