Provider plugin signing process #27
loafoe announced in Announcements
Terraform providers installed from the Registry are cryptographically signed, and the signature is verified at installation time. There are three types of provider signatures, each with different trust implications:
Signed by HashiCorp: built, signed, and supported by HashiCorp.
Signed by Trusted Partners: built, signed, and supported by a third party. HashiCorp has verified the ownership of the private key and provides a chain of trust to the CLI so that the signature can be verified programmatically.
Self-signed: built, signed, and supported by a third party. HashiCorp does not provide a verification or chain of trust for the signature. You may obtain and validate key fingerprints manually if you want to ensure you are using a binary you can trust.
The Cloud Foundry provider plugin falls in the third category. The provider binaries are built, signed and published from the project maintainer's secured local system; no GitHub workflows or online secrets are used. The signing key is encrypted on disk and protected with a passphrase. The release process is kicked off manually after tagging a reviewed git commit on the main branch of the repository. The goreleaser tool is used for building, signing and pushing the release packages to GitHub. Releases from 2020-07-03 onwards are all signed with the signing key bearing the following Key ID: C0E4EB79E9E6A23D
Owner: Andy Lo-A-Foe [email protected]
Security best practices
To leverage the Terraform plugin signing process as part of your supply chain validation we recommend the following steps in your deploy process/pipelines:
1. Check provider signatures
When updating your provider plugin versions, always check the signature. See the output below for an example:
2. Pin provider versions
By pinning the provider version to a fixed version you won't get automatic updates of newer versions. This allows you to control the upgrade process, but also means you'll probably want to include Dependabot or other tooling to notify you of any updates, which may include security related fixes.
An example versions.tf of a pinned dependency:
3. Verify Terraform binaries
Pinning and verification of provider plugins are only trustworthy if your Terraform binary is also trusted. Therefore always make sure the binary you use is built and signed by HashiCorp. See Verify Terraform binary archives for details on this process.
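As an added example (not part of this announcement or of the provider project), the three steps above expressed as shell gates a pipeline can run before terraform apply: step 1 parses saved terraform init output and rejects any provider that is neither signed by HashiCorp nor signed with an allow-listed key ID (here only the Cloud Foundry key ID given above); step 2 rejects provider version constraints that are not exact pins; step 3 verifies a downloaded Terraform archive against the signed SHA256SUMS file. The init log lines, the versions.tf and the release files are constructed fixtures; the provider source address cloudfoundry-community/cloudfoundry and all version numbers are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the announcement or the provider project.
# Three pipeline gates matching the steps above. Assumes POSIX sh, GNU
# coreutils (sha256sum; shasum fallback) and `terraform init` output saved
# to a file. Provider source and version numbers are placeholders.
set -eu
if ! command -v sha256sum >/dev/null 2>&1; then sha256sum() { shasum -a 256 "$@"; }; fi

# Key IDs accepted for self-signed or partner-signed providers. The Cloud
# Foundry key ID is the one published above; anything else is rejected.
TRUSTED_KEY_IDS="C0E4EB79E9E6A23D"

# Step 1: every "- Installed ..." line must be signed by HashiCorp or carry
# an allow-listed key ID ("unauthenticated" has no key ID and so fails).
check_provider_signatures() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            *"- Installed "*"(signed by HashiCorp)"*) continue ;;
            *"- Installed "*) ;;
            *) continue ;;
        esac
        key=$(printf '%s\n' "$line" | sed -n 's/.*key ID \([0-9A-Fa-f]*\)).*/\1/p')
        ok=0
        for trusted in $TRUSTED_KEY_IDS; do
            if [ -n "$key" ] && [ "$key" = "$trusted" ]; then ok=1; fi
        done
        if [ "$ok" -eq 0 ]; then echo "UNTRUSTED: $line" >&2; bad=1; fi
    done < "$1"
    return "$bad"
}

# Step 2: provider `version = "..."` constraints must be exact ("0.15.0" or
# "= 0.15.0"); range operators such as ~> and >= are rejected. Terraform's
# own `required_version` line is deliberately not matched.
check_exact_pins() {
    constraints=$(sed -n 's/^[[:space:]]*version[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1")
    if [ -z "$constraints" ]; then echo "no provider version constraints in $1" >&2; return 1; fi
    loose=$(printf '%s\n' "$constraints" | grep -Ev '^(=[[:space:]]*)?[0-9]+(\.[0-9]+){1,2}$' || true)
    if [ -n "$loose" ]; then echo "NOT PINNED: $loose" >&2; return 1; fi
}

# Step 3a: verify the detached signature on SHA256SUMS with HashiCorp's public
# key (already imported). Needs gpg and the downloaded files, so the demo
# below does not call it; run it before the checksum comparison.
verify_sums_signature() {
    gpg --verify "$1.sig" "$1"
}

# Step 3b: compare the archive's SHA-256 with its entry in the signature-
# verified SHA256SUMS. A missing entry fails too, so a renamed or substituted
# archive cannot pass silently.
verify_archive_checksum() {
    sums=$1; archive=$2
    expected=$(awk -v f="$(basename "$archive")" '$2 == f { print $1 }' "$sums")
    if [ -z "$expected" ]; then echo "no entry for $archive in $sums" >&2; return 1; fi
    actual=$(sha256sum "$archive" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Constructed fixtures (not real init output, versions.tf or release files).
make_fixtures() {
    d=$1
    cat > "$d/init-good.log" <<'EOF'
Initializing provider plugins...
- Installed cloudfoundry-community/cloudfoundry v0.15.0 (self-signed, key ID C0E4EB79E9E6A23D)
- Installed hashicorp/random v3.1.0 (signed by HashiCorp)
EOF
    cat > "$d/init-bad.log" <<'EOF'
- Installed cloudfoundry-community/cloudfoundry v0.15.0 (self-signed, key ID 0000000000000000)
- Installed example/mirrored v1.0.0 (unauthenticated)
EOF
    cat > "$d/versions-pinned.tf" <<'EOF'
terraform {
  required_version = "~> 1.3"
  required_providers {
    cloudfoundry = {
      source  = "cloudfoundry-community/cloudfoundry"
      version = "= 0.15.0"
    }
  }
}
EOF
    sed 's/= 0.15.0/~> 0.15/' "$d/versions-pinned.tf" > "$d/versions-loose.tf"
    printf 'stand-in archive bytes\n' > "$d/terraform_1.3.0_linux_amd64.zip"
    (cd "$d" && sha256sum terraform_1.3.0_linux_amd64.zip > SHA256SUMS)
    mkdir "$d/tampered"
    printf 'tampered archive bytes\n' > "$d/tampered/terraform_1.3.0_linux_amd64.zip"
}

# Demo: run every gate on the fixtures and report PASS/FAIL without aborting.
demo() {
    d=$(mktemp -d)
    make_fixtures "$d"
    for c in "check_provider_signatures $d/init-good.log" \
             "check_provider_signatures $d/init-bad.log" \
             "check_exact_pins $d/versions-pinned.tf" \
             "check_exact_pins $d/versions-loose.tf" \
             "verify_archive_checksum $d/SHA256SUMS $d/terraform_1.3.0_linux_amd64.zip" \
             "verify_archive_checksum $d/SHA256SUMS $d/tampered/terraform_1.3.0_linux_amd64.zip"; do
        if $c 2>/dev/null; then echo "PASS: $c"; else echo "FAIL: $c"; fi
    done
    rm -rf "$d"
}
demo
```

Two caveats when wiring this into a pipeline. The signing line is only printed when terraform init actually downloads a provider; a cached one prints "Using previously-installed ..." with no key ID, so run the step 1 check from a clean working directory (or a fresh pipeline container) and keep .terraform.lock.hcl in version control so later installs are held to the recorded hashes. For step 3, run verify_sums_signature (gpg --verify SHA256SUMS.sig SHA256SUMS against HashiCorp's imported public key) before verify_archive_checksum; without the signature check a tampered SHA256SUMS would simply carry the attacker's own hash.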