From f899f5aa42337af51a9285fff0d1bdcccdc9ca9d Mon Sep 17 00:00:00 2001
From: Martin Atkins
Date: Fri, 21 Feb 2020 17:03:26 -0800
Subject: [PATCH] command/init: new error message for signature verification failure

Our initial Terraform 0.13.0 release will continue to support only the hard-coded official HashiCorp signing key, with support for other keys to follow in a later release once the trust infrastructure is in place to support that. This change is intended to (marginally) improve the UX for a possible future situation where a HashiCorp-distributed provider makes a released signed with a new key and a prior version of Terraform ends up trying to install it due to incorrect version constraints. With this new text we hope to give the user a better prompt for onward troubleshooting, but in a sort of hedging way because we have not yet finalized the details of how new keys might roll out in practice. Hopefully a user seeing this message would consult the release notes for Terraform itself and for the provider in question and find some as-yet-undetermined information about how to proceed. If the decentralized trust model design comes together before the v0.13.0 release then we may make further amendments here to prepare for that, but that work should not block the v0.13.0 release if other work concludes first.
---
 command/init.go | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/command/init.go b/command/init.go
index 3dd6f59c7d..3db440f107 100644
--- a/command/init.go
+++ b/command/init.go
@@ -25,6 +25,7 @@ import (
 "github.com/hashicorp/terraform/states"
 "github.com/hashicorp/terraform/terraform"
 "github.com/hashicorp/terraform/tfdiags"
+ "github.com/hashicorp/terraform/version"
 )

 // InitCommand is a Command implementation that takes a Terraform
@@ -568,7 +569,7 @@ func (c *InitCommand) getProviders(earlyConfig *earlyconfig.Config, state *state
 // Generic version incompatible msg
 c.Ui.Error(fmt.Sprintf(errProviderIncompatible, provider, constraint))
 case err == discovery.ErrorSignatureVerification:
- c.Ui.Error(fmt.Sprintf(errSignatureVerification, provider))
+ c.Ui.Error(fmt.Sprintf(errSignatureVerification, provider, version.SemVer))
 case err == discovery.ErrorChecksumVerification,
 err == discovery.ErrorMissingChecksumVerification:
 c.Ui.Error(fmt.Sprintf(errChecksumVerification, provider))
@@ -1020,9 +1021,12 @@ were changed after this version was released to the Registry.
 `

 const errSignatureVerification = `
-[reset][bold][red]Error verifying GPG signature for provider %[1]q[reset][red]
-Terraform was unable to verify the GPG signature of the downloaded provider
-files using the keys downloaded from the Terraform Registry. This may mean that
-the publisher of the provider removed the key it was signed with, or that the
-distributed files were changed after this version was released.
+[reset][bold][red]Error:[reset][bold] Untrusted signing key for provider %[1]q[reset]
+
+This provider package is not signed with the HashiCorp signing key, and is
+therefore incompatible with Terraform v%[2]s.
+
+A later version of Terraform may have introduced other signing keys that would
+accept this provider. Alternatively, an earlier version of this provider may
+be compatible with Terraform v%[2]s.
 `
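Review bot: The new `errSignatureVerification` text presents every `discovery.ErrorSignatureVerification` as a version-compatibility problem and drops the removed text's warning that the distributed files may have been changed after release. The `case err == discovery.ErrorSignatureVerification:` branch in getProviders (whose body continues outside the hunk) prints this message for any such error. The discovery package is not shown here, but if it returns the same error when a signature fails to validate against the trusted key, the advice to try another Terraform or provider version would lead a user to work around what is really an integrity failure. I would keep one hedged sentence at the end of the message, for example `If you did not expect this provider to be signed with a different key, the downloaded files may have been modified after release and should not be used.` A short comment above the constant noting that it covers both an unknown key and a failed verification would also help whoever later adds support for other signing keys.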