author | Josh Spicer <joshspicer@github.com> | 2023-06-21 21:13:46 +0300 |
committer | GitHub <noreply@github.com> | 2023-06-21 21:13:46 +0300 |
commit | d934503a050ba84e6b42a006aacd891c4088eb62 (patch) | |
tree | 44be975bd7ce4832c81ac93bc7ad4f15fc200b36 /src/terraform/install.sh | |
parent | 2258fcb040d74de01dbfc9df7d8800d90a13d56c (diff) |
Terraform: Add cosign integrity check for TFLint (#586)feature_terraform_1.3.2
* add cosign integrity check for tflint
* fallback to gpg verification
Diffstat (limited to 'src/terraform/install.sh')
-rwxr-xr-x | src/terraform/install.sh | 61 |
1 files changed, 53 insertions, 8 deletions
diff --git a/src/terraform/install.sh b/src/terraform/install.sh
index 75653c3..81682e8 100755
--- a/src/terraform/install.sh
+++ b/src/terraform/install.sh
@@ -158,6 +158,26 @@ check_packages() {
     fi
 }
 
+# Install 'cosign' for validating signatures
+# https://docs.sigstore.dev/cosign/overview/
+ensure_cosign() {
+    check_packages curl ca-certificates gnupg2
+
+    if ! type cosign > /dev/null 2>&1; then
+        echo "Installing cosign..."
+        local LATEST_COSIGN_VERSION=$(curl https://api.github.com/repos/sigstore/cosign/releases/latest | grep tag_name | cut -d : -f2 | tr -d "v\", ")
+        curl -L "https://github.com/sigstore/cosign/releases/latest/download/cosign_${LATEST_COSIGN_VERSION}_${architecture}.deb" -o /tmp/cosign_${LATEST_COSIGN_VERSION}_${architecture}.deb
+
+        dpkg -i /tmp/cosign_${LATEST_COSIGN_VERSION}_${architecture}.deb
+        rm /tmp/cosign_${LATEST_COSIGN_VERSION}_${architecture}.deb
+    fi
+    if ! type cosign > /dev/null 2>&1; then
+        echo "(!) Failed to install cosign."
+        exit 1
+    fi
+    cosign version
+}
+
 # Ensure apt is in non-interactive to avoid prompts
 export DEBIAN_FRONTEND=noninteractive
 
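Review bot: `ensure_cosign` installs the tool that every later TFLint verification trusts, yet the `.deb` it fetches from `releases/latest/download/` is installed with `dpkg -i` as root without any checksum or signature check, so the whole chain rests on TLS to github.com alone. Pin the version instead of resolving `latest` through the unauthenticated API call (which is rate-limited and, because the result lands in `local LATEST_COSIGN_VERSION=$(…)`, an empty or failed response is not caught under `set -e`), fetch with `curl -fsSL`, and compare the package against a pinned SHA-256 before installing, e.g. `echo "${COSIGN_SHA256} /tmp/cosign_${COSIGN_VERSION}_${architecture}.deb" | sha256sum -c -`. The `curl -L …` download also lacks `-f`, so a 404 leaves an error body in the `.deb` path that `dpkg -i` then rejects with a confusing message rather than a clear download failure. `${architecture}` is defined outside this hunk.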
@@ -198,17 +218,42 @@ if [ "${TFLINT_VERSION}" != "none" ]; then
     TFLINT_FILENAME="tflint_linux_${architecture}.zip"
     curl -sSL -o /tmp/tf-downloads/${TFLINT_FILENAME} https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/${TFLINT_FILENAME}
     if [ "${TFLINT_SHA256}" != "dev-mode" ]; then
-        if [ "${TFLINT_SHA256}" = "automatic" ]; then
-            curl -sSL -o tflint_key "${TFLINT_GPG_KEY_URI}"
-            gpg -q --import tflint_key
-            curl -sSL -o tflint_checksums.txt https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt
-            curl -sSL -o tflint_checksums.txt.sig https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.sig
-            gpg --verify tflint_checksums.txt.sig tflint_checksums.txt
-        else
+
+        if [ "${TFLINT_SHA256}" != "automatic" ]; then
             echo "${TFLINT_SHA256} *${TFLINT_FILENAME}" > tflint_checksums.txt
+            sha256sum --ignore-missing -c tflint_checksums.txt
+        else
+            curl -sSL -o tflint_checksums.txt https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt
+
+            set +e
+            curl -sSL -o checksums.txt.keyless.sig https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.keyless.sig
+            set -e
+
+            # Check that checksums.txt.keyless.sig exists and is not empty
+            if [ -s checksums.txt.keyless.sig ]; then
+                # Validate checksums with cosign
+                curl -sSL -o checksums.txt.pem https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.pem
+                ensure_cosign
+                cosign verify-blob \
+                    --certificate=/tmp/tf-downloads/checksums.txt.pem \
+                    --signature=/tmp/tf-downloads/checksums.txt.keyless.sig \
+                    --certificate-identity-regexp="^https://github.com/terraform-linters/tflint" \
+                    --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+                    /tmp/tf-downloads/tflint_checksums.txt
+                # Ensure that checksums.txt has $TFLINT_FILENAME
+                grep ${TFLINT_FILENAME} /tmp/tf-downloads/tflint_checksums.txt
+                # Validate downloaded file
+                sha256sum --ignore-missing -c tflint_checksums.txt
+            else
+                # Fallback to older, GPG-based verification (pre-0.47.0 of tflint)
+                curl -sSL -o tflint_checksums.txt.sig https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.sig
+                curl -sSL -o tflint_key "${TFLINT_GPG_KEY_URI}"
+                gpg -q --import tflint_key
+                gpg --verify tflint_checksums.txt.sig tflint_checksums.txt
+            fi
         fi
-        sha256sum --ignore-missing -c tflint_checksums.txt
     fi
+
     unzip /tmp/tf-downloads/${TFLINT_FILENAME}
     mv -f tflint /usr/local/bin/
 fi
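Review bot: The keyless-signature probe `curl -sSL -o checksums.txt.keyless.sig …` never reaches the GPG fallback for releases that lack the asset, because without `-f` curl exits 0 on an HTTP 404 and writes the error body into the file, so `[ -s checksums.txt.keyless.sig ]` is true and `cosign verify-blob` then aborts the script on a bogus signature. Change it to `curl -fsSL -o checksums.txt.keyless.sig "https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.keyless.sig" || true` (which also makes the surrounding `set +e`/`set -e` pair unnecessary) and `rm -f` the file first so a leftover from an earlier run cannot satisfy the test. Separately, `--certificate-identity-regexp="^https://github.com/terraform-linters/tflint"` is not anchored on the right and would also accept a signing workflow from any sibling repository whose name begins with `tflint`; tighten it to `"^https://github.com/terraform-linters/tflint/"`. The relative `tflint_checksums.txt` paths next to the absolute `/tmp/tf-downloads/…` ones presumably rely on a `cd /tmp/tf-downloads` performed outside this hunk.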