aboutsummaryrefslogtreecommitdiff
path: root/src/terraform/install.sh
diff options
context:
space:
mode:
Diffstat (limited to 'src/terraform/install.sh')
-rwxr-xr-xsrc/terraform/install.sh61
1 files changed, 53 insertions, 8 deletions
diff --git a/src/terraform/install.sh b/src/terraform/install.sh
index 75653c3..81682e8 100755
--- a/src/terraform/install.sh
+++ b/src/terraform/install.sh
@@ -158,6 +158,26 @@ check_packages() {
fi
}
+# Install 'cosign' for validating signatures
+# https://docs.sigstore.dev/cosign/overview/
+ensure_cosign() {
+ check_packages curl ca-certificates gnupg2
+
+ if ! type cosign > /dev/null 2>&1; then
+ echo "Installing cosign..."
+ local LATEST_COSIGN_VERSION=$(curl https://api.github.com/repos/sigstore/cosign/releases/latest | grep tag_name | cut -d : -f2 | tr -d "v\", ")
+ curl -L "https://github.com/sigstore/cosign/releases/latest/download/cosign_${LATEST_COSIGN_VERSION}_${architecture}.deb" -o /tmp/cosign_${LATEST_COSIGN_VERSION}_${architecture}.deb
+
+ dpkg -i /tmp/cosign_${LATEST_COSIGN_VERSION}_${architecture}.deb
+ rm /tmp/cosign_${LATEST_COSIGN_VERSION}_${architecture}.deb
+ fi
+ if ! type cosign > /dev/null 2>&1; then
+ echo "(!) Failed to install cosign."
+ exit 1
+ fi
+ cosign version
+}
+
# Ensure apt is in non-interactive to avoid prompts
export DEBIAN_FRONTEND=noninteractive
@@ -198,17 +218,42 @@ if [ "${TFLINT_VERSION}" != "none" ]; then
TFLINT_FILENAME="tflint_linux_${architecture}.zip"
curl -sSL -o /tmp/tf-downloads/${TFLINT_FILENAME} https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/${TFLINT_FILENAME}
if [ "${TFLINT_SHA256}" != "dev-mode" ]; then
- if [ "${TFLINT_SHA256}" = "automatic" ]; then
- curl -sSL -o tflint_key "${TFLINT_GPG_KEY_URI}"
- gpg -q --import tflint_key
- curl -sSL -o tflint_checksums.txt https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt
- curl -sSL -o tflint_checksums.txt.sig https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.sig
- gpg --verify tflint_checksums.txt.sig tflint_checksums.txt
- else
+
+ if [ "${TFLINT_SHA256}" != "automatic" ]; then
echo "${TFLINT_SHA256} *${TFLINT_FILENAME}" > tflint_checksums.txt
+ sha256sum --ignore-missing -c tflint_checksums.txt
+ else
+ curl -sSL -o tflint_checksums.txt https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt
+
+ set +e
+ curl -sSL -o checksums.txt.keyless.sig https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.keyless.sig
+ set -e
+
+ # Check that checksums.txt.keyless.sig exists and is not empty
+ if [ -s checksums.txt.keyless.sig ]; then
+ # Validate checksums with cosign
+ curl -sSL -o checksums.txt.pem https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.pem
+ ensure_cosign
+ cosign verify-blob \
+ --certificate=/tmp/tf-downloads/checksums.txt.pem \
+ --signature=/tmp/tf-downloads/checksums.txt.keyless.sig \
+ --certificate-identity-regexp="^https://github.com/terraform-linters/tflint" \
+ --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+ /tmp/tf-downloads/tflint_checksums.txt
+ # Ensure that checksums.txt has $TFLINT_FILENAME
+ grep ${TFLINT_FILENAME} /tmp/tf-downloads/tflint_checksums.txt
+ # Validate downloaded file
+ sha256sum --ignore-missing -c tflint_checksums.txt
+ else
+ # Fallback to older, GPG-based verification (pre-0.47.0 of tflint)
+ curl -sSL -o tflint_checksums.txt.sig https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.sig
+ curl -sSL -o tflint_key "${TFLINT_GPG_KEY_URI}"
+ gpg -q --import tflint_key
+ gpg --verify tflint_checksums.txt.sig tflint_checksums.txt
+ fi
fi
- sha256sum --ignore-missing -c tflint_checksums.txt
fi
+
unzip /tmp/tf-downloads/${TFLINT_FILENAME}
mv -f tflint /usr/local/bin/
fi
generated by cgit v1.2.3 (git 2.39.1) at 2025-01-18 22:28:02 +0300