From b1267c9169163e26f1eeda5d1a89f8df4d26e4d2 Mon Sep 17 00:00:00 2001 From: Kaniska Date: Thu, 24 Jul 2025 13:44:14 +0000 Subject: [PATCH 01/14] [terraform] - Fix terraform installation in ubuntu noble. --- src/terraform/devcontainer-feature.json | 2 +- src/terraform/install.sh | 70 ++++++++++++++++--- test/terraform/install_in_ubuntu_noble.sh | 15 ++++ .../install_in_ubuntu_noble_sentinel.sh | 18 +++++ test/terraform/scenarios.json | 16 +++++ 5 files changed, 110 insertions(+), 11 deletions(-) create mode 100644 test/terraform/install_in_ubuntu_noble.sh create mode 100644 test/terraform/install_in_ubuntu_noble_sentinel.sh diff --git a/src/terraform/devcontainer-feature.json b/src/terraform/devcontainer-feature.json index db1bacc67..ceee4979e 100644 --- a/src/terraform/devcontainer-feature.json +++ b/src/terraform/devcontainer-feature.json @@ -1,6 +1,6 @@ { "id": "terraform", - "version": "1.4.0", + "version": "1.4.1", "name": "Terraform, tflint, and TFGrunt", "documentationURL": "https://github.com/devcontainers/features/tree/main/src/terraform", "description": "Installs the Terraform CLI and optionally TFLint and Terragrunt. Auto-detects latest version and installs needed dependencies.", diff --git a/src/terraform/install.sh b/src/terraform/install.sh index fb7abc6ee..94bbf9261 100755 --- a/src/terraform/install.sh +++ b/src/terraform/install.sh 
@@ -50,6 +50,25 @@ if [ "$(id -u)" -ne 0 ]; then exit 1 fi +import_hashicorp_gpg_key_noble() { + unset GNUPGHOME + curl -fsSL https://keybase.io/hashicorp/pgp_keys.asc | gpg --import + if ! gpg --list-keys "${TERRAFORM_GPG_KEY}" > /dev/null 2>&1; then + gpg --list-keys + echo "(!) HashiCorp GPG key not found in keyring after import. Aborting." + exit 1 + fi +} + +# Detect Ubuntu Noble and use new repo setup, else use legacy GPG logic +IS_NOBLE=0 +if grep -qi 'ubuntu' /etc/os-release; then + . /etc/os-release + if [[ "$VERSION_CODENAME" == "noble" ]]; then + IS_NOBLE=1 + fi +fi + # Get the list of GPG key servers that are reachable get_gpg_key_servers() { declare -A keyservers_curl_map=( @@ -366,6 +385,13 @@ install_terraform() { curl -sSL -o ${terraform_filename} "${HASHICORP_RELEASES_URL}/terraform/${TERRAFORM_VERSION}/${terraform_filename}" } +verify_terraform_sig() { + receive_gpg_keys TERRAFORM_GPG_KEY + curl -sSL -o terraform_SHA256SUMS "${HASHICORP_RELEASES_URL}/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS" + curl -sSL -o terraform_SHA256SUMS.sig "${HASHICORP_RELEASES_URL}/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS.${TERRAFORM_GPG_KEY}.sig" + gpg --verify terraform_SHA256SUMS.sig terraform_SHA256SUMS +} + mkdir -p /tmp/tf-downloads cd /tmp/tf-downloads # Install Terraform, tflint, Terragrunt 
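Review bot: `unset GNUPGHOME` in `import_hashicorp_gpg_key_noble` sends the Keybase bundle into root's persistent default keyring (typically `/root/.gnupg`, since the script has just insisted on running as root) rather than the throwaway `GNUPGHOME=/tmp/tmp-gnupg` that `receive_gpg_keys` exports, so everything in `pgp_keys.asc` is baked into the image and the primary and fallback paths verify against two different keyrings. Keep the import isolated by replacing `unset GNUPGHOME` with `export GNUPGHOME="/tmp/tmp-gnupg"; mkdir -p "${GNUPGHOME}"; chmod 700 "${GNUPGHOME}"` so the rest of the script sees one keyring. Separately, `. /etc/os-release` sources `VERSION`, `NAME`, `ID` and friends into the script's own namespace; a collision-free form is `VERSION_CODENAME=$(. /etc/os-release && printf '%s' "${VERSION_CODENAME:-}")` before the `[[ ... == "noble" ]]` test.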
@@ -378,10 +404,18 @@ if grep -q "The specified key does not exist." "${terraform_filename}"; then fi if [ "${TERRAFORM_SHA256}" != "dev-mode" ]; then if [ "${TERRAFORM_SHA256}" = "automatic" ]; then - receive_gpg_keys TERRAFORM_GPG_KEY - curl -sSL -o terraform_SHA256SUMS "${HASHICORP_RELEASES_URL}/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS" - curl -sSL -o terraform_SHA256SUMS.sig "${HASHICORP_RELEASES_URL}/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS.${TERRAFORM_GPG_KEY}.sig" - gpg --verify terraform_SHA256SUMS.sig terraform_SHA256SUMS + if [ "$IS_NOBLE" -eq 1 ]; then + import_hashicorp_gpg_key_noble + curl -sSL -o terraform_SHA256SUMS "${HASHICORP_RELEASES_URL}/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS" + curl -sSL -o terraform_SHA256SUMS.sig "${HASHICORP_RELEASES_URL}/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS.${TERRAFORM_GPG_KEY}.sig" + gpg --list-keys + if ! gpg --verify terraform_SHA256SUMS.sig terraform_SHA256SUMS; then + echo "Primary GPG verification failed, attempting fallback verification..." + verify_terraform_sig + fi + else + verify_terraform_sig + fi else echo "${TERRAFORM_SHA256} *${terraform_filename}" > terraform_SHA256SUMS fi @@ -443,6 +477,13 @@ if [ "${TFLINT_VERSION}" != "none" ]; then mv -f tflint /usr/local/bin/ fi +verify_sentinel_sig() { + receive_gpg_keys TERRAFORM_GPG_KEY + curl -sSL -o sentinel_checksums.txt ${sentinel_releases_url}/${SENTINEL_VERSION}/sentinel_${SENTINEL_VERSION}_SHA256SUMS + curl -sSL -o sentinel_checksums.txt.sig ${sentinel_releases_url}/${SENTINEL_VERSION}/sentinel_${SENTINEL_VERSION}_SHA256SUMS.${TERRAFORM_GPG_KEY}.sig + gpg --verify sentinel_checksums.txt.sig sentinel_checksums.txt +} + install_terragrunt() { TERRAGRUNT_VERSION=$1 curl -sSL -o /tmp/tf-downloads/${terragrunt_filename} https://github.com/gruntwork-io/terragrunt/releases/download/v${TERRAGRUNT_VERSION}/${terragrunt_filename} 
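Review bot: `gpg --verify` exits 0 for a good signature from any key present in the keyring, and because `import_hashicorp_gpg_key_noble` imports the whole `pgp_keys.asc` bundle into the default keyring instead of fetching `TERRAFORM_GPG_KEY` alone, nothing in this branch ties the signature on `terraform_SHA256SUMS.sig` to the expected HashiCorp key. Pin it via the machine-readable status output, e.g. `gpg --status-fd 1 --verify terraform_SHA256SUMS.sig terraform_SHA256SUMS | grep -q "^\[GNUPG:\] VALIDSIG [0-9A-F]*${TERRAFORM_GPG_KEY} "` (VALIDSIG carries the full fingerprint, so this assumes `TERRAFORM_GPG_KEY` is a key ID or fingerprint suffix; its definition is outside this hunk, confirm there). The bare `gpg --list-keys` before the verify dumps the entire keyring into the build log and should be removed.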
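Review bot: The URL arguments in `verify_sentinel_sig` are unquoted (`${sentinel_releases_url}/${SENTINEL_VERSION}/...`) while the terraform twin above quotes them; quote them for consistency and shellcheck cleanliness. Neither download passes `-f`, so an HTTP error page is saved as `sentinel_checksums.txt` and the problem only surfaces as a confusing `gpg --verify` failure; `curl -fsSL -o sentinel_checksums.txt "${sentinel_releases_url}/${SENTINEL_VERSION}/sentinel_${SENTINEL_VERSION}_SHA256SUMS"` fails early with a clear message.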
@@ -477,12 +518,21 @@ if [ "${INSTALL_SENTINEL}" = "true" ]; then curl -sSL -o /tmp/tf-downloads/${sentinel_filename} ${sentinel_releases_url}/${SENTINEL_VERSION}/${sentinel_filename} if [ "${SENTINEL_SHA256}" != "dev-mode" ]; then if [ "${SENTINEL_SHA256}" = "automatic" ]; then - receive_gpg_keys TERRAFORM_GPG_KEY - curl -sSL -o sentinel_checksums.txt ${sentinel_releases_url}/${SENTINEL_VERSION}/sentinel_${SENTINEL_VERSION}_SHA256SUMS - curl -sSL -o sentinel_checksums.txt.sig ${sentinel_releases_url}/${SENTINEL_VERSION}/sentinel_${SENTINEL_VERSION}_SHA256SUMS.${TERRAFORM_GPG_KEY}.sig - gpg --verify sentinel_checksums.txt.sig sentinel_checksums.txt - # Verify the SHASUM matches the archive - shasum -a 256 --ignore-missing -c sentinel_checksums.txt + if [ "$IS_NOBLE" -eq 1 ]; then + import_hashicorp_gpg_key_noble + curl -sSL -o sentinel_checksums.txt ${sentinel_releases_url}/${SENTINEL_VERSION}/sentinel_${SENTINEL_VERSION}_SHA256SUMS + curl -sSL -o sentinel_checksums.txt.sig ${sentinel_releases_url}/${SENTINEL_VERSION}/sentinel_${SENTINEL_VERSION}_SHA256SUMS.${TERRAFORM_GPG_KEY}.sig + if ! gpg --verify sentinel_checksums.txt.sig sentinel_checksums.txt; then + echo "Primary GPG verification failed, attempting fallback verification..." + verify_sentinel_sig + fi + # Verify the SHASUM matches the archive + shasum -a 256 --ignore-missing -c sentinel_checksums.txt + else + verify_sentinel_sig + # Verify the SHASUM matches the archive + shasum -a 256 --ignore-missing -c sentinel_checksums.txt + fi else echo "${SENTINEL_SHA256} *${SENTINEL_FILENAME}" >sentinel_checksums.txt fi diff --git a/test/terraform/install_in_ubuntu_noble.sh b/test/terraform/install_in_ubuntu_noble.sh new file mode 100644 index 000000000..240dae90e --- /dev/null +++ b/test/terraform/install_in_ubuntu_noble.sh 
@@ -0,0 +1,15 @@ +#!/bin/bash + +set -e + +# Import test library +source dev-container-features-test-lib + +# Check if terraform was installed correctly +check "terraform installed" terraform --version + +check "tflint" tflint --version + +# Report results +reportResults + diff --git a/test/terraform/install_in_ubuntu_noble_sentinel.sh b/test/terraform/install_in_ubuntu_noble_sentinel.sh new file mode 100644 index 000000000..8d53ce73d --- /dev/null +++ b/test/terraform/install_in_ubuntu_noble_sentinel.sh @@ -0,0 +1,18 @@ +#!/bin/bash + +set -e + +# Import test library for `check` command +source dev-container-features-test-lib + +# Check if terraform was installed correctly +check "terraform installed" terraform --version + +check "tflint" tflint --version + +# Sentinel specific tests +check "sentinel" sentinel --version + +# Report result +reportResults + diff --git a/test/terraform/scenarios.json b/test/terraform/scenarios.json index ea6b35b09..e42e1047a 100644 --- a/test/terraform/scenarios.json +++ b/test/terraform/scenarios.json @@ -1,4 +1,20 @@ { + "install_in_ubuntu_noble": { + "image": "mcr.microsoft.com/devcontainers/base:noble", + "features": { + "terraform": { + "version": "latest" + } + } + }, + "install_in_ubuntu_noble_sentinel": { + "image": "mcr.microsoft.com/devcontainers/base:noble", + "features": { + "terraform": { + "installSentinel": true + } + } + }, "install_sentinel": { "image": "mcr.microsoft.com/devcontainers/base:jammy", "features": { From 3d03b124e854e00224fff6b194c5e2db4e4ecb0a Mon Sep 17 00:00:00 2001 From: Kaniska Date: Thu, 24 Jul 2025 14:07:03 +0000 Subject: [PATCH 02/14] Adding warning message. --- src/terraform/install.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/terraform/install.sh b/src/terraform/install.sh index 94bbf9261..885c25db4 100755 --- a/src/terraform/install.sh +++ b/src/terraform/install.sh 
@@ -55,8 +55,7 @@ import_hashicorp_gpg_key_noble() { curl -fsSL https://keybase.io/hashicorp/pgp_keys.asc | gpg --import if ! gpg --list-keys "${TERRAFORM_GPG_KEY}" > /dev/null 2>&1; then gpg --list-keys - echo "(!) HashiCorp GPG key not found in keyring after import. Aborting." - exit 1 + echo "(!) Warning: HashiCorp GPG key not found in keyring after import." fi } From 42dcd87077e1a21023ac779f361c1853fd3f553b Mon Sep 17 00:00:00 2001 From: Kaniska Date: Thu, 24 Jul 2025 14:18:26 +0000 Subject: [PATCH 03/14] Small changes in the test scripts. --- test/terraform/install_in_ubuntu_noble.sh | 3 +++ test/terraform/install_in_ubuntu_noble_sentinel.sh | 3 +++ 2 files changed, 6 insertions(+) diff --git a/test/terraform/install_in_ubuntu_noble.sh b/test/terraform/install_in_ubuntu_noble.sh index 240dae90e..a146e0417 100644 --- a/test/terraform/install_in_ubuntu_noble.sh +++ b/test/terraform/install_in_ubuntu_noble.sh @@ -5,6 +5,9 @@ set -e # Import test library source dev-container-features-test-lib +# Check to make sure the user is vscode +check "user is vscode" whoami | grep vscode + # Check if terraform was installed correctly check "terraform installed" terraform --version diff --git a/test/terraform/install_in_ubuntu_noble_sentinel.sh b/test/terraform/install_in_ubuntu_noble_sentinel.sh index 8d53ce73d..00b832f71 100644 --- a/test/terraform/install_in_ubuntu_noble_sentinel.sh +++ b/test/terraform/install_in_ubuntu_noble_sentinel.sh @@ -5,6 +5,9 @@ set -e # Import test library for `check` command source dev-container-features-test-lib +# Check to make sure the user is vscode +check "user is vscode" whoami | grep vscode + # Check if terraform was installed correctly check "terraform installed" terraform --version From ee543e21b13412e7378b3e0d31e4e55eb58735e1 Mon Sep 17 00:00:00 2001 
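Review bot: Downgrading the missing-key case from `exit 1` to a warning makes `import_hashicorp_gpg_key_noble` report success while the keyring provably lacks `TERRAFORM_GPG_KEY`, so the caller's `gpg --verify` is guaranteed to fail and the fallback is reached under a misleading "Primary GPG verification failed" message. If the intent is to let the caller fall back, signal that explicitly with `return 1` in place of the echo-and-continue, and leave the hard abort to the caller when the fallback also fails. A warning that changes no control flow is noise in a verification path.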
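Review bot: In both new test scripts, `check "user is vscode" whoami | grep vscode` pipes whatever `check` prints into grep, not the output of `whoami`; the status `check` records is `whoami`'s, which is always 0, and if `check` echoes its label (which contains "vscode") the grep always matches too, so the assertion appears unable to fail. Write `check "user is vscode" bash -c "whoami | grep -qx vscode"` so the pipeline itself is the command under test.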
From: Kaniska Date: Fri, 25 Jul 2025 11:32:44 +0530 Subject: [PATCH 04/14] Apply suggestions from code review, removing whitespaces. Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- src/terraform/install.sh | 2 +- test/terraform/scenarios.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/terraform/install.sh b/src/terraform/install.sh index 885c25db4..662f57187 100755 --- a/src/terraform/install.sh +++ b/src/terraform/install.sh @@ -530,7 +530,7 @@ if [ "${INSTALL_SENTINEL}" = "true" ]; then else verify_sentinel_sig # Verify the SHASUM matches the archive - shasum -a 256 --ignore-missing -c sentinel_checksums.txt + shasum -a 256 --ignore-missing -c sentinel_checksums.txt fi else echo "${SENTINEL_SHA256} *${SENTINEL_FILENAME}" >sentinel_checksums.txt diff --git a/test/terraform/scenarios.json b/test/terraform/scenarios.json index e42e1047a..81945d042 100644 --- a/test/terraform/scenarios.json +++ b/test/terraform/scenarios.json @@ -14,7 +14,7 @@ "installSentinel": true } } - }, + }, "install_sentinel": { "image": "mcr.microsoft.com/devcontainers/base:jammy", "features": { From 67062cae66e8b8be8b83e685513130774c79df26 Mon Sep 17 00:00:00 2001 From: Kaniska Date: Fri, 25 Jul 2025 11:46:46 +0530 Subject: [PATCH 05/14] Apply suggestions from code review, to convert into a generic function. Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- src/terraform/install.sh | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/src/terraform/install.sh b/src/terraform/install.sh index 662f57187..9e31ff16e 100755 --- a/src/terraform/install.sh +++ b/src/terraform/install.sh 
@@ -384,11 +384,23 @@ install_terraform() { curl -sSL -o ${terraform_filename} "${HASHICORP_RELEASES_URL}/terraform/${TERRAFORM_VERSION}/${terraform_filename}" } +verify_signature() { + local gpg_key=$1 + local sha256sums_url=$2 + local sig_url=$3 + local sha256sums_file=$4 + local sig_file=$5 + + receive_gpg_keys "$gpg_key" + curl -sSL -o "$sha256sums_file" "$sha256sums_url" + curl -sSL -o "$sig_file" "$sig_url" + gpg --verify "$sig_file" "$sha256sums_file" +} + verify_terraform_sig() { - receive_gpg_keys TERRAFORM_GPG_KEY - curl -sSL -o terraform_SHA256SUMS "${HASHICORP_RELEASES_URL}/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS" - curl -sSL -o terraform_SHA256SUMS.sig "${HASHICORP_RELEASES_URL}/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS.${TERRAFORM_GPG_KEY}.sig" - gpg --verify terraform_SHA256SUMS.sig terraform_SHA256SUMS + local sha256sums_url="${HASHICORP_RELEASES_URL}/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS" + local sig_url="${HASHICORP_RELEASES_URL}/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS.${TERRAFORM_GPG_KEY}.sig" + verify_signature "$TERRAFORM_GPG_KEY" "$sha256sums_url" "$sig_url" "terraform_SHA256SUMS" "terraform_SHA256SUMS.sig" } mkdir -p /tmp/tf-downloads From b6fa4f3ca4a87485639c620d7c68a72eaccfe529 Mon Sep 17 00:00:00 2001 From: Kaniska Date: Fri, 25 Jul 2025 07:02:42 +0000 Subject: [PATCH 06/14] Adding further on review comments --- src/terraform/install.sh | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/src/terraform/install.sh b/src/terraform/install.sh index 9e31ff16e..3ec65caf3 100755 --- a/src/terraform/install.sh +++ b/src/terraform/install.sh 
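Review bot: `verify_signature` forwards `gpg_key` to `receive_gpg_keys "$gpg_key"`, yet `verify_terraform_sig` now passes the value `"$TERRAFORM_GPG_KEY"` where the replaced code passed the bare name `TERRAFORM_GPG_KEY`; whether `receive_gpg_keys` dereferences a variable name or takes a key ID is not visible in this hunk, and the two conventions are silently incompatible. Document the contract where the parameter is bound, e.g. `local gpg_key=$1  # NAME of the variable holding the key ID; receive_gpg_keys dereferences it`, and make every caller follow it. Adding `-f` to both `curl` calls would also stop an HTTP error body from being saved as the checksum or signature file.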
@@ -55,7 +55,10 @@ import_hashicorp_gpg_key_noble() { curl -fsSL https://keybase.io/hashicorp/pgp_keys.asc | gpg --import if ! gpg --list-keys "${TERRAFORM_GPG_KEY}" > /dev/null 2>&1; then gpg --list-keys - echo "(!) Warning: HashiCorp GPG key not found in keyring after import." + echo "(!) Error: HashiCorp GPG key not found in keyring after import." + echo " Please check your network connection and ensure that the keyserver is reachable." + echo " Alternatively, you can Ubuntu jammy(22.04) or debian bookworm(12) as the base image." + exit 1 fi } @@ -400,7 +403,7 @@ verify_signature() { verify_terraform_sig() { local sha256sums_url="${HASHICORP_RELEASES_URL}/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS" local sig_url="${HASHICORP_RELEASES_URL}/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS.${TERRAFORM_GPG_KEY}.sig" - verify_signature "$TERRAFORM_GPG_KEY" "$sha256sums_url" "$sig_url" "terraform_SHA256SUMS" "terraform_SHA256SUMS.sig" + verify_signature TERRAFORM_GPG_KEY "$sha256sums_url" "$sig_url" "terraform_SHA256SUMS" "terraform_SHA256SUMS.sig" } mkdir -p /tmp/tf-downloads @@ -489,10 +492,9 @@ if [ "${TFLINT_VERSION}" != "none" ]; then fi verify_sentinel_sig() { - receive_gpg_keys TERRAFORM_GPG_KEY - curl -sSL -o sentinel_checksums.txt ${sentinel_releases_url}/${SENTINEL_VERSION}/sentinel_${SENTINEL_VERSION}_SHA256SUMS - curl -sSL -o sentinel_checksums.txt.sig ${sentinel_releases_url}/${SENTINEL_VERSION}/sentinel_${SENTINEL_VERSION}_SHA256SUMS.${TERRAFORM_GPG_KEY}.sig - gpg --verify sentinel_checksums.txt.sig sentinel_checksums.txt + local sha256sums_url="${sentinel_releases_url}/${SENTINEL_VERSION}/sentinel_${SENTINEL_VERSION}_SHA256SUMS" + local sig_url="${sentinel_releases_url}/${SENTINEL_VERSION}/sentinel_${SENTINEL_VERSION}_SHA256SUMS.${TERRAFORM_GPG_KEY}.sig" + verify_signature TERRAFORM_GPG_KEY "$sha256sums_url" "$sig_url" "sentinel_checksums.txt" "sentinel_checksums.txt.sig" } install_terragrunt() { 
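Review bot: The restored abort is right, but the new message tells the user to check that "the keyserver is reachable" when this function never contacts a keyserver; it fetched `https://keybase.io/hashicorp/pgp_keys.asc` over HTTPS and then found `TERRAFORM_GPG_KEY` absent from the result. Under `set -e` without `pipefail` an unreachable keybase.io would most likely abort on `gpg --import` before this check runs, so this branch mainly covers a bundle that downloaded fine but no longer contains the expected key. Say that instead, e.g. `echo "    The key bundle at https://keybase.io/hashicorp/pgp_keys.asc did not contain key ${TERRAFORM_GPG_KEY}; verify the URL and the expected key ID."`.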
From 476ff73f106d1cafa9163b2f48cc266fc0b06a94 Mon Sep 17 00:00:00 2001 From: Kaniska Date: Fri, 25 Jul 2025 12:43:19 +0530 Subject: [PATCH 07/14] Update src/terraform/install.sh, updating comment. Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- src/terraform/install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/terraform/install.sh b/src/terraform/install.sh index 3ec65caf3..a5d94e913 100755 --- a/src/terraform/install.sh +++ b/src/terraform/install.sh @@ -57,7 +57,7 @@ import_hashicorp_gpg_key_noble() { gpg --list-keys echo "(!) Error: HashiCorp GPG key not found in keyring after import." echo " Please check your network connection and ensure that the keyserver is reachable." - echo " Alternatively, you can Ubuntu jammy(22.04) or debian bookworm(12) as the base image." + echo " Alternatively, you can use Ubuntu jammy(22.04) or debian bookworm(12) as the base image." exit 1 fi } From 908208a7b953aa196cb0ef5fa11b3c1cbd9f2604 Mon Sep 17 00:00:00 2001 From: Kaniska Date: Fri, 25 Jul 2025 12:43:45 +0530 Subject: [PATCH 08/14] Update src/terraform/install.sh, removing whitespaces Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- src/terraform/install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/terraform/install.sh b/src/terraform/install.sh index a5d94e913..2bc5a15cf 100755 --- a/src/terraform/install.sh +++ b/src/terraform/install.sh @@ -545,7 +545,7 @@ if [ "${INSTALL_SENTINEL}" = "true" ]; then verify_sentinel_sig # Verify the SHASUM matches the archive shasum -a 256 --ignore-missing -c sentinel_checksums.txt - fi + fi else echo "${SENTINEL_SHA256} *${SENTINEL_FILENAME}" >sentinel_checksums.txt fi From d63356a1a88be1da226fd5d0f05ead25773e1b88 Mon Sep 17 00:00:00 2001 
From: Kaniska Date: Fri, 25 Jul 2025 16:20:45 +0000 Subject: [PATCH 09/14] Further change to put function for common code as per review comment. --- src/terraform/install.sh | 59 +++++++++++++++++++++++++++------------- 1 file changed, 40 insertions(+), 19 deletions(-) diff --git a/src/terraform/install.sh b/src/terraform/install.sh index 2bc5a15cf..39a4b47e3 100755 --- a/src/terraform/install.sh +++ b/src/terraform/install.sh @@ -406,6 +406,30 @@ verify_terraform_sig() { verify_signature TERRAFORM_GPG_KEY "$sha256sums_url" "$sig_url" "terraform_SHA256SUMS" "terraform_SHA256SUMS.sig" } +verify_with_fallback() { + # $1: import_gpg_key_fn + # $2: sha256sums_url + # $3: sig_url + # $4: fallback_verify_fn + # $5: sha256sums_file + # $6: sig_file + local import_gpg_key_fn="$1" + local sha256sums_url="$2" + local sig_url="$3" + local fallback_verify_fn="$4" + local sha256sums_file="$5" + local sig_file="$6" + + $import_gpg_key_fn + curl -sSL -o "$sha256sums_file" "$sha256sums_url" + curl -sSL -o "$sig_file" "$sig_url" + if ! gpg --verify "$sig_file" "$sha256sums_file"; then + echo "Primary GPG verification failed, attempting fallback verification..." + $fallback_verify_fn + fi +} + + mkdir -p /tmp/tf-downloads cd /tmp/tf-downloads # Install Terraform, tflint, Terragrunt 
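Review bot: `verify_with_fallback` hides that its two paths verify against different keyrings: the import function it is handed (`import_hashicorp_gpg_key_noble`) unsets `GNUPGHOME`, while the fallback goes through `receive_gpg_keys`, which exports `GNUPGHOME=/tmp/tmp-gnupg`, so a successful fallback leaves the temp keyring active for the rest of the script and the next primary attempt unsets it again. A header comment should state this, and ideally the import function should populate the same temp keyring. Stylistically, invoke the callbacks as `"$import_gpg_key_fn"` and `"$fallback_verify_fn"` (quoted) and note in the comment that, under `set -e`, a fallback that also fails aborts the script; the six positional parameters are easy to misorder, so the parameter list comment you added is worth keeping. The double blank line after the function can go.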
@@ -419,14 +443,13 @@ fi if [ "${TERRAFORM_SHA256}" != "dev-mode" ]; then if [ "${TERRAFORM_SHA256}" = "automatic" ]; then if [ "$IS_NOBLE" -eq 1 ]; then - import_hashicorp_gpg_key_noble - curl -sSL -o terraform_SHA256SUMS "${HASHICORP_RELEASES_URL}/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS" - curl -sSL -o terraform_SHA256SUMS.sig "${HASHICORP_RELEASES_URL}/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS.${TERRAFORM_GPG_KEY}.sig" - gpg --list-keys - if ! gpg --verify terraform_SHA256SUMS.sig terraform_SHA256SUMS; then - echo "Primary GPG verification failed, attempting fallback verification..." - verify_terraform_sig - fi + verify_with_fallback \ + import_hashicorp_gpg_key_noble \ + "${HASHICORP_RELEASES_URL}/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS" \ + "${HASHICORP_RELEASES_URL}/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS.${TERRAFORM_GPG_KEY}.sig" \ + verify_terraform_sig \ + terraform_SHA256SUMS \ + terraform_SHA256SUMS.sig else verify_terraform_sig fi 
@@ -532,20 +555,18 @@ if [ "${INSTALL_SENTINEL}" = "true" ]; then if [ "${SENTINEL_SHA256}" != "dev-mode" ]; then if [ "${SENTINEL_SHA256}" = "automatic" ]; then if [ "$IS_NOBLE" -eq 1 ]; then - import_hashicorp_gpg_key_noble - curl -sSL -o sentinel_checksums.txt ${sentinel_releases_url}/${SENTINEL_VERSION}/sentinel_${SENTINEL_VERSION}_SHA256SUMS - curl -sSL -o sentinel_checksums.txt.sig ${sentinel_releases_url}/${SENTINEL_VERSION}/sentinel_${SENTINEL_VERSION}_SHA256SUMS.${TERRAFORM_GPG_KEY}.sig - if ! gpg --verify sentinel_checksums.txt.sig sentinel_checksums.txt; then - echo "Primary GPG verification failed, attempting fallback verification..." - verify_sentinel_sig - fi - # Verify the SHASUM matches the archive - shasum -a 256 --ignore-missing -c sentinel_checksums.txt + verify_with_fallback \ + import_hashicorp_gpg_key_noble \ + "${sentinel_releases_url}/${SENTINEL_VERSION}/sentinel_${SENTINEL_VERSION}_SHA256SUMS" \ + "${sentinel_releases_url}/${SENTINEL_VERSION}/sentinel_${SENTINEL_VERSION}_SHA256SUMS.${TERRAFORM_GPG_KEY}.sig" \ + verify_sentinel_sig \ + sentinel_checksums.txt \ + sentinel_checksums.txt.sig else verify_sentinel_sig - # Verify the SHASUM matches the archive - shasum -a 256 --ignore-missing -c sentinel_checksums.txt fi + # Verify the SHASUM matches the archive + shasum -a 256 --ignore-missing -c sentinel_checksums.txt else echo "${SENTINEL_SHA256} *${SENTINEL_FILENAME}" >sentinel_checksums.txt fi From 0cba8f4abc9c836906c8b64620ff6e5c4d9174ef Mon Sep 17 00:00:00 2001 From: Kaniska Date: Thu, 31 Jul 2025 14:42:20 +0000 Subject: [PATCH 10/14] Corrections done based on review comments. --- src/terraform/install.sh | 125 +++++++++++++++++++-------------------- 1 file changed, 60 insertions(+), 65 deletions(-) diff --git a/src/terraform/install.sh b/src/terraform/install.sh index 39a4b47e3..919ec9826 100755 --- a/src/terraform/install.sh +++ b/src/terraform/install.sh 
@@ -50,18 +50,6 @@ if [ "$(id -u)" -ne 0 ]; then exit 1 fi -import_hashicorp_gpg_key_noble() { - unset GNUPGHOME - curl -fsSL https://keybase.io/hashicorp/pgp_keys.asc | gpg --import - if ! gpg --list-keys "${TERRAFORM_GPG_KEY}" > /dev/null 2>&1; then - gpg --list-keys - echo "(!) Error: HashiCorp GPG key not found in keyring after import." - echo " Please check your network connection and ensure that the keyserver is reachable." - echo " Alternatively, you can use Ubuntu jammy(22.04) or debian bookworm(12) as the base image." - exit 1 - fi -} - # Detect Ubuntu Noble and use new repo setup, else use legacy GPG logic IS_NOBLE=0 if grep -qi 'ubuntu' /etc/os-release; then @@ -110,7 +98,7 @@ receive_gpg_keys() { keyring_args="--no-default-keyring --keyring $2" fi if [ ! -z "${KEYSERVER_PROXY}" ]; then - keyring_args="${keyring_args} --keyserver-options http-proxy=${KEYSERVER_PROXY}" + keyring_args="${keyring_args} --keyserver-options http-proxy=${KEYSERVER_PROXY}" fi # Install curl @@ -122,6 +110,21 @@ receive_gpg_keys() { export GNUPGHOME="/tmp/tmp-gnupg" mkdir -p ${GNUPGHOME} chmod 700 ${GNUPGHOME} + + # Special handling for HashiCorp GPG key on Ubuntu Noble + if [ "$IS_NOBLE" -eq 1 ] && [ "$keys" = "$TERRAFORM_GPG_KEY" ]; then + echo "(*) Ubuntu Noble detected, using Keybase for HashiCorp GPG key import..." + curl -fsSL https://keybase.io/hashicorp/pgp_keys.asc | gpg --import + if ! gpg --list-keys "${TERRAFORM_GPG_KEY}" > /dev/null 2>&1; then + gpg --list-keys + echo "(*) Warning: HashiCorp GPG key not found in keyring after import." + echo " Continuing installation without GPG verification on Ubuntu Noble." + echo " This is expected behavior for Ubuntu Noble due to keyserver issues." + return 1 # Return failure to indicate GPG verification should be skipped + fi + return 0 + fi + echo -e "disable-ipv6\n$(get_gpg_key_servers)" > ${GNUPGHOME}/dirmngr.conf # GPG key download sometimes fails for some reason and retrying fixes it. local retry_count=0 
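Review bot: The Noble branch added to `receive_gpg_keys` runs `gpg --import` and `gpg --list-keys` without the `${keyring_args}` computed a few lines earlier, so a caller that passes a dedicated keyring as `$2` gets the key imported into the default keyring of `GNUPGHOME` and a false negative on the presence check; use `gpg ${keyring_args} --import` and `gpg ${keyring_args} --list-keys "${TERRAFORM_GPG_KEY}"`. More seriously, the `return 1` is documented as "GPG verification should be skipped": a key-retrieval failure becomes an unauthenticated install on one distro, which is exactly the fail-open a signature check exists to prevent. Fail closed here, and if an escape hatch is wanted reuse the explicit `dev-mode` option the script already honours rather than an implicit skip keyed on the OS. `receive_gpg_keys` begins before this hunk.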
@@ -397,39 +400,21 @@ verify_signature() { receive_gpg_keys "$gpg_key" curl -sSL -o "$sha256sums_file" "$sha256sums_url" curl -sSL -o "$sig_file" "$sig_url" - gpg --verify "$sig_file" "$sha256sums_file" -} - -verify_terraform_sig() { - local sha256sums_url="${HASHICORP_RELEASES_URL}/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS" - local sig_url="${HASHICORP_RELEASES_URL}/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS.${TERRAFORM_GPG_KEY}.sig" - verify_signature TERRAFORM_GPG_KEY "$sha256sums_url" "$sig_url" "terraform_SHA256SUMS" "terraform_SHA256SUMS.sig" -} -verify_with_fallback() { - # $1: import_gpg_key_fn - # $2: sha256sums_url - # $3: sig_url - # $4: fallback_verify_fn - # $5: sha256sums_file - # $6: sig_file - local import_gpg_key_fn="$1" - local sha256sums_url="$2" - local sig_url="$3" - local fallback_verify_fn="$4" - local sha256sums_file="$5" - local sig_file="$6" - - $import_gpg_key_fn - curl -sSL -o "$sha256sums_file" "$sha256sums_url" - curl -sSL -o "$sig_file" "$sig_url" - if ! gpg --verify "$sig_file" "$sha256sums_file"; then - echo "Primary GPG verification failed, attempting fallback verification..." - $fallback_verify_fn - fi + # Try GPG verification, but don't fail on Noble + gpg --verify "$sig_file" "$sha256sums_file" + local verify_result=$? + + if [ $verify_result -ne 0 ] && [ "$IS_NOBLE" -eq 1 ]; then + echo "(*) Warning: GPG verification failed on Ubuntu Noble. Continuing installation anyway." + echo " This is expected behavior due to known keyserver issues on Ubuntu Noble." + return 1 + elif [ $verify_result -ne 0 ]; then + echo "(!) GPG verification failed." + exit 1 + fi } - mkdir -p /tmp/tf-downloads cd /tmp/tf-downloads # Install Terraform, tflint, Terragrunt 
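Review bot: Turning a failed `gpg --verify` into a warning plus `return 1` on Noble treats a signature mismatch as a "keyserver issue", but at this point the downloads have completed and verification failed either because the key was never imported (already reported by `receive_gpg_keys`) or because the checksum file does not match what HashiCorp signed; in neither case is continuing safe. Keep the check uniform across distros: drop the `IS_NOBLE` arm and leave only `if [ $verify_result -ne 0 ]; then echo "(!) GPG verification failed."; exit 1; fi`. The two `curl -sSL` calls above still lack `-f`, so an HTTP error page saved as the SHA256SUMS file would surface only as this verification failure.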
@@ -442,16 +427,24 @@ if grep -q "The specified key does not exist." "${terraform_filename}"; then fi if [ "${TERRAFORM_SHA256}" != "dev-mode" ]; then if [ "${TERRAFORM_SHA256}" = "automatic" ]; then + # For Ubuntu Noble, try GPG verification but continue if it fails if [ "$IS_NOBLE" -eq 1 ]; then - verify_with_fallback \ - import_hashicorp_gpg_key_noble \ - "${HASHICORP_RELEASES_URL}/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS" \ - "${HASHICORP_RELEASES_URL}/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS.${TERRAFORM_GPG_KEY}.sig" \ - verify_terraform_sig \ - terraform_SHA256SUMS \ - terraform_SHA256SUMS.sig + echo "(*) Ubuntu Noble detected - attempting GPG verification with fallback..." + set +e + sha256sums_url="${HASHICORP_RELEASES_URL}/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS" + sig_url="${HASHICORP_RELEASES_URL}/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS.${TERRAFORM_GPG_KEY}.sig" + verify_signature TERRAFORM_GPG_KEY "$sha256sums_url" "$sig_url" "terraform_SHA256SUMS" "terraform_SHA256SUMS.sig" + verify_result=$? + set -e + if [ $verify_result -ne 0 ]; then + echo "(*) GPG verification failed on Ubuntu Noble, but continuing installation." + echo " Downloading checksums for basic integrity check..." + curl -sSL -o terraform_SHA256SUMS "${HASHICORP_RELEASES_URL}/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS" + fi else - verify_terraform_sig + sha256sums_url="${HASHICORP_RELEASES_URL}/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS" + sig_url="${HASHICORP_RELEASES_URL}/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS.${TERRAFORM_GPG_KEY}.sig" + verify_signature TERRAFORM_GPG_KEY "$sha256sums_url" "$sig_url" "terraform_SHA256SUMS" "terraform_SHA256SUMS.sig" fi else echo "${TERRAFORM_SHA256} *${terraform_filename}" > terraform_SHA256SUMS 
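Review bot: When `verify_signature` fails on Noble the code re-downloads `terraform_SHA256SUMS` without its signature and calls it a "basic integrity check"; that file comes from the same origin as the archive, so the `shasum -c` that follows (outside this hunk) only proves the two downloads agree with each other, not that either is what HashiCorp published — anyone able to serve `HASHICORP_RELEASES_URL` can serve a matching pair. The script already offers an explicit, user-chosen way to skip signature checks (`TERRAFORM_SHA256=dev-mode`); an implicit skip keyed on the base image takes that choice away and should be replaced by failing closed. If the Noble branch stays, hoist `sha256sums_url` and `sig_url` above the `if`, since both branches define them identically. The enclosing `if` block ends outside this hunk.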
@@ -514,12 +507,6 @@ if [ "${TFLINT_VERSION}" != "none" ]; then mv -f tflint /usr/local/bin/ fi -verify_sentinel_sig() { - local sha256sums_url="${sentinel_releases_url}/${SENTINEL_VERSION}/sentinel_${SENTINEL_VERSION}_SHA256SUMS" - local sig_url="${sentinel_releases_url}/${SENTINEL_VERSION}/sentinel_${SENTINEL_VERSION}_SHA256SUMS.${TERRAFORM_GPG_KEY}.sig" - verify_signature TERRAFORM_GPG_KEY "$sha256sums_url" "$sig_url" "sentinel_checksums.txt" "sentinel_checksums.txt.sig" -} - install_terragrunt() { TERRAGRUNT_VERSION=$1 curl -sSL -o /tmp/tf-downloads/${terragrunt_filename} https://github.com/gruntwork-io/terragrunt/releases/download/v${TERRAGRUNT_VERSION}/${terragrunt_filename} 
@@ -554,16 +541,24 @@ if [ "${INSTALL_SENTINEL}" = "true" ]; then curl -sSL -o /tmp/tf-downloads/${sentinel_filename} ${sentinel_releases_url}/${SENTINEL_VERSION}/${sentinel_filename} if [ "${SENTINEL_SHA256}" != "dev-mode" ]; then if [ "${SENTINEL_SHA256}" = "automatic" ]; then + # For Ubuntu Noble, try GPG verification but continue if it fails if [ "$IS_NOBLE" -eq 1 ]; then - verify_with_fallback \ - import_hashicorp_gpg_key_noble \ - "${sentinel_releases_url}/${SENTINEL_VERSION}/sentinel_${SENTINEL_VERSION}_SHA256SUMS" \ - "${sentinel_releases_url}/${SENTINEL_VERSION}/sentinel_${SENTINEL_VERSION}_SHA256SUMS.${TERRAFORM_GPG_KEY}.sig" \ - verify_sentinel_sig \ - sentinel_checksums.txt \ - sentinel_checksums.txt.sig + echo "(*) Ubuntu Noble detected - attempting Sentinel GPG verification with fallback..." + set +e + sha256sums_url="${sentinel_releases_url}/${SENTINEL_VERSION}/sentinel_${SENTINEL_VERSION}_SHA256SUMS" + sig_url="${sentinel_releases_url}/${SENTINEL_VERSION}/sentinel_${SENTINEL_VERSION}_SHA256SUMS.${TERRAFORM_GPG_KEY}.sig" + verify_signature TERRAFORM_GPG_KEY "$sha256sums_url" "$sig_url" "sentinel_checksums.txt" "sentinel_checksums.txt.sig" + verify_result=$? + set -e + if [ $verify_result -ne 0 ]; then + echo "(*) GPG verification failed on Ubuntu Noble, but continuing installation." + echo " Downloading checksums for basic integrity check..." + curl -sSL -o sentinel_checksums.txt "${sentinel_releases_url}/${SENTINEL_VERSION}/sentinel_${SENTINEL_VERSION}_SHA256SUMS" + fi else - verify_sentinel_sig + sha256sums_url="${sentinel_releases_url}/${SENTINEL_VERSION}/sentinel_${SENTINEL_VERSION}_SHA256SUMS" + sig_url="${sentinel_releases_url}/${SENTINEL_VERSION}/sentinel_${SENTINEL_VERSION}_SHA256SUMS.${TERRAFORM_GPG_KEY}.sig" + verify_signature TERRAFORM_GPG_KEY "$sha256sums_url" "$sig_url" "sentinel_checksums.txt" "sentinel_checksums.txt.sig" fi # Verify the SHASUM matches the archive shasum -a 256 --ignore-missing -c sentinel_checksums.txt 
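Review bot: Same fail-open as the terraform block: after a failed `verify_signature` an unsigned `sentinel_checksums.txt` is fetched and `shasum -a 256 --ignore-missing -c sentinel_checksums.txt` then runs against it, so a passing shasum here no longer implies the archive is authentic. Prefer failing closed, or honour the existing explicit `SENTINEL_SHA256=dev-mode` path instead of an OS-keyed skip. Both branches also compute identical `sha256sums_url`/`sig_url`; define them once above the `if`.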
From f425e6baa789668847ae15dbf744965a21af605e Mon Sep 17 00:00:00 2001 From: Kaniska Date: Fri, 1 Aug 2025 07:05:57 +0000 Subject: [PATCH 11/14] Further corrections. --- src/terraform/install.sh | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/src/terraform/install.sh b/src/terraform/install.sh index 919ec9826..549afcf92 100755 --- a/src/terraform/install.sh +++ b/src/terraform/install.sh @@ -396,15 +396,20 @@ verify_signature() { local sig_url=$3 local sha256sums_file=$4 local sig_file=$5 + local verify_result=0 receive_gpg_keys "$gpg_key" + verify_result=$? + if [ $verify_result -ne 0 ] && [ "$IS_NOBLE" -eq 1 ]; then + echo "Skipping the gpg key validation for ubuntu noble as unable to import the key." + return 1 + fi curl -sSL -o "$sha256sums_file" "$sha256sums_url" curl -sSL -o "$sig_file" "$sig_url" # Try GPG verification, but don't fail on Noble gpg --verify "$sig_file" "$sha256sums_file" - local verify_result=$? - + verify_result=$? if [ $verify_result -ne 0 ] && [ "$IS_NOBLE" -eq 1 ]; then echo "(*) Warning: GPG verification failed on Ubuntu Noble. Continuing installation anyway." echo " This is expected behavior due to known keyserver issues on Ubuntu Noble." From a19465994a0115d096a08a0189c701cdf1315311 Mon Sep 17 00:00:00 2001 From: Kaniska Date: Tue, 5 Aug 2025 13:36:04 +0530 Subject: [PATCH 12/14] Update src/terraform/install.sh MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Álvaro Rausell Guiard <33221237+AlvaroRausell@users.noreply.github.com> --- src/terraform/install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/terraform/install.sh b/src/terraform/install.sh index 549afcf92..f256629d3 100755 --- a/src/terraform/install.sh +++ b/src/terraform/install.sh 
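Review bot: `receive_gpg_keys "$gpg_key"` followed by `verify_result=$?` only reaches the `if` when the caller has disabled `errexit`; under `set -e` a non-zero return from `receive_gpg_keys` aborts the script before `verify_result` is assigned, so this function's behaviour depends on whether the caller wrapped it in `set +e` as the Noble call sites do. Make the check errexit-safe with `if ! receive_gpg_keys "$gpg_key"; then` … `fi`, and do the same for the `gpg --verify` below. The "Skipping the gpg key validation" branch still returns 1, which the Noble call sites treat as permission to continue with an unsigned checksum file — that remains a fail-open on a supply-chain check.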
@@ -98,7 +98,7 @@ receive_gpg_keys() { keyring_args="--no-default-keyring --keyring $2" fi if [ ! -z "${KEYSERVER_PROXY}" ]; then - keyring_args="${keyring_args} --keyserver-options http-proxy=${KEYSERVER_PROXY}" + keyring_args="${keyring_args} --keyserver-options http-proxy=${KEYSERVER_PROXY}" fi # Install curl From d0422937f1aea1c304f64fbe67c44713c7a3f464 Mon Sep 17 00:00:00 2001 From: Kaniska Date: Tue, 5 Aug 2025 15:33:36 +0000 Subject: [PATCH 13/14] Correction in error handling based on review comment. --- src/terraform/install.sh | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/src/terraform/install.sh b/src/terraform/install.sh index f256629d3..873265213 100755 --- a/src/terraform/install.sh +++ b/src/terraform/install.sh @@ -410,14 +410,10 @@ verify_signature() { # Try GPG verification, but don't fail on Noble gpg --verify "$sig_file" "$sha256sums_file" verify_result=$? - if [ $verify_result -ne 0 ] && [ "$IS_NOBLE" -eq 1 ]; then - echo "(*) Warning: GPG verification failed on Ubuntu Noble. Continuing installation anyway." - echo " This is expected behavior due to known keyserver issues on Ubuntu Noble." - return 1 - elif [ $verify_result -ne 0 ]; then + if [ $verify_result -ne 0 ]; then echo "(!) GPG verification failed." exit 1 - fi + fi } mkdir -p /tmp/tf-downloads From d1901e803fa78823f3a2d84e7a574e6169a9a775 Mon Sep 17 00:00:00 2001 From: Kaniska Date: Tue, 5 Aug 2025 16:14:00 +0000 Subject: [PATCH 14/14] To check if able start tests --- src/terraform/install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/terraform/install.sh b/src/terraform/install.sh index 873265213..b1d64c27b 100755 --- a/src/terraform/install.sh +++ b/src/terraform/install.sh 
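Review bot: Restoring `exit 1` on a failed `gpg --verify` closes the larger hole, but unless changed elsewhere `verify_signature` still has the earlier branch (outside this hunk, added in the previous patch) that returns 1 when the Noble key import fails, and the Noble call sites then fetch an unsigned SHA256SUMS and continue; the comment `# Try GPG verification, but don't fail on Noble` now also describes behaviour the code no longer has. Change it to `# A signature that does not verify is fatal on every distro` and make the key-import failure fatal as well, so that an unverified install happens only through the explicit dev-mode option.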
@@ -113,7 +113,7 @@ receive_gpg_keys() { # Special handling for HashiCorp GPG key on Ubuntu Noble if [ "$IS_NOBLE" -eq 1 ] && [ "$keys" = "$TERRAFORM_GPG_KEY" ]; then - echo "(*) Ubuntu Noble detected, using Keybase for HashiCorp GPG key import..." + echo "(*) Ubuntu Noble detected, using Keybase for HashiCorp GPG key import...." curl -fsSL https://keybase.io/hashicorp/pgp_keys.asc | gpg --import if ! gpg --list-keys "${TERRAFORM_GPG_KEY}" > /dev/null 2>&1; then gpg --list-keys