adding JFrog's public GPG key to OpenTofu registry #909
Comments
|
@StephenWithPH Thanks for the head up. I've added this to our sprint. |
It occurred to me that my comment makes the assumption that JFrog uses the same signing key for all five of the providers. If that's not the case, you'll need to submit the signing key for each. |
|
Thank you for the quick turnaround! 🎉 |
|
@StephenWithPH I submitted an expired public key the first time. You may see this error message |
|
Got it. No worries! |
|
@StephenWithPH All fixed! 
|
|
@StephenWithPH Turns out we were using a separate (older) signing key for Artifactory provider, whereas the other providers use the same (newer) key. Terraform registry allows for multiple signing keys but OpenTofu doesn't. Thus once I uploaded the old key to OpenTofu registry, the other 4 providers were no longer installable. I've updated this provider to be signed with the newer key as well as updating OpenTofu registry with this key, so this problem is solved. Right now we are waiting for OpenTofu registry cache to be updated before 10.3.3 is installable in OpenTofu. |
|
Thank you for your continued work on this. Glad to hear that the bumps are getting smoothed out. I'll keep an eye on that linked issue. |
|
@StephenWithPH
|
Is your feature request related to a problem? Please describe.
When trying to use
terraform-provider-artifactoryvia OpenTofu, I receive the following error:Installed jfrog/artifactory v10.3.1. Signature validation was skipped due to the registry not containing GPG keys for this providerThis arises because OpenTofu needs a member of JFrog's GitHub org to validate the public key used to sign provider releases.
Describe the solution you'd like
A member of JFrog's GitHub org needs to open a PR to
opentofu/registryusing this PR form for signing keys.Describe alternatives you've considered
N/A
Additional context
I believe submitting the GPG will cover all of JFrog's providers.
The text was updated successfully, but these errors were encountered: