From 6f3169052a95107468411dc4b6af5209d76c0051 Mon Sep 17 00:00:00 2001
From: Denis Vaumoron
Date: Mon, 15 Jul 2024 22:19:45 +0200
Subject: [PATCH] fix cosign check in tofu install #206 (#208)

Signed-off-by: Denis Vaumoron
---
 versionmanager/retriever/tofu/tofuretriever.go | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/versionmanager/retriever/tofu/tofuretriever.go b/versionmanager/retriever/tofu/tofuretriever.go
index 17ee6de6..e1691bc5 100644
--- a/versionmanager/retriever/tofu/tofuretriever.go
+++ b/versionmanager/retriever/tofu/tofuretriever.go
@@ -44,9 +44,11 @@ import (
 const (
 	publicKeyURL = "https://get.opentofu.org/opentofu.asc"
-	baseIdentity = "https://github.com/opentofu/opentofu/.github/workflows/release.yml@refs/heads/v"
+	baseIdentity = "https://github.com/opentofu/opentofu/.github/workflows/release.yml@refs/heads/v"
+	issuer = "https://token.actions.githubusercontent.com"
+	unstableIdentity = "https://github.com/opentofu/opentofu/.github/workflows/release.yml@refs/heads/main"
+	baseFileName = "tofu_"
 
-	issuer = "https://token.actions.githubusercontent.com"
 	opentofu = "opentofu"
 )
@@ -170,7 +172,7 @@ func (r TofuRetriever) checkSumAndSig(version *version.Version, stable bool, dat
 		return err
 	}
 
-	identity := buildIdentity(version)
+	identity := buildIdentity(version, stable)
 	err = cosigncheck.Check(dataSums, dataSumsSig, dataSumsCert, identity, issuer, r.conf.Displayer)
 	if err == nil || err != cosigncheck.ErrNotInstalled {
 		return err
@@ -222,7 +224,11 @@ func buildAssetNames(version string, arch string, stable bool) []string {
 	return []string{nameBuilder.String(), sumsAssetName, sumsAssetName + ".pem", sumsAssetName + ".sig"}
 }
 
-func buildIdentity(v *version.Version) string {
+func buildIdentity(v *version.Version, stable bool) string {
+	if !stable {
+		return unstableIdentity
+	}
+
 	cleanedVersion := v.String()
 	indexDot := strings.LastIndexByte(cleanedVersion, '.')
 	// cleaned, so indexDot can not be -1
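Review bot: `baseIdentity` and `unstableIdentity` are the certificate identities the cosign check trusts, yet nothing in the const block says how they are used or why two exist; `baseIdentity` is visibly only a prefix (it ends in `v`) that is completed elsewhere, which is easy to break when someone edits the string. Suggest `// baseIdentity is a prefix: buildIdentity appends the release-branch suffix derived from the version.` above `baseIdentity` and `// unstableIdentity is the release workflow on the main branch, used for pre-release versions.` above `unstableIdentity`. A one-line pointer to the `issuer` constant, `// issuer is the OIDC issuer the certificate must carry (GitHub Actions).`, would round out the block.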
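Review bot: The fall-through after the cosign call compares the error by identity, `err != cosigncheck.ErrNotInstalled`, so a wrapped sentinel would be returned as a hard failure instead of taking the path that follows the hunk; `if err == nil || !errors.Is(err, cosigncheck.ErrNotInstalled) {` is the robust form (it needs the `errors` import, which is not visible here). The new `buildIdentity(version, stable)` call itself matches the updated signature in the later hunk. Since execution silently continues when cosign is absent, presumably to a different verification, a Displayer message stating that the cosign check was skipped would let operators notice the weaker path — assuming Displayer exposes such a method, which the hunk does not show. checkSumAndSig begins and ends outside this hunk.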
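Review bot: `buildIdentity` now has two distinct outcomes but no doc comment, and the `!stable` early return means every pre-release version maps to the same main-branch identity, so the version-to-branch binding that the stable path apparently derives from `v.String()` does not apply to them. Suggest the doc comment `// buildIdentity returns the cosign certificate identity expected for a release: the version-specific release branch of the OpenTofu workflow for stable versions, or the main-branch workflow for pre-releases (all pre-releases share that identity).` The rest of the body, including what is done with `indexDot`, continues outside the hunk.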