From c221807f268e7513dd7fecad80fa8b94d9cafddd Mon Sep 17 00:00:00 2001
From: Daniel Flook
Date: Fri, 5 Jan 2024 13:44:43 +0000
Subject: [PATCH 1/3] Verify checksums signature
---
 image/Dockerfile | 4 ++++
 image/src/opentofu/download.py | 27 ++++++++++++++++++++++++---
 2 files changed, 28 insertions(+), 3 deletions(-)
diff --git a/image/Dockerfile b/image/Dockerfile
index 273c942e..224d2c38 100644
--- a/image/Dockerfile
+++ b/image/Dockerfile
@@ -7,6 +7,10 @@ ARG VERSION=99.0.0
 RUN gpg --recv-keys C874011F0AB405110D02105534365D9472D7468F \ && echo "C874011F0AB405110D02105534365D9472D7468F:6:" | gpg --import-ownertrust
+
+RUN curl https://get.opentofu.org/opentofu.gpg | gpg --import \ && echo "E3E6E43D84CB852EADB0051D0C0AF313E5FD9F80:6:" | gpg --import-ownertrust
+
 RUN gpg --check-trustdb
 COPY src/ /tmp/src/
diff --git a/image/src/opentofu/download.py b/image/src/opentofu/download.py
index b44f5288..d3b96cca 100644
--- a/image/src/opentofu/download.py
+++ b/image/src/opentofu/download.py
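Review bot: The new `RUN curl https://get.opentofu.org/opentofu.gpg | gpg --import` line trusts whatever key that URL serves, because `--import-ownertrust` for E3E6…9F80 only records a trust level for that fingerprint and never checks that the imported key actually has it; a substituted key would import cleanly, the build would pass, and the later `gpg --verify` in download.py exits 0 for a good signature from any key in the keyring regardless of its trust level. Unlike the `--recv-keys` line above it, which fetches by fingerprint, this fetch is keyed on a URL, so the fingerprint needs to be asserted after import and the build failed when it is absent, e.g. `&& gpg --list-keys E3E6E43D84CB852EADB0051D0C0AF313E5FD9F80` appended to the chain. Also pass `curl -fsSL` so an HTTP error page is not piped into `gpg --import` as if it were key material.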
@@ -28,12 +28,24 @@ def get_checksums(version: Version, checksum_dir: Path) -> Path:
 """
 checksums_path = Path(checksum_dir, f'tofu_{version}_SHA256SUMS')
-
- # No point verifying the signature as we'd have to get the key from the same place
- signature_path = Path(checksum_dir, f'tofu_{version}_SHA256SUMS.sig')
+ signature_path = Path(checksum_dir, f'tofu_{version}_SHA256SUMS.gpgsig')
 os.makedirs(checksum_dir, exist_ok=True)
+ if not signature_path.exists():
+ signature_url = f'https://github.com/opentofu/opentofu/releases/download/v{version}/tofu_{version}_SHA256SUMS.gpgsig'
+ debug(f'Downloading signature from {signature_url}')
+
+ try:
+ urlretrieve(
+ signature_url,
+ signature_path
+ )
+ except HTTPError as http_error:
+ if http_error.code == 404:
+ raise DownloadError(f'Could not download signature file for {version} - does this version exist?')
+ raise
+
 if not checksums_path.exists():
 checksum_url = f'https://github.com/opentofu/opentofu/releases/download/v{version}/tofu_{version}_SHA256SUMS'
 debug(f'Downloading checksums from {checksum_url}')
@@ -48,6 +60,15 @@ def get_checksums(version: Version, checksum_dir: Path) -> Path:
 raise DownloadError(f'Could not download checksums for {version} - does this version exist?')
 raise
+ try:
+ subprocess.run(
+ ['gpg', '--verify', signature_path, checksums_path],
+ check=True,
+ env={'GNUPGHOME': '/root/.gnupg'} | os.environ
+ )
+ except subprocess.CalledProcessError:
+ raise DownloadError(f'Could not verify checksums signature for {version}')
+
 return checksums_path
From f30df9739e29e72f2a1163a0822d5c636c77fe2a Mon Sep 17 00:00:00 2001
From: Daniel Flook
Date: Tue, 9 Jan 2024 12:11:24 +0000
Subject: [PATCH 2/3] Don't require verified signature for pre-releases
---
 image/src/opentofu/download.py | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)
diff --git a/image/src/opentofu/download.py b/image/src/opentofu/download.py
index d3b96cca..0fc0bec0 100644
--- a/image/src/opentofu/download.py
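Review bot: A signature transfer that dies mid-stream can leave a partial `tofu_{version}_SHA256SUMS.gpgsig` in `checksum_dir`, because `urlretrieve` writes straight into `signature_path` and the `if not signature_path.exists()` guard then treats the fragment as a cache hit on every later run, so `gpg --verify` keeps failing until the cache is cleared by hand. Download to a temporary name and move it into place only once `urlretrieve` has returned, e.g. `tmp = signature_path.with_suffix('.gpgsig.part')`, `urlretrieve(signature_url, tmp)`, `tmp.replace(signature_path)`. The pre-existing checksums download below has the same shape and would benefit from the same treatment. `get_checksums` starts before this hunk.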
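Review bot: `env={'GNUPGHOME': '/root/.gnupg'} | os.environ` lets an inherited GNUPGHOME override the pinned keyring, since the right-hand operand of `|` wins, so gpg can be pointed at a keyring the image never built; swap the operands, `env=os.environ | {'GNUPGHOME': '/root/.gnupg'}`, so the image's keyring always applies. Separately, `check=True` on `gpg --verify` only establishes that the signature was made by some key in that keyring — which, per the Dockerfile in this patch, also holds the HashiCorp release key — and gpg exits 0 even when it prints the untrusted-key warning. If the contract is "signed by the OpenTofu key", run with `--status-fd 1` and require a `VALIDSIG` line carrying the expected fingerprint, or use `gpgv` against a keyring that contains only that key. `get_checksums` starts before this hunk.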
+++ b/image/src/opentofu/download.py
@@ -43,8 +43,10 @@ def get_checksums(version: Version, checksum_dir: Path) -> Path:
 )
 except HTTPError as http_error:
 if http_error.code == 404:
- raise DownloadError(f'Could not download signature file for {version} - does this version exist?')
- raise
+ if not version.pre_release:
+ raise DownloadError(f'Could not download signature file for {version} - does this version exist?')
+ else:
+ raise
 if not checksums_path.exists():
 checksum_url = f'https://github.com/opentofu/opentofu/releases/download/v{version}/tofu_{version}_SHA256SUMS'
@@ -60,14 +62,15 @@ def get_checksums(version: Version, checksum_dir: Path) -> Path:
 raise DownloadError(f'Could not download checksums for {version} - does this version exist?')
 raise
- try:
- subprocess.run(
- ['gpg', '--verify', signature_path, checksums_path],
- check=True,
- env={'GNUPGHOME': '/root/.gnupg'} | os.environ
- )
- except subprocess.CalledProcessError:
- raise DownloadError(f'Could not verify checksums signature for {version}')
+ if signature_path.exists():
+ try:
+ subprocess.run(
+ ['gpg', '--verify', signature_path, checksums_path],
+ check=True,
+ env={'GNUPGHOME': '/root/.gnupg'} | os.environ
+ )
+ except subprocess.CalledProcessError:
+ raise DownloadError(f'Could not verify checksums signature for {version}')
 return checksums_path
From 74877201623d3864c27e1ca4f25cc631b9585bc4 Mon Sep 17 00:00:00 2001
From: Daniel Flook
Date: Fri, 12 Jan 2024 14:33:23 +0000
Subject: [PATCH 3/3] Test gpg verify
---
 .github/workflows/test-version.yaml | 38 ++++++++++++++++++++++++++---
 1 file changed, 34 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/test-version.yaml b/.github/workflows/test-version.yaml
index 55ffb29a..1c67b758 100644
--- a/.github/workflows/test-version.yaml
+++ b/.github/workflows/test-version.yaml
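Review bot: Gating the verify on `if signature_path.exists():` makes the bypass depend on a file being present rather than on the pre-release decision taken in the earlier hunk, and nothing is logged when it fires, so a pre-release whose `.gpgsig` returned 404 is installed from an unverified SHA256SUMS with no trace in the action output. Tie the two together and make the skip visible: `elif not version.pre_release: raise DownloadError(f'No signature available for {version}')` followed by `else: debug(f'Skipping signature verification for pre-release {version}')` (or a louder warning if the module has one). Whether unsigned pre-release checksums should be accepted at all is a policy call; record it in a comment above the `if`, e.g. `# Pre-releases may be published without a .gpgsig; fall back to the unverified checksums`. `get_checksums` starts before this hunk.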
@@ -641,7 +641,7 @@ jobs:
 terraform_opentofu_version:
 runs-on: ubuntu-latest
- name: OPENTOFU_VERSION pre-release with terraform action
+ name: OPENTOFU_VERSION with terraform action
 steps:
 - name: Checkout
 uses: actions/checkout@v3
@@ -650,7 +650,7 @@ jobs:
 uses: ./terraform-version
 id: terraform-version
 env:
- OPENTOFU_VERSION: "1.6.0-alpha3"
+ OPENTOFU_VERSION: "1.6.0"
 with:
 path: tests/workflows/test-version/empty
@@ -659,17 +659,47 @@ jobs:
 - name: Check the version
 run: |
- if [[ "${{ steps.terraform-version.outputs.terraform }}" != "1.6.0-alpha3" ]]; then
+ if [[ "${{ steps.terraform-version.outputs.terraform }}" != "1.6.0" ]]; then
 echo "::error:: Terraform version not set from OPENTOFU_VERSION"
 exit 1
 fi
- if [[ "${{ steps.terraform-version.outputs.tofu }}" != "1.6.0-alpha3" ]]; then
+ if [[ "${{ steps.terraform-version.outputs.tofu }}" != "1.6.0" ]]; then
 echo "::error:: Terraform version not set from OPENTOFU_VERSION"
 exit 1
 fi
 opentofu_version:
+ runs-on: ubuntu-latest
+ name: OPENTOFU_VERSION with tofu action
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Test terraform-version
+ uses: ./tofu-version
+ id: tofu-version
+ env:
+ OPENTOFU_VERSION: "1.6.0"
+ with:
+ path: tests/workflows/test-version/empty
+
+ - name: Print the version
+ run: echo "The tofu version was ${{ steps.tofu-version.outputs.tofu }}"
+
+ - name: Check the version
+ run: |
+ if [[ "${{ steps.tofu-version.outputs.terraform }}" != "1.6.0" ]]; then
+ echo "::error:: Terraform version not set from OPENTOFU_VERSION"
+ exit 1
+ fi
+
+ if [[ "${{ steps.tofu-version.outputs.tofu }}" != "1.6.0" ]]; then
+ echo "::error:: Terraform version not set from OPENTOFU_VERSION"
+ exit 1
+ fi
+
+ opentofu_version_pre_release_nosig:
 runs-on: ubuntu-latest
 name: OPENTOFU_VERSION pre-release with tofu action
 steps: