dflook · dflook · Jan 12, 2024 · Jan 5, 2024 · Jan 9, 2024 · Jan 12, 2024
diff --git a/.github/workflows/test-version.yaml b/.github/workflows/test-version.yaml
@@ -641,7 +641,7 @@ jobs:
 
   terraform_opentofu_version:
     runs-on: ubuntu-latest
-    name: OPENTOFU_VERSION pre-release with terraform action
+    name: OPENTOFU_VERSION with terraform action
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -650,7 +650,7 @@ jobs:
         uses: ./terraform-version
         id: terraform-version
         env:
-          OPENTOFU_VERSION: "1.6.0-alpha3"
+          OPENTOFU_VERSION: "1.6.0"
         with:
           path: tests/workflows/test-version/empty
 
@@ -659,17 +659,47 @@ jobs:
 
       - name: Check the version
         run: |
-          if [[ "${{ steps.terraform-version.outputs.terraform }}" != "1.6.0-alpha3" ]]; then
+          if [[ "${{ steps.terraform-version.outputs.terraform }}" != "1.6.0" ]]; then
             echo "::error:: Terraform version not set from OPENTOFU_VERSION"
             exit 1
           fi
 
-          if [[ "${{ steps.terraform-version.outputs.tofu }}" != "1.6.0-alpha3" ]]; then
+          if [[ "${{ steps.terraform-version.outputs.tofu }}" != "1.6.0" ]]; then
             echo "::error:: Terraform version not set from OPENTOFU_VERSION"
             exit 1
           fi
 
   opentofu_version:
+    runs-on: ubuntu-latest
+    name: OPENTOFU_VERSION with tofu action
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Test terraform-version
+        uses: ./tofu-version
+        id: tofu-version
+        env:
+          OPENTOFU_VERSION: "1.6.0"
+        with:
+          path: tests/workflows/test-version/empty
+
+      - name: Print the version
+        run: echo "The tofu version was ${{ steps.tofu-version.outputs.tofu }}"
+
+      - name: Check the version
+        run: |
+          if [[ "${{ steps.tofu-version.outputs.terraform }}" != "1.6.0" ]]; then
+            echo "::error:: Terraform version not set from OPENTOFU_VERSION"
+            exit 1
+          fi
+
+          if [[ "${{ steps.tofu-version.outputs.tofu }}" != "1.6.0" ]]; then
+            echo "::error:: Terraform version not set from OPENTOFU_VERSION"
+            exit 1
+          fi
+
+  opentofu_version_pre_release_nosig:
     runs-on: ubuntu-latest
     name: OPENTOFU_VERSION pre-release with tofu action
     steps:

diff --git a/image/Dockerfile b/image/Dockerfile
@@ -7,6 +7,10 @@ ARG VERSION=99.0.0
 
 RUN gpg --recv-keys C874011F0AB405110D02105534365D9472D7468F \
  && echo "C874011F0AB405110D02105534365D9472D7468F:6:" | gpg --import-ownertrust
+
+RUN curl https://get.opentofu.org/opentofu.gpg | gpg --import \
+ && echo "E3E6E43D84CB852EADB0051D0C0AF313E5FD9F80:6:" | gpg --import-ownertrust
+
 RUN gpg --check-trustdb
 
 COPY src/ /tmp/src/

diff --git a/image/src/opentofu/download.py b/image/src/opentofu/download.py
@@ -28,12 +28,26 @@ def get_checksums(version: Version, checksum_dir: Path) -> Path:
     """
 
     checksums_path = Path(checksum_dir, f'tofu_{version}_SHA256SUMS')
-
-    # No point verifying the signature as we'd have to get the key from the same place
-    signature_path = Path(checksum_dir, f'tofu_{version}_SHA256SUMS.sig')
+    signature_path = Path(checksum_dir, f'tofu_{version}_SHA256SUMS.gpgsig')
 
     os.makedirs(checksum_dir, exist_ok=True)
 
+    if not signature_path.exists():
+        signature_url = f'https://github.com/opentofu/opentofu/releases/download/v{version}/tofu_{version}_SHA256SUMS.gpgsig'
+        debug(f'Downloading signature from {signature_url}')
+
+        try:
+            urlretrieve(
+                signature_url,
+                signature_path
+            )
+        except HTTPError as http_error:
+            if http_error.code == 404:
+                if not version.pre_release:
+                    raise DownloadError(f'Could not download signature file for {version} - does this version exist?')
+            else:
+                raise
+
     if not checksums_path.exists():
         checksum_url = f'https://github.com/opentofu/opentofu/releases/download/v{version}/tofu_{version}_SHA256SUMS'
         debug(f'Downloading checksums from {checksum_url}')
@@ -48,6 +62,16 @@ def get_checksums(version: Version, checksum_dir: Path) -> Path:
                 raise DownloadError(f'Could not download checksums for {version} - does this version exist?')
             raise
 
+    if signature_path.exists():
+        try:
+            subprocess.run(
+                ['gpg', '--verify', signature_path, checksums_path],
+                check=True,
+                env={'GNUPGHOME': '/root/.gnupg'} | os.environ
+            )
+        except subprocess.CalledProcessError:
+            raise DownloadError(f'Could not verify checksums signature for {version}')
+
     return checksums_path