Introduction
This article provides troubleshooting steps for the error Error: Failed to install provider... authentication signature from unknown issuer when initializing Terraform with a private provider from a Terraform Enterprise (TFE) Private Registry.
Problem
When running terraform init with a configuration that uses a private provider from a TFE Private Registry, the operation fails with the following error message.
│ Error: Failed to install provider
│
│ Error while installing terraform.tfe.example.com/example-org/oci
│ v5.29.0: authentication signature from unknown issuer
Prerequisites
- A private provider has been published to the TFE Private Registry.
Cause
The error occurs because the provider's signature file (SHA256SUMS.sig) was signed with a GPG key that does not match the GPG key uploaded to the TFE Private Registry for that provider's namespace. This mismatch can happen when multiple GPG keys exist on the machine used for signing and a key other than the registered one was used.
To identify the GPG keys available on your local machine, use the gpg -k command.
$ gpg -k
The output lists all available GPG keys.
[keyboxd]
---------
pub   rsa3072 2024-02-20 [SC]
      558E414E5FF6F144027905D4EB71BE6B68B95EDB
uid           [ultimate] user-one (key-one) <user-one@example.com>
sub   rsa3072 2024-02-20 [E]

pub   rsa3072 2024-02-23 [SC]
      83D111902A5D5051C8AC37C11472E022D7760B02
uid           [ultimate] user-two (key-two) <user-two@example.com>
sub   rsa3072 2024-02-23 [E]

To verify which GPG key is registered in your TFE instance, query the TFE API as described in the List GPG keys API documentation.
$ curl \
  --header "Authorization: Bearer $TOKEN" \
  --header "Content-Type: application/vnd.api+json" \
  --request GET \
  "https://tfe.example.com/api/registry/private/v2/gpg-keys?filter%5Bnamespace%5D=example-org" | jq '.'
In the JSON response, inspect the key-id attribute. In this example, the key-id is 1472E022D7760B02.
{
  "data": [
    {
      "type": "gpg-keys",
      "id": "4",
      "attributes": {
        "ascii-armor": "-----BEGIN PGP PUBLIC KEY BLOCK-----\n##...",
        "created-at": "2024-02-23T09:59:36Z",
        "key-id": "1472E022D7760B02",
        "namespace": "example-org",
        "source": "",
        "source-url": null,
        "trust-signature": "",
        "updated-at": "2024-02-23T09:59:36Z"
      },
      "links": {
        "self": "/v2/gpg-keys/4"
      }
    }
  ],
  "links": {
    ##...
  },
  "meta": {
    ##...
  }
}

The key-id from the API response (1472E022D7760B02) corresponds to the last 16 hexadecimal characters of the second GPG key's fingerprint (...1472E022D7760B02), that is, the key's long key ID. This confirms which key TFE expects for signature verification.

pub   rsa3072 2024-02-23 [SC]
      83D111902A5D5051C8AC37C11472E022D7760B02
uid           [ultimate] user-two (key-two) <user-two@example.com>
sub   rsa3072 2024-02-23 [E]
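The fingerprint-suffix comparison above can be automated. The following Python script is an added example, not part of this article or of HashiCorp's tooling: it parses the human-readable gpg -k listing and the List GPG keys response body (both constructed here from the article's sample values) and reports which local key carries the long key ID TFE holds for the namespace.

```python
import json
import re

# Constructed sample of `gpg -k` output, using the two keys shown in the article.
SAMPLE_GPG_OUTPUT = """\
pub   rsa3072 2024-02-20 [SC]
      558E414E5FF6F144027905D4EB71BE6B68B95EDB
uid           [ultimate] user-one (key-one) <user-one@example.com>
sub   rsa3072 2024-02-20 [E]

pub   rsa3072 2024-02-23 [SC]
      83D111902A5D5051C8AC37C11472E022D7760B02
uid           [ultimate] user-two (key-two) <user-two@example.com>
sub   rsa3072 2024-02-23 [E]
"""

# Constructed, trimmed sample of the TFE "List GPG keys" response body.
SAMPLE_TFE_RESPONSE = json.dumps({"data": [{"type": "gpg-keys", "id": "4",
    "attributes": {"key-id": "1472E022D7760B02", "namespace": "example-org"}}]})

def parse_gpg_keys(output: str) -> dict[str, str]:
    """Map each primary-key fingerprint in `gpg -k` output to its first uid."""
    keys: dict[str, str] = {}
    fingerprint = None
    for line in output.splitlines():
        if line.startswith("pub"):
            fingerprint = None  # the next 40-hex-digit line is this key's fingerprint
        elif fingerprint is None and re.fullmatch(r"\s*[0-9A-F]{40}\s*", line):
            fingerprint = line.strip()
        elif line.startswith("uid") and fingerprint and fingerprint not in keys:
            keys[fingerprint] = line.split(None, 1)[1].strip()
    return keys


def registry_key_ids(response_body: str, namespace: str) -> list[str]:
    """Return the key-id values TFE holds for the given registry namespace."""
    doc = json.loads(response_body)
    return [k["attributes"]["key-id"] for k in doc.get("data", [])
            if k.get("attributes", {}).get("namespace") == namespace]


def find_signing_key(gpg_output: str, response_body: str, namespace: str):
    """Return (fingerprint, uid) of the local key TFE expects, or None if none matches."""
    wanted = {kid.upper() for kid in registry_key_ids(response_body, namespace)}
    for fingerprint, uid in parse_gpg_keys(gpg_output).items():
        # A v4 OpenPGP long key ID is the last 16 hex digits of the fingerprint.
        if fingerprint[-16:] in wanted:
            return fingerprint, uid
    return None
```

With real data (the output of gpg -k and the body returned by the curl call above), the returned fingerprint is the value to pass to --default-key when re-signing; a None result means no local key matches the registry and the registered key must be imported or re-uploaded before signing.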
Solutions
Solution 1: Re-sign the Provider with the Correct GPG Key
To resolve this issue, you must re-sign the provider's checksum file using the same GPG key that is registered in your Terraform Enterprise instance.
- Re-sign the provider's SHA256SUMS file using the correct GPG key ID.

$ gpg --default-key <correct-gpg-key-id> --detach-sign terraform-provider-oci_5.29.0_SHA256SUMS

- Follow the steps in the Publishing a provider documentation to upload the newly generated SHA256SUMS.sig file to your Private Registry.
Outcome
After re-signing the provider with the correct key and uploading the new signature file, terraform init should successfully initialize the private provider without errors.