Introduction
Problem
Initializing Terraform code that uses a private provider from the Terraform Enterprise (TFE) Private Registry fails with the following error:
│ Error: Failed to install provider
│
│ Error while installing terraform.instance-test.com/test-org/oci v5.29.0: authentication signature from unknown issuer
Prerequisites
- The provider should be in the Private Registry of TFE
Cause
- The signature file of the provider has been signed with a different GPG key than the GPG key that has been uploaded to the private registry of TFE.
- This can happen when you have multiple GPG keys on your computer/VM.
- To check the list of your GPG keys you can use the following command:
#list gpg keys
$ gpg -k
- See the output below:
[keyboxd]
---------
pub rsa3072 2024-02-20 [SC]
558E414E5FF6F144027905D4EB71BE6B68B95EDB
uid [ultimate] daniela (daniela-key) <name@gmail.com>
sub rsa3072 2024-02-20 [E]
pub rsa3072 2024-02-23 [SC]
83D111902A5D5051C8AC37C11472E022D7760B02
uid [ultimate] test-key (testing-key) <test@key.com>
sub rsa3072 2024-02-23 [E]
- To verify which key is currently uploaded to and used by your TFE Private Registry, query the registry's GPG keys API:
curl \
--header "Authorization: Bearer $TOKEN" \
--header "Content-Type: application/vnd.api+json" \
--request GET \
"https://daniela.hashicorpdemo.com/api/registry/private/v2/gpg-keys?filter%5Bnamespace%5D=daniela-org" | jq '.'
- In the JSON response below, the value of key-id is 1472E022D7760B02:
{
"data": [
{
"type": "gpg-keys",
"id": "4",
"attributes": {
"ascii-armor": "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nmQGNBGXYYVsBDACmgAKY8nKsYQK9MKVcteLgTD2o1wfjRSqZEupoQTYRmSgMKu5G\nO8pnHcKeqtoj7Nplc+it07iUJVyGOgTH1PWEXFY70MvjXdThQA6rf+3XyWRztO/B\nyaFRDn3g3kWWEUm4HTTL+AKOTRmL21Yp4SnBcj+1J3eg3/hZHbwlZawh7a4VSRYW\ntMf+vmcl0RGY0L9Br/m4wUoeRHr6HW3OIzCQhb5ZKPOuB/igyGZTeVFcQCWGk3pb\nC1gtzznlTZ908MdY0jlb7RRcv9njjIsWFB+PHcIEqJ/xnVnmBDp+LLuCbMdqTj5u\nsDVGswp43/nFmUlzKfXq8uzTHrCvrM8IZaehvFAugG9zrr/+KtEKSDo68ll5Uef0\nRkbZ1R5ZrRRr+TxiFpv2bYY85JPBp5RBvbY3DRgh/pouLa8qVcmMLc2ntIyCWyQB\nCMgoWWF26F6pNUUuj115UI5ALMU6jm2dAV0J7kv5CVUAXlfCQhf75h00hP2oi48Z\nRP2zc9PRy17ZLY0AEQEAAbQldGVzdC1rZXkgKHRlc3Rpbmcta2V5KSA8dGVzdEBr\nZXkuY29tPokB0QQTAQgAOxYhBIPREZAqXVBRyKw3wRRy4CLXdgsCBQJl2GFbAhsD\nBQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJEBRy4CLXdgsCG6kL/31Rm00b\nQp8qwYizK1lZ+3ZYbxu0Hd41VQUn9CAX/PmYWqQaSj/WdrjDtRMNOoN7n2v9RBFU\n9HU5k37mF+4AYc5L0PtksCiyRqD+eyPVlG3x5U37+Dgbd6qcp7Mol6jJvV42A1R5\ngVLHM5TR6e+QmBrPclMey2Op7VlGOB9dd/X9ePfJEc54ohyMAl4i3dzDnc3bCDag\nffcY7y5W8KBe3AUq07Mb66CpkFyE4TZV6ELKv4zr9h/uU/xpYE4PtHGKaMZxsgOd\nlxeJMTV6mVIWWs66e2HKi4XLCeJ3qcqgKYaymXhseev7378GlWYmdWK1MXu7tj4M\n0GKepLqQbYkR6/p8l8+lioFhajxPrZIy0tLeNFkM08tg/4Yz76+/Vzgfq++ckpRB\n4yejebzPuuxDbtZ3w9TAfRewn9SZ71DrNO2zxBSwCd1wh3kZHH0Y8hnJO04s1aNW\nd5zrPySatrJoKyFvTvQmTbf5t2Xnts1aI9+qtCPVCzxfB9FA1ukYamTjCrkBjQRl\n2GFbAQwAmO2ixHGxKwh/1umqhW0W5l9rzTAQp6T/HDAQhIv5NDxJ6HZebmIipY5u\nEB8bnirC5Tb7k2muJVmxAhG22IPtu+EegRFVAMeeo34Spe/vkneU/jJmsGx19EYs\nFkePdORhsH9F6733xy82B4XUi+/ndiDQ7/bDjXWwmJZw1k7jOqFznB2cx1vQPbAh\nBqNkgg3QnPP7Qb9t0yf8y5M3U8m+xRoHCJJfFhX52zb6Wm3cWA40yMyOWUAhL4Vc\ncJmTA92sqNeYAZEPAJdRM3lzBiZwiJTFOdRI5fTpYILNswPcEvXLdk2XEmDZwZ8U\n0lzbqB4U6IMXm/wLa9NjzOxUpDgGlgZC09FgkpchCA/XQKDFAH5g2nqWMaR0/7MF\nbJz3omq+OEZ20jBlGFgTkZ6vzmDDxP97Hmx4RZw0A4E6pYg0WTGJx3UZaaRu0iio\n5Z0qKpxyFef8Vn4Tb/RE0Y8IFlJQDaicb4ZwcOmvsgNuwdJkBKcP0Ajmsa9XNxNQ\niEngIk+dABEBAAGJAbYEGAEIACAWIQSD0RGQKl1QUcisN8EUcuAi13YLAgUCZdhh\nWwIbDAAKCRAUcuAi13YLApp3DACAPDljzDnND+sQ863ov+k14fNjmAsJh6iZXuAh\nwcopgv5pDDBl0ltFlMKEWaE/PT5wYP
SmyxW27YP2Fi+Y1NxqkSfYE5mVFYc72lZL\nrzOqinpF7dHYsV6xUHEezfjBfkMUSws3qjlTOZnUk34+l2/EyRTaJ04kjbP1ZNQH\nvNT5AD93/RA0Fog1dHs3ayT8y0f7t+KvwViWYk6gt24zDsFTbLfXcsPrWFCx6lhK\nX4MojgBQYFcJRnevYp6sJTcj50UfAyTAmHR6FIc1qYjEhKxQ2WAdlczMQDIobtDL\nsnx5SwYBwTBPkyWBfGGRFlW2fy/LmmIqw0PP+0vnOPdNEK+BJ09Ax4X5lRbiSSlw\nywNyeJ3w8Nr2K0dl1oEKY3Qp+h4XMvPq/3ypayQ4s+g928J1TOo1AEF10E3og6a+\ntBIeDSJ7iJW4lV2ZKNyPdCFIee+KTb5LSzqfQNu1JbImmVl72Evp7QqHsUZ9yF17\njYw5yAwgaIz1LrikSaRW7DdVjBU=\n=uA87\n-----END PGP PUBLIC KEY BLOCK-----\n",
"created-at": "2024-02-23T09:59:36Z",
"key-id": "1472E022D7760B02",
"namespace": "daniela-org",
"source": "",
"source-url": null,
"trust-signature": "",
"updated-at": "2024-02-23T09:59:36Z"
},
"links": {
"self": "/v2/gpg-keys/4"
}
}
],
"links": {
"first": "/v2/gpg-keys?filter%5Bnamespace%5D=daniela-org&page%5Bnumber%5D=1&page%5Bsize%5D=15",
"last": "/v2/gpg-keys?filter%5Bnamespace%5D=daniela-org&page%5Bnumber%5D=1&page%5Bsize%5D=15",
"next": null,
"prev": null
},
"meta": {
"pagination": {
"page-size": 15,
"current-page": 1,
"next-page": null,
"prev-page": null,
"total-pages": 1,
"total-count": 1
}
}
}
- The key-id value retrieved above, 1472E022D7760B02, matches the last 16 characters of the second key's fingerprint in this example. This is therefore the key that has been uploaded to the Terraform Enterprise Private Registry and is used for your private provider:
pub rsa3072 2024-02-23 [SC]
83D111902A5D5051C8AC37C11472E022D7760B02
uid [ultimate] test-key (testing-key) <test@key.com>
sub rsa3072 2024-02-23 [E]
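The comparison above can be scripted. The following is an added example, not part of the original article or of HashiCorp's tooling: it finds the local key that matches the registry key-id and reads the issuer key ID from a detached signature. The function names, the sample gpg output (built from the two fingerprints shown above) and the scenario in which the signature was made with the first key are constructed for illustration.

```sh
# Print the fingerprint of the primary key whose last 16 hex digits equal key-id $1.
# stdin: output of `gpg --list-keys --with-colons`
fingerprint_for_key_id() {
  awk -F: -v id="$1" '
    $1 == "pub" { primary = 1; next }
    $1 == "sub" { primary = 0; next }
    $1 == "fpr" && primary {
      fpr = toupper($10); primary = 0
      if (substr(fpr, length(fpr) - 15) == toupper(id)) print fpr
    }'
}

# Print the issuer key ID recorded in the first signature packet.
# stdin: output of `gpg --list-packets terraform-provider-oci_5.29.0_SHA256SUMS.sig`
signature_issuer() {
  awk '/^:signature packet:/ {
    for (i = 1; i < NF; i++) if ($i == "keyid") { print toupper($(i + 1)); exit }
  }'
}

# Succeed only when the issuer key ID ($1) equals the registry key-id ($2).
issuer_matches_registry() {
  [ "$(printf %s "$1" | tr a-f A-F)" = "$(printf %s "$2" | tr a-f A-F)" ]
}

# Constructed sample: colon listing for the two keys shown above (subkey values are placeholders).
sample_keys() { cat <<'EOF'
pub:u:3072:1:EB71BE6B68B95EDB:1708387200:::u:::scESC:
fpr:::::::::558E414E5FF6F144027905D4EB71BE6B68B95EDB:
sub:u:3072:1:0000000000000001:1708387200::::::e:
fpr:::::::::0000000000000000000000000000000000000001:
pub:u:3072:1:1472E022D7760B02:1708646400:::u:::scESC:
fpr:::::::::83D111902A5D5051C8AC37C11472E022D7760B02:
EOF
}

# Constructed sample: a signature made with the first key instead of the uploaded one.
sample_packets() { cat <<'EOF'
:signature packet: algo 1, keyid EB71BE6B68B95EDB
EOF
}

registry_key_id=1472E022D7760B02   # key-id from the API response above
issuer=$(sample_packets | signature_issuer)
if issuer_matches_registry "$issuer" "$registry_key_id"; then
  echo "OK: signed with $(sample_keys | fingerprint_for_key_id "$registry_key_id")"
else
  echo "MISMATCH: signed by $issuer, registry expects $registry_key_id"
fi
```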
Solutions:
- Specify the correct GPG key and sign the provider's files again with that key:
gpg --default-key <gpg-key-id> --detach-sign terraform-provider-oci_5.29.0_SHA256SUMS
- Upload the newly generated SHA256SUMS.sig file to your Private Registry again and redo all the steps from the official documentation that involve the signature file.
Outcome
The issue should be resolved, and Terraform should be able to initialize the private provider successfully.