[FEATURE] Submit GPG public key to the OpenTofu registry

[tthompson-figma]

We would like to migrate to OpenTofu with all providers' GPG signatures validated. However, OpenTofu skips validation for this provider because the OpenTofu registry does not have this provider's GPG key.

You can follow this link to submit it: Submit new Provider Signing Key

If you don't have access to the public key anymore, you can retrieve it from the Terraform registry:

curl 'https://registry.terraform.io/v1/providers/opensearch-project/opensearch/2.3.1/download/linux/amd64' | jq --raw-output '.signing_keys | .gpg_public_keys | .[0] | .ascii_armor'

Note: For security reasons, it has to be submitted by the provider author for the OpenTofu registry to accept it.

Alternatives considered
Out-of-band GPG validation for providers missing keys in the OpenTofu registry. This is a pain :)

Additional context
OpenTofu is a fork of Terraform that is open-source, community-driven, and managed by the Linux Foundation.
Hashicorp opentofu/roadmap#24 (comment) for the terraform provider registry to disallow usage with things other than terraform, so OpenTofu had to build its own registry.

Potential impact
Allows OpenTofu users to use this provider with the same security guarantees they would using Terraform.

[prudhvigodithi]

[Triage]
Thanks @tthompson-figma, I will take a stab at this issue. Similar related issue #208.
Adding @peterzhuamazon

[prudhvigodithi]

Hey @tthompson-figma after reading some license and OpenTofu documentation I dont see a problem in creating Submit new Provider Signing Key request, this will also improve the OpenSearch provider footprint in OpenTofu community.

So after adding the key should I be able to find the OpenSearch in https://opentofu.org/registry/ ? Also does it take care of backfilling all the previous releases https://github.com/opensearch-project/terraform-provider-opensearch/releases ?

Thank you
@getsaurabh02 @dblock @bxn-ts @rblcoder

[tthompson-figma]

That's right! Note that you might not see the provider in https://search.opentofu.org/ but it'll still be present in the registry API!

[prudhvigodithi]

Thanks @tthompson-figma so the OpenSearch terraform provider will be present on https://search.opentofu.org/ once the Submit new Provider Signing Key request is completed?

[tthompson-figma]

The provider is already present in the registry, just without its GPG key submitted. You can see the existing metadata for the provider here:

curl 'https://registry.terraform.io/v1/providers/opensearch-project/opensearch' | jq

Provider downloads will include the GPG key and signatures once you've submitted the key to the registry!

[prudhvigodithi]

Yes its present in Hashicorp terraform registry https://registry.terraform.io/providers/opensearch-project/opensearch/latest, not in OpenTofu registry, was checking it will be part of https://search.opentofu.org/ or https://opentofu.org/registry/ once the requests is submitted ?

[tthompson-figma]

Agh sorry, I used the wrong registry in the curl command! Confirmed that the provider isn't present yet–I thought I'd submitted it already. You can use this issue type to submit it and it should appear within 15 minutes!

[abstractionfactory]

I have merged the key into the OpenTofu Registry and it should be online shortly. I believe this issue can be closed as resolved. Thank you to everyone involved here for helping make OpenTofu more secure!

[tthompson-figma]

Thanks all for the help!! 🙇