Terraform: Add cosign integrity check for TFLint (#586)

* add cosign integrity check for tflint

* fallback to gpg verification

src/terraform/devcontainer-feature.json

@@ -1,6 +1,6 @@
 {
     "id": "terraform",
-    "version": "1.3.1",
+    "version": "1.3.2",
     "name": "Terraform, tflint, and TFGrunt",
     "documentationURL": "https://github.com/devcontainers/features/tree/main/src/terraform",
     "description": "Installs the Terraform CLI and optionally TFLint and Terragrunt. Auto-detects latest version and installs needed dependencies.",
@@ -24,8 +24,8 @@
                 "0.47.0",
                 "0.46.1"
             ],
-            "default": "0.46.1",
-            "description": "Tflint version (Default value temporarily pinned to version 0.46.1: https://github.com/devcontainers/features/issues/581)"
+            "default": "latest",
+            "description": "Tflint version (https://github.com/terraform-linters/tflint/releases)"
         },
         "terragrunt": {
             "type": "string",

src/terraform/install.sh

@@ -158,6 +158,26 @@ check_packages() {
     fi
 }
 
+# Install 'cosign' for validating signatures
+# https://docs.sigstore.dev/cosign/overview/
+ensure_cosign() {
+    check_packages curl ca-certificates gnupg2
+
+    if ! type cosign > /dev/null 2>&1; then
+        echo "Installing cosign..."
+        local LATEST_COSIGN_VERSION=$(curl https://api.github.com/repos/sigstore/cosign/releases/latest | grep tag_name | cut -d : -f2 | tr -d "v\", ")
+        curl -L "https://github.com/sigstore/cosign/releases/latest/download/cosign_${LATEST_COSIGN_VERSION}_${architecture}.deb" -o /tmp/cosign_${LATEST_COSIGN_VERSION}_${architecture}.deb
+        
+        dpkg -i /tmp/cosign_${LATEST_COSIGN_VERSION}_${architecture}.deb
+        rm /tmp/cosign_${LATEST_COSIGN_VERSION}_${architecture}.deb
+    fi
+    if ! type cosign > /dev/null 2>&1; then
+        echo "(!) Failed to install cosign."
+        exit 1
+    fi
+    cosign version
+}
+
 # Ensure apt is in non-interactive to avoid prompts
 export DEBIAN_FRONTEND=noninteractive
 
@@ -198,17 +218,42 @@ if [ "${TFLINT_VERSION}" != "none" ]; then
     TFLINT_FILENAME="tflint_linux_${architecture}.zip"
     curl -sSL -o /tmp/tf-downloads/${TFLINT_FILENAME} https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/${TFLINT_FILENAME}
     if [ "${TFLINT_SHA256}" != "dev-mode" ]; then
-        if [ "${TFLINT_SHA256}" = "automatic" ]; then
+
+        if [ "${TFLINT_SHA256}" != "automatic" ]; then
+            echo "${TFLINT_SHA256} *${TFLINT_FILENAME}" > tflint_checksums.txt
+            sha256sum --ignore-missing -c tflint_checksums.txt
+        else
+            curl -sSL -o tflint_checksums.txt https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt
+
+            set +e
+            curl -sSL -o checksums.txt.keyless.sig https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.keyless.sig
+            set -e
+
+            # Check that checksums.txt.keyless.sig exists and is not empty
+            if [ -s checksums.txt.keyless.sig ]; then
+                # Validate checksums with cosign
+                curl -sSL -o checksums.txt.pem https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.pem
+                ensure_cosign
+                cosign verify-blob \
+                    --certificate=/tmp/tf-downloads/checksums.txt.pem \
+                    --signature=/tmp/tf-downloads/checksums.txt.keyless.sig \
+                    --certificate-identity-regexp="^https://github.com/terraform-linters/tflint"  \
+                    --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+                    /tmp/tf-downloads/tflint_checksums.txt
+                # Ensure that checksums.txt has $TFLINT_FILENAME
+                grep ${TFLINT_FILENAME} /tmp/tf-downloads/tflint_checksums.txt
+                # Validate downloaded file
+                sha256sum --ignore-missing -c tflint_checksums.txt
+            else
+                # Fallback to older, GPG-based verification (pre-0.47.0 of tflint)
+                curl -sSL -o tflint_checksums.txt.sig https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.sig
                 curl -sSL -o tflint_key "${TFLINT_GPG_KEY_URI}"
                 gpg -q --import tflint_key
-            curl -sSL -o tflint_checksums.txt https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt
-            curl -sSL -o tflint_checksums.txt.sig https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.sig
                 gpg --verify tflint_checksums.txt.sig tflint_checksums.txt
-        else
-            echo "${TFLINT_SHA256} *${TFLINT_FILENAME}" > tflint_checksums.txt
             fi
-        sha256sum --ignore-missing -c tflint_checksums.txt
         fi
+    fi
+
     unzip /tmp/tf-downloads/${TFLINT_FILENAME}
     mv -f tflint /usr/local/bin/
 fi

test/terraform/older_tflint.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+# Optional: Import test library
+source dev-container-features-test-lib
+
+check "terraform" terraform -version
+
+check "tflint" tflint --version
+
+# Report result
+reportResults

test/terraform/scenarios.json

@@ -22,5 +22,13 @@
                 "installTerraformDocs": true
             }
         }
+    },
+    "older_tflint": {
+        "image": "mcr.microsoft.com/devcontainers/base:jammy",
+        "features": {
+            "terraform": {
+                "tflint": "0.40.0"
+            }
+        }
     }
 }