Explicitly gpg verify the expected signed

dflook · dflook · commit 818f0fc114ca · 2026-03-28T12:53:32.000Z
diff --git a/image/Dockerfile-base b/image/Dockerfile-base
@@ -44,6 +44,7 @@ RUN <<EOF
  echo "C874011F0AB405110D02105534365D9472D7468F:6:" | gpg --import-ownertrust
 
  curl https://get.opentofu.org/opentofu.gpg | gpg --import
+ gpg --fingerprint E3E6E43D84CB852EADB0051D0C0AF313E5FD9F80
  echo "E3E6E43D84CB852EADB0051D0C0AF313E5FD9F80:6:" | gpg --import-ownertrust
 
  gpg --check-trustdb
diff --git a/image/src/opentofu/download.py b/image/src/opentofu/download.py
@@ -65,7 +65,7 @@ def get_checksums(version: Version, checksum_dir: Path) -> Path:
     if signature_path.exists():
         try:
             subprocess.run(
-                ['gpg', '--verify', signature_path, checksums_path],
+                ['gpg', '--assert-signer', 'E3E6E43D84CB852EADB0051D0C0AF313E5FD9F80', '--verify', signature_path, checksums_path],
                 check=True,
                 env={'GNUPGHOME': '/root/.gnupg'} | os.environ
             )
diff --git a/image/src/terraform/download.py b/image/src/terraform/download.py
@@ -98,7 +98,7 @@ def get_checksums(version: Version, checksum_dir: Path) -> Path:
 
     try:
         subprocess.run(
-            ['gpg', '--verify', signature_path, checksums_path],
+            ['gpg', '--assert-signer', 'C874011F0AB405110D02105534365D9472D7468F', '--verify', signature_path, checksums_path],
             check=True,
             env={'GNUPGHOME': '/root/.gnupg'} | os.environ
         )

Original file line number	Diff line number	Diff line change
`@@ -65,7 +65,7 @@ def get_checksums(version: Version, checksum_dir: Path) -> Path:`
`65`	`65`	`if signature_path.exists():`
`66`	`66`	`try:`
`67`	`67`	`subprocess.run(`
`68`		`- ['gpg', '--verify', signature_path, checksums_path],`
	`68`	`+ ['gpg', '--assert-signer', 'E3E6E43D84CB852EADB0051D0C0AF313E5FD9F80', '--verify', signature_path, checksums_path],`
`69`	`69`	`check=True,`
`70`	`70`	`env={'GNUPGHOME': '/root/.gnupg'} \| os.environ`
`71`	`71`	`)`
Original file line number	Diff line number	Diff line change
`@@ -98,7 +98,7 @@ def get_checksums(version: Version, checksum_dir: Path) -> Path:`
`98`	`98`
`99`	`99`	`try:`
`100`	`100`	`subprocess.run(`
`101`		`- ['gpg', '--verify', signature_path, checksums_path],`
	`101`	`+ ['gpg', '--assert-signer', 'C874011F0AB405110D02105534365D9472D7468F', '--verify', signature_path, checksums_path],`
`102`	`102`	`check=True,`
`103`	`103`	`env={'GNUPGHOME': '/root/.gnupg'} \| os.environ`
`104`	`104`	`)`