Skip to content

fix(tflint): verify aws plugin via PGP to dodge tflint init panic#106

Closed
camrschuette wants to merge 1 commit into
mainfrom
fix/tflint-pgp-signature
Closed

fix(tflint): verify aws plugin via PGP to dodge tflint init panic#106
camrschuette wants to merge 1 commit into
mainfrom
fix/tflint-pgp-signature

Conversation

@camrschuette

@camrschuette camrschuette commented Jul 16, 2026

Copy link
Copy Markdown

Every repo using pre-commit.yml is currently failing terraform_tflint. This is not a lint failure — tflint --init panics installing the aws plugin, before any linting runs.

Installing "aws" plugin...
Panic: runtime error: invalid memory address or nil pointer dereference
 -> 4: github.com/sigstore/sigstore-go/pkg/bundle.(*Bundle).TlogEntries: /bundle.go(300)
 -> 8: github.com/terraform-linters/tflint/plugin.(*SignatureChecker).VerifyAttestations: /signature.go(136)
 -> 9: github.com/terraform-linters/tflint/plugin.(*InstallConfig).Install: /install.go(134)

Cause

Server-side, nothing in our repos changed. GitHub REST API version 2026-03-10 removed the bundle field from attestation list responses. tflint calls that endpoint to verify the plugin, and:

  1. GitHub now returns "bundle": null
  2. tflint unmarshals null into a **Bundle — this sets the pointer nil and returns no error, so its own nil guard at plugin/signature.go:133 never fires
  3. verifier.Verify(b, policy) then calls a method on the nil receiver, and sigstore-go`s nil check dereferences it. Panic.

A latent tflint bug that only fires once the server returns null. Upstream: terraform-linters/tflint#2591 — filed 2026-07-16, still open, master unpatched.

Fix

signature = "pgp" takes the legacy PGP verification path instead of the default auto (which prefers attestations). Verification stays enabled. tflint emits a deprecation warning about the legacy signing key; the hook still passes.

Alternatives ruled out:

  • Pinning an older tflint — does not work. The trigger is server-side; every version taking the attestation path panics. Confirmed on v0.62.1 and v0.63.1.
  • Bumping sigstore-go — does not work. v1.2.2 has the identical nil-receiver line. Fix must be tflint-side.
  • signature = "none" — works but disables verification. Avoided; the PGP path works.

Verification

Reproduced the exact CI panic locally with the current config, then confirmed the fix against a clean plugin dir on tflint v0.63.1 with an authenticated GITHUB_TOKEN:

Installing "aws" plugin...
The plugin was signed using a legacy PGP signing key. Please update the plugin to the latest version
Installed "aws" (source: github.com/terraform-linters/tflint-ruleset-aws, version: 0.40.0)
+ ruleset.aws (0.40.0)

Full CI rule set against a real terraform/ tree: exit 0, zero findings.

v0.40.0 release assets include checksums.txt.sig, so the PGP path is valid for the pinned version.

Note for reviewers

The Checkout precommit config step has no ref:, so config is always read from this repos default branch — pinning the reusable workflow to a feature branch does not change which config CI uses. That is why this has to land on mainto take effect anywhere. Consuming repos can drop a local.tflint.hclas a stopgap (thecp -r -n` no-clobber makes it win); stratusphere has one, to be removed once this merges.

🤖 Generated with Claude Code

GitHub REST API 2026-03-10 removed the `bundle` field from attestation
list responses. tflint's default `auto` signature mode prefers
attestations, unmarshals the now-null bundle into a nil *bundle.Bundle
without erroring, and panics dereferencing it inside sigstore verify.
`tflint --init` crashes before any linting runs, failing the
terraform_tflint hook in every consuming repo.

Pinning the plugin to `signature = "pgp"` takes the legacy verification
path instead. Verification stays enabled; tflint emits a deprecation
warning about the legacy signing key. Pinning an older tflint does not
help — the trigger is server-side and every version taking the
attestation path panics.

Upstream: terraform-linters/tflint#2591

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@camrschuette

Copy link
Copy Markdown
Author

Superseded by #107, which lands this same tflint fix together with the free-disk and trivy_scan_ref commits already running in stratusphere via the branch pin. Merging them as one retires that pin and clears the revert-to-main TODO in stratusphere's ci.yml.

@camrschuette
camrschuette deleted the fix/tflint-pgp-signature branch July 16, 2026 20:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant