Properly sign the Windows executable

[Tbohunek]

Terraform Version

Terraform v1.10.4
on windows_amd64

Terraform Configuration Files

n/a

Debug Output

n/a

Expected Behavior

Terraform runs

Actual Behavior

Program terraform.exe failed to run: This program is blocked by group policy.

Steps to Reproduce

terraform -version

Additional Context

Our company recently switched to AppLocker, and the IT team say Terraform executable isn't signed properly.
They showed me the AppLocker rule for the Publisher string, everything looks good, but doesn't work.
They tell me it's because the other details in the file are empty:

For now the only thing that works is file hashes, which only work till next version. :)

References

Same problem with azurerm and azuread providers
hashicorp/terraform-provider-azurerm#26369

Generative AI / LLM assisted development?

No response

[crw]

Hi @Tbohunek, the artifact builds are handled by a build system within HashiCorp, which the core team does not have direct access to influence. I did a little digging and I think I found the correct tool to file this bug. I created an upstream issue which will only be visible to employees of HashiCorp: https://github.com/hashicorp/signore/issues/250. Thanks!

[msusicky]

Hi @Tbohunek, the artifact builds are handled by a build system within HashiCorp, which the core team does not have direct access to influence. I did a little digging and I think I found the correct tool to file this bug. I created an upstream issue which will only be visible to employees of HashiCorp: https://github.com/hashicorp/signore/issues/250. Thanks!

Hi, anything new about this issue? Thanks.

[crw]

No new updates, other than the teams involved know about the issue.

[crw]

Hi @Tbohunek, @msusicky: according to the release engineering team, the signing issue / Applocker issue was fixed by updating an intermediate certificate on our end.

The metadata issue is not fixed, however, I believe the core issue is the signing issue, which should be fixed. Please let me know if you are still experiencing this issue. Thanks!

[Tbohunek]

Hi @crw, thanks a lot for your response. Most of us resorted to some workarounds as it was really difficult to work otherwise, so I need to go and check with our IT team if they still observe the issue. Sorry for the delay, I'll let you know as soon as I can!

[dlavric]

Hi @crw, thanks a lot for your response. Most of us resorted to some workarounds as it was really difficult to work otherwise, so I need to go and check with our IT team if they still observe the issue. Sorry for the delay, I'll let you know as soon as I can!

Hi Tomas, Did you get any feedback from the IT team? Thank you!

[Tbohunek]

Hi @dlavric I did not, but I will try better next week.
On my Windows device I seem able to install latest terraform with winget and run it just fine, so I believe that the core issue is indeed resolved. But I would really love to be able to confirm 100%.

[Tbohunek]

@dlavric @crw I can confirm AppLocker works fine now! ✅
Thank you! 🎉

Will you continue fixing the metadata, or we close this issue? It's not blocking use of TF, but maybe it wont take much effort to do it properly. 🍻

[crw]

Given that this was fixed by updating a certificate, I am guessing the actual process of updating metadata wasn't examined in fixing that issue. I am also guessing there is not much interest in figuring out how to wire in the metadata generation but feel free to open a new issue for metadata.