From ba7f0e491e88e166e79b6419609319b45ff99f7d Mon Sep 17 00:00:00 2001 From: Kazuma Watanabe Date: Sun, 8 Dec 2024 22:23:45 +0900 Subject: [PATCH] Update docs/user-guide/plugins.md Co-authored-by: Ben Drucker --- docs/user-guide/plugins.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user-guide/plugins.md b/docs/user-guide/plugins.md index e8015bbed..e457b58cc 100644 --- a/docs/user-guide/plugins.md +++ b/docs/user-guide/plugins.md @@ -141,4 +141,4 @@ If the plugin developer has generated [Artifact Attestations](https://docs.githu This verification is experimental and optional: it is only attempted if there is no PGP public signing key, and if there is no artifact attestation, a warning will be output, not an error. If you want to require all plugin installs to be signed with a PGP signing key or an artifact attestation, you can force this behavior to be enabled by setting the `TFLINT_EXPERIMENTAL=1`. This behavior will be the default in future versions, but is subject to change without notice. -Note that this validation, like the PGP signing key, does not guarantee that the plugin is secure. Moreover it only guarantees the repository it was built from, not the signer, so it is not secure if an attacker has control over the repository. +Note that this validation, like the PGP signing key, does not guarantee that the plugin is secure. It only attests the source repository/revision from which it was built. It prevents direct upload of malicious release artifacts to GitHub or manipulation of download requests. If an attacker has control over the repository and can perform execution during a build, any resulting malicious release will still be considered "verified."
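Review bot: "It prevents direct upload of malicious release artifacts to GitHub or manipulation of download requests" in the added line overstates what verification does; the check does not stop an attacker from uploading or tampering, it makes the install fail when the downloaded artifact does not match a valid attestation for that repository, and per the preceding context paragraph even that only holds when `TFLINT_EXPERIMENTAL=1` forces the check, since otherwise a missing attestation is a warning rather than an error. Suggest rewording to something like "It detects release artifacts that were uploaded directly to GitHub or altered in transit, because such an artifact will not match any attestation, and the install fails (when verification is enforced)." The final sentence would also read more precisely as "can execute code during the release build (for example via a compromised workflow or dependency)" rather than "can perform execution during a build", so the reader understands that the trust boundary is the repository's build process, not the identity of whoever published the release.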