Signing issue when keypair provisioned with Terraform #574

Closed
Haoz-Aid opened this issue Oct 27, 2022 · 5 comments
Labels: bug (Something isn't working)

Comments


Haoz-Aid commented Oct 27, 2022

We are using jfrog/artifactory v6.9.1:

resource "artifactory_keypair" "deb-gpg-keypair" {
  pair_name   = "deb-gpg-keypair"
  pair_type   = "GPG"
  alias       = "deb-gpg-keypair"
  private_key = file("config-files/gpg.priv")
  public_key  = file("config-files/gpg.pub")
  passphrase  = "PASSPHRASE"

  # Changes to these two attributes are ignored on subsequent plans.
  lifecycle {
    ignore_changes = [
      private_key,
      passphrase,
    ]
  }
}

resource "artifactory_local_debian_repository" "deb-test" {
  description               = null
  key                       = "deb-test"
  property_sets             = ["artifactory"]
  primary_keypair_ref       = artifactory_keypair.deb-gpg-keypair.pair_name
  index_compression_formats = ["bz2"]
  depends_on                = [artifactory_keypair.deb-gpg-keypair]
}

We see the keypair in the UI, so it gets created. The issue is that the Release file does not get signed, so we enabled the Debian debug logs on Artifactory and see the following:

2022-10-26 21:49:27,487Z [jfrt ] [DEBUG] [e42a9544c225f0db] [bianReleaseMetadataIndexer:115] [art-exec-8 ] - Skipping the creation of InRelease file: missing private signing key or password
2022-10-26 21:49:27,560Z [jfrt ] [DEBUG] [e42a9544c225f0db] [bianReleaseMetadataIndexer:252] [art-exec-8 ] - Skipping the signing process: missing private signing key or password

The issue looks to be with providing the passphrase, but we see other issues if we don't provide this passphrase.

@Haoz-Aid Haoz-Aid added the bug Something isn't working label Oct 27, 2022
danielmkn (Collaborator) commented

@authentichz, thank you for the ticket, we'll take a look.

@danielmkn danielmkn self-assigned this Oct 27, 2022

oleg-sapegin-quadcode commented Oct 28, 2022

We have faced the same issue

Debug mode (TF_LOG="TRACE") shows that the passphrase is empty, although it is defined at runtime and in the Terraform configuration.

Terraform configuration
terraform {
  required_providers {
    artifactory = {
      source  = "jfrog/artifactory"
      version = ">=6.11.0"
    }
  }
  required_version = ">=1.2.2"
}

resource "artifactory_keypair" "passphrased_key_trace_test" {
  pair_name   = "passphrased_key_trace_test"
  pair_type   = "GPG"
  alias       = "passphrased_key_trace_test"
  private_key = file(var.gpg_private_key_with_passphrase)
  public_key  = file(var.gpg_public_key_with_passphrase)
  passphrase  = var.gpg_key_passphrase
  lifecycle {
    ignore_changes = [
      private_key,
      passphrase,
    ]
  }
}
Debug output
2022-10-27T13:52:51.427Z [DEBUG] [aws-sdk-go] DEBUG: Request s3/PutObject Details:
---[ REQUEST POST-SIGN ]-----------------------------
PUT /artifactory-terraform/artifactory.tfstate HTTP/1.1
Host: s3-host.example.com
User-Agent: APN/1.0 HashiCorp/1.0 Terraform/1.2.2 aws-sdk-go/1.42.35 (go1.18.1; linux; amd64)
Content-Length: 307635
Authorization: AWS4-HMAC-SHA256 Credential=[MASKED]/20221027/default/s3/aws4_request, SignedHeaders=content-length;content-md5;content-type;host;x-amz-content-sha256;x-amz-date, Signature=cd1354e80ea8a95skdd874c5a67c7b2049b07cd92m5e3d52053fc349e0885614
Content-Md5: ijvz4RKjdyH9t8vxvs2fUg==
Content-Type: application/json
X-Amz-Content-Sha256: a0f57da0c9a257a64ca0888e4461c0c77abe3c3865744ad6ad34a7d5a727fd23
X-Amz-Date: 20221027T135251Z
Accept-Encoding: gzip
....
{
  "mode": "managed",
  "type": "artifactory_keypair",
  "name": "passphrased_key_trace_test",
  "provider": "provider[\"registry.terraform.io/jfrog/artifactory\"]",
  "instances": [
  {
    "schema_version": 0,
    "attributes": {
    "alias": "passphrased_key_trace_test",
    "id": "passphrased_key_trace_test",
    "pair_name": "passphrased_key_trace_test",
    "pair_type": "GPG",
    "passphrase": "",
    "private_key": "-----BEGIN PGP PRIVATE KEY BLOCK-----DATA_GOES_HERE_IN_PLAIN_TEXT-----END PGP PRIVATE KEY BLOCK-----",
    "public_key": "-----BEGIN PGP PUBLIC KEY BLOCK-----DATA_GOES_HERE_IN_PLAIN_TEXT-----END PGP PUBLIC KEY BLOCK-----",
    "unavailable": false
    },
    "sensitive_attributes": [],
    "private": "bnVsbA=="
  }
  ]
}
...

The documentation says "Passphrases are not currently supported, though they exist in the API", yet the Argument Reference section mentions a passphrase argument, which looks confusing.
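The trace above is the place to confirm the symptom: the keypair instance reaches state with `"passphrase": ""` and the armored private key in plaintext with an empty `sensitive_attributes` list, and that state is then written to an S3 bucket. The following is an added example, not part of the original post or of the jfrog/artifactory provider: a small Go program that parses a state document and reports keypair instances with a lost passphrase or unmarked private key material. The state constant is constructed to mirror the posted excerpt with placeholder key text; the function and type names are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// tfState is the minimal slice of a Terraform state document this check reads.
type tfState struct {
	Resources []struct {
		Mode      string `json:"mode"`
		Type      string `json:"type"`
		Name      string `json:"name"`
		Instances []struct {
			Attributes          map[string]interface{} `json:"attributes"`
			SensitiveAttributes []interface{}          `json:"sensitive_attributes"`
		} `json:"instances"`
	} `json:"resources"`
}

// Finding is one problem found in a stored artifactory_keypair instance.
type Finding struct {
	Resource string
	Problem  string
}

// auditKeypairState reports artifactory_keypair instances whose passphrase is
// empty in state (when requirePassphrase is set, as in the configurations in
// this thread) and whose private key block sits in state without any
// sensitive_attributes marking.
func auditKeypairState(stateJSON []byte, requirePassphrase bool) ([]Finding, error) {
	var st tfState
	if err := json.Unmarshal(stateJSON, &st); err != nil {
		return nil, err
	}
	var findings []Finding
	for _, r := range st.Resources {
		if r.Mode != "managed" || r.Type != "artifactory_keypair" {
			continue
		}
		addr := r.Type + "." + r.Name
		for _, inst := range r.Instances {
			pp, _ := inst.Attributes["passphrase"].(string)
			if requirePassphrase && pp == "" {
				findings = append(findings, Finding{addr, "passphrase is empty in state although the configuration sets one"})
			}
			pk, _ := inst.Attributes["private_key"].(string)
			if strings.Contains(pk, "PRIVATE KEY BLOCK") && len(inst.SensitiveAttributes) == 0 {
				findings = append(findings, Finding{addr, "private_key is in state with no sensitive_attributes entry"})
			}
		}
	}
	return findings, nil
}

// constructedState mirrors the shape of the state excerpt posted above, with
// placeholder key material; it is sample input, not a real state file.
const constructedState = `{
  "version": 4,
  "resources": [
    {
      "mode": "managed",
      "type": "artifactory_keypair",
      "name": "passphrased_key_trace_test",
      "provider": "provider[\"registry.terraform.io/jfrog/artifactory\"]",
      "instances": [
        {
          "schema_version": 0,
          "attributes": {
            "alias": "passphrased_key_trace_test",
            "id": "passphrased_key_trace_test",
            "pair_name": "passphrased_key_trace_test",
            "pair_type": "GPG",
            "passphrase": "",
            "private_key": "-----BEGIN PGP PRIVATE KEY BLOCK-----PLACEHOLDER-----END PGP PRIVATE KEY BLOCK-----",
            "public_key": "-----BEGIN PGP PUBLIC KEY BLOCK-----PLACEHOLDER-----END PGP PUBLIC KEY BLOCK-----",
            "unavailable": false
          },
          "sensitive_attributes": [],
          "private": "bnVsbA=="
        }
      ]
    }
  ]
}`

func main() {
	findings, err := auditKeypairState([]byte(constructedState), true)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.Resource, f.Problem)
	}
}
```

Run it against a `terraform state pull` dump. Note the caveat the trace itself makes visible: a sensitive marking only affects what the CLI prints; the state file carries the private key in plaintext either way, so the bucket (and its access logs, versioning and replication) has to be treated as holding the signing key.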

chb0github (Contributor) commented

Hey @oleg-sapegin-quadcode - I wrote most/all of this code. Your observation about the passphrase is correct. If I remember right, when I tried to send the passphrase, it simply failed at the API level with no explanation. I tried anything I could think of, but it didn't work. The API documentation simply doesn't work as is and took a lot of reverse engineering to figure out how to get anything to work at all. You'll notice, for example, in the tests for this the public and private keys have to have literal \n newlines in them or they will fail. There is nothing about that in the spec and no reason for it since it's just MIME-encoded bytes, and it isn't mentioned in the documentation.

@alexhung @danielmkn will almost certainly need to take this up with the Artifactory/product team. I am pretty sure it's a bug. Even if it isn't, its usage is not at all obvious.

danielmkn (Collaborator) commented

Thanks, @chb0github! We are planning to look into it again, but I'm pretty sure we will have to just add some clarification to the attribute description since there is nothing to fix it in the provider.
@alexhung, what do you think?

danielmkn added a commit that referenced this issue Nov 11, 2022
'passphrase' attribute was not in the unpack function, thus was never in the API call body. After the change, the Provider can successfully send the attribute value, and it's saved in the state.
danielmkn added a commit that referenced this issue Nov 14, 2022
danielmkn (Collaborator) commented

Fixed in v6.19.2
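The commit note above gives the root cause: the passphrase attribute was missing from the provider's unpack step, so it never entered the API request body, and the value then showed up empty in state. The following is an added example, not the provider's or Artifactory's code: a hypothetical unpack function in the buggy and fixed forms, plus a schema-to-body coverage check that fails whenever any declared attribute is not carried into the marshalled JSON. The request struct, JSON key names and attribute values are assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// keyPairRequest is a hypothetical request body for creating a keypair; the
// field and JSON names are assumptions for this example, not the provider's
// or Artifactory's real types.
type keyPairRequest struct {
	PairName   string `json:"pairName"`
	PairType   string `json:"pairType"`
	Alias      string `json:"alias"`
	PrivateKey string `json:"privateKey"`
	PublicKey  string `json:"publicKey"`
	Passphrase string `json:"passphrase"`
}

// schemaAttributes lists every resource attribute the API body must carry,
// with the JSON key each one maps to (assumed mapping).
var schemaAttributes = map[string]string{
	"pair_name":   "pairName",
	"pair_type":   "pairType",
	"alias":       "alias",
	"private_key": "privateKey",
	"public_key":  "publicKey",
	"passphrase":  "passphrase",
}

// unpackBuggy reproduces the defect described in the commit note: every
// attribute is copied except passphrase, so it never reaches the API body.
func unpackBuggy(attrs map[string]string) keyPairRequest {
	return keyPairRequest{
		PairName:   attrs["pair_name"],
		PairType:   attrs["pair_type"],
		Alias:      attrs["alias"],
		PrivateKey: attrs["private_key"],
		PublicKey:  attrs["public_key"],
	}
}

// unpackFixed carries the passphrase through as well.
func unpackFixed(attrs map[string]string) keyPairRequest {
	req := unpackBuggy(attrs)
	req.Passphrase = attrs["passphrase"]
	return req
}

// missingAttributes marshals the unpacked request and returns every schema
// attribute whose value did not make it into the JSON body. Call it with all
// attributes set to distinct non-empty values so an omission cannot hide
// behind a legitimately empty field.
func missingAttributes(attrs map[string]string, unpack func(map[string]string) keyPairRequest) ([]string, error) {
	body, err := json.Marshal(unpack(attrs))
	if err != nil {
		return nil, err
	}
	var sent map[string]string
	if err := json.Unmarshal(body, &sent); err != nil {
		return nil, err
	}
	var missing []string
	for attr, key := range schemaAttributes {
		if sent[key] != attrs[attr] {
			missing = append(missing, attr)
		}
	}
	sort.Strings(missing)
	return missing, nil
}

// sampleAttrs is constructed input with placeholder key material.
var sampleAttrs = map[string]string{
	"pair_name":   "deb-gpg-keypair",
	"pair_type":   "GPG",
	"alias":       "deb-gpg-keypair",
	"private_key": "-----BEGIN PGP PRIVATE KEY BLOCK-----\nPLACEHOLDER\n-----END PGP PRIVATE KEY BLOCK-----",
	"public_key":  "-----BEGIN PGP PUBLIC KEY BLOCK-----\nPLACEHOLDER\n-----END PGP PUBLIC KEY BLOCK-----",
	"passphrase":  "example-passphrase",
}

func main() {
	unpackers := map[string]func(map[string]string) keyPairRequest{"buggy": unpackBuggy, "fixed": unpackFixed}
	for name, unpack := range unpackers {
		missing, err := missingAttributes(sampleAttrs, unpack)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s unpack: missing attributes %v\n", name, missing)
	}
}
```

The coverage check is the regression test worth keeping in a provider: it is driven by the attribute list rather than by hand-written per-field assertions, so adding a schema attribute without wiring it into the request body fails the test instead of silently producing an unsigned repository.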
