terraform-linters
diff --git a/‎README.md‎
Lines changed: 0 additions & 9 deletions b/‎README.md‎
Lines changed: 0 additions & 9 deletions
diff --git a/‎cmd/init.go‎
Lines changed: 4 additions & 5 deletions b/‎cmd/init.go‎
Lines changed: 4 additions & 5 deletions
diff --git a/‎docs/developer-guide/plugins.md‎
Lines changed: 2 additions & 2 deletions b/‎docs/developer-guide/plugins.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎docs/user-guide/environment_variables.md‎
Lines changed: 1 addition & 1 deletion b/‎docs/user-guide/environment_variables.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/user-guide/plugins.md‎
Lines changed: 3 additions & 20 deletions b/‎docs/user-guide/plugins.md‎
Lines changed: 3 additions & 20 deletions
diff --git a/‎go.mod‎
Lines changed: 1 addition & 1 deletion b/‎go.mod‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎go.sum‎
Lines changed: 2 additions & 2 deletions b/‎go.sum‎
Lines changed: 2 additions & 2 deletions
@@ -107,15 +107,6 @@ plugin "foo" {
   enabled = true
   version = "0.1.0"
   source  = "github.com/org/tflint-ruleset-foo"
-
-  signing_key = <<-KEY
-  -----BEGIN PGP PUBLIC KEY BLOCK-----
-
-  mQINBFzpPOMBEADOat4P4z0jvXaYdhfy+UcGivb2XYgGSPQycTgeW1YuGLYdfrwz
-  9okJj9pMMWgt/HpW8WrJOLv7fGecFT3eIVGDOzyT8j2GIRJdXjv8ZbZIn1Q+1V72
-  AkqlyThflWOZf8GFrOw+UAR1OASzR00EDxC9BqWtW5YZYfwFUQnmhxU+9Cd92e6i
-  ...
-  KEY
 }
 ```
 
 
@@ -12,10 +12,6 @@ import (
 )
 
 func (cli *CLI) init(opts Options) int {
-	if plugin.IsExperimentalModeEnabled() {
-		_, _ = color.New(color.FgYellow).Fprintln(cli.outStream, `Experimental mode is enabled. This behavior may change in future versions without notice`)
-	}
-
 	workingDirs, err := findWorkingDirs(opts)
 	if err != nil {
 		cli.formatter.Print(tflint.Issues{}, fmt.Errorf("Failed to find workspaces; %w", err), map[string][]byte{})
@@ -53,7 +49,10 @@ func (cli *CLI) init(opts Options) int {
 					_, err = installCfg.Install()
 					if err != nil {
 						if errors.Is(err, plugin.ErrPluginNotVerified) {
-							_, _ = color.New(color.FgYellow).Fprintln(cli.outStream, `No signing key configured. Set "signing_key" to verify that the release is signed by the plugin developer`)
+							_, _ = color.New(color.FgYellow).Fprintln(cli.outStream, `No signing key or attestations found. The plugin signature is not verified`)
+							err = nil
+						} else if errors.Is(err, plugin.ErrLegacySigningKeyUsed) {
+							_, _ = color.New(color.FgYellow).Fprintln(cli.outStream, `The plugin was signed using a legacy PGP signing key. Please update the plugin to the latest version`)
 							err = nil
 						} else {
 							return fmt.Errorf("Failed to install a plugin; %w", err)
 
@@ -55,10 +55,10 @@ The requirements to support automatic installation are as follows:
 
 When signing a release, one of the following requirements must be met:
 
+- [Artifact Attestation](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds)
+  - Include a step in your GitHub Actions workflow that uses the [`attest-build-provenance` action](https://github.com/actions/attest-build-provenance) for `checksums.txt`.
 - PGP signing key
   - The release must contain a signature file for the checksum file with the name `checksums.txt.sig`
   - The signature file must be binary OpenPGP format
-- [Artifact Attestation](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds)
-  - Include a step in your GitHub Actions workflow that uses the [`attest-build-provenance` action](https://github.com/actions/attest-build-provenance) for `checksums.txt`.
 
 Releases that meet these requirements can be easily created by following the GoReleaser config in the template repository.
@@ -13,7 +13,7 @@ Below is a list of environment variables available in TFLint.
 - `GITHUB_TOKEN`
   - (Optional) Used for authenticated GitHub API requests when checking for updates and downloading plugins. Increases the rate limit from 60 to 5000 requests per hour. Useful if you encounter rate limit errors. You can obtain a token by creating a [GitHub personal access token](https://github.com/settings/tokens); no special scopes are required.
 - `TFLINT_EXPERIMENTAL`
-  - Enable experimental features. Note that experimental features are subject to change without notice. Currently only [Keyless Verification](./plugins.md#keyless-verification-experimental) are supported.
+  - Enable experimental features. Note that experimental features are subject to change without notice. Currently there is no impact.
 - `TF_VAR_name`
   - Set variables for compatibility with Terraform. See [Compatibility with Terraform](./compatibility.md).
 - `TF_DATA_DIR`
 
@@ -7,15 +7,6 @@ plugin "foo" {
   enabled = true
   version = "0.1.0"
   source  = "github.com/org/tflint-ruleset-foo"
-
-  signing_key = <<-KEY
-  -----BEGIN PGP PUBLIC KEY BLOCK-----
-
-  mQINBFzpPOMBEADOat4P4z0jvXaYdhfy+UcGivb2XYgGSPQycTgeW1YuGLYdfrwz
-  9okJj9pMMWgt/HpW8WrJOLv7fGecFT3eIVGDOzyT8j2GIRJdXjv8ZbZIn1Q+1V72
-  AkqlyThflWOZf8GFrOw+UAR1OASzR00EDxC9BqWtW5YZYfwFUQnmhxU+9Cd92e6i
-  ...
-  KEY
 }
 ```
 
@@ -50,11 +41,11 @@ Plugin version. Do not prefix with "v". This attribute cannot be omitted when th
 
 ### `signing_key`
 
-Plugin developer's PGP public signing key. When this attribute is set, TFLint will automatically verify the signature of the checksum file downloaded from GitHub. It is recommended to set it to prevent supply chain attacks.
+Plugins are verified by default with [Artifact Attestations](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds) when available. If no attestations are found, TFLint falls back to PGP signature verification using the `signing_key`.
 
-Plugins under the terraform-linters organization (AWS/GCP/Azure ruleset plugins) can use the built-in signing key, so this attribute can be omitted.
+If the plugin developer distributes a PGP public key, setting the `signing_key` will ensure that the signature of the checksum file downloaded from GitHub is signed by the key.
 
-If the plugin developer generates [Artifact Attestation](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds), you can omit this attribute. See [Keyless Verification](#keyless-verification-experimental) for details.
+NOTE: Artifact Attestations will not be verified if the `source` is a private repository. If you want to verify signatures in a private repository, you must set the `signing_key`.
 
 ## Plugin directory
 
@@ -136,11 +127,3 @@ plugin "terraform" {
 ```
 
 If you have tflint-ruleset-terraform manually installed, the bundled plugin will not be automatically enabled. In this case the manually installed version takes precedence.
-
-## Keyless verification (experimental)
-
-If the plugin developer has generated [Artifact Attestations](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds), TFLint will automatically verify them and prove that the plugin binary was built in that repository.
-
-This verification is experimental and optional: it is only attempted if there is no PGP public signing key, and if there is no artifact attestation, a warning will be output, not an error. If you want to require all plugin installs to be signed with a PGP signing key or an artifact attestation, you can force this behavior to be enabled by setting the `TFLINT_EXPERIMENTAL=1`. This behavior will be the default in future versions, but is subject to change without notice.
-
-Note that this validation, like the PGP signing key, does not guarantee that the plugin is secure. It only attests the source repository/revision from which it was built. It prevents direct upload of malicious release artifacts to GitHub or manipulation of download requests. If an attacker has control over the repository and can perform execution during a build, any resulting malicious release will still be considered "verified."
@@ -9,7 +9,7 @@ require (
 	github.com/fatih/color v1.18.0
 	github.com/go-test/deep v1.1.1
 	github.com/google/go-cmp v0.7.0
-	github.com/google/go-github/v67 v67.0.0
+	github.com/google/go-github/v81 v81.0.0
 	github.com/google/uuid v1.6.0
 	github.com/hashicorp/go-plugin v1.7.0
 	github.com/hashicorp/go-uuid v1.0.3
 
@@ -229,8 +229,8 @@ github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/go-containerregistry v0.20.7 h1:24VGNpS0IwrOZ2ms2P1QE3Xa5X9p4phx0aUgzYzHW6I=
 github.com/google/go-containerregistry v0.20.7/go.mod h1:Lx5LCZQjLH1QBaMPeGwsME9biPeo1lPx6lbGj/UmzgM=
-github.com/google/go-github/v67 v67.0.0 h1:g11NDAmfaBaCO8qYdI9fsmbaRipHNWRIU/2YGvlh4rg=
-github.com/google/go-github/v67 v67.0.0/go.mod h1:zH3K7BxjFndr9QSeFibx4lTKkYS3K9nDanoI1NjaOtY=
+github.com/google/go-github/v81 v81.0.0 h1:hTLugQRxSLD1Yei18fk4A5eYjOGLUBKAl/VCqOfFkZc=
+github.com/google/go-github/v81 v81.0.0/go.mod h1:upyjaybucIbBIuxgJS7YLOZGziyvvJ92WX6WEBNE3sM=
 github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
 github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
 github.com/google/martian/v3 v3.3.3 h1:DIhPTQrbPkgs2yJYdXU/eNACCG5DVQjySNRNlflZ9Fc=