Validate uploaded GPG keys against providers #356

Open
cam72cam opened this issue Apr 3, 2024 · 5 comments · May be fixed by #1423
Labels
enhancement New feature or request help wanted Extra attention is needed

Comments

@cam72cam
Member

cam72cam commented Apr 3, 2024

Description of the feature you are looking for.

As we've seen in #352, providers can upload the wrong key for providers. We should validate that the key matches the already existing providers in the add key workflow.

@cam72cam cam72cam added enhancement New feature or request help wanted Extra attention is needed labels Apr 3, 2024
@diofeher
Member

diofeher commented Jan 2, 2025

From what I understood, the provider name is optional when submitting the provider key:
example: #1408

So the steps for validating would be:

1. Download the provider file by name, if it exists; if not, list the providers in the namespace;
2. Try to match the GPG public key to the signing of one of these providers;
3. If it matches, it validates; if not, we display an error to the user asking them to match the uploaded key.

Is this understanding correct? If not, what should be taken into consideration?

@ollevche
Member

ollevche commented Jan 2, 2025

Hey @diofeher!

It sounds reasonable. I would add that we already have the code to download and validate the signature in tofu itself, so it is a good idea to reuse this part.

We might want to check the signatures of all the provider binaries (for different architectures), however, I am not sure if it makes practical sense.

For the third bullet point, I would still check all the providers in the namespace even if some of them have already failed the check. This way we would have a full report of which providers passed and which didn't.

As far as I remember @cam72cam already has some draft code for this one.

@cam72cam
Member Author

cam72cam commented Jan 3, 2025

Here is my terrible code main...provider_key_checker, feel free to use parts of that or start from scratch

@diofeher
Member

diofeher commented Jan 4, 2025

The GPG Key pull request is usually added after the provider? That's why we can check these provider files (e.g. provider/o/opentofu/aws.json), right?

Thanks for the code @cam72cam and @ollevche for the detailed instructions :)

@diofeher
Member

diofeher commented Jan 4, 2025

Hey team, I have a quick question:

How do you verify manually if the key is valid for the provider? I just want to double-check that my code is doing what's expected.
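The check diofeher outlined (match the uploaded key against the providers' signatures, report every provider in the namespace) and the manual verification asked about in the last comment, as an added shell example that is not the registry's or tofu's own code. It assumes each provider release directory carries a SHA256SUMS file with a detached SHA256SUMS.sig, names that do not appear on this page, and it deliberately uses an empty throwaway keyring so that no key already trusted on the operator's machine can make the check pass.

```shell
#!/bin/sh
# Verify that an uploaded ASCII-armored GPG public key really signed a
# provider release's checksum file. The check runs in a fresh, empty keyring:
# only the key under review is imported, so a good signature from any other
# key cannot satisfy it. Assumed layout (not from the issue): SHA256SUMS and
# a detached SHA256SUMS.sig next to it.
# Usage: verify_provider_key KEY.asc SHA256SUMS SHA256SUMS.sig
verify_provider_key() {
    key="$1"; sums="$2"; sig="$3"
    home=$(mktemp -d) || return 2
    chmod 700 "$home"
    # Import only the key under review into the empty keyring.
    if ! gpg --batch --quiet --homedir "$home" --import "$key" 2>/dev/null; then
        rm -rf "$home"; return 2
    fi
    # A good signature made by that key is the only way to exit 0.
    if gpg --batch --quiet --homedir "$home" --verify "$sig" "$sums" 2>/dev/null; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$home"
    return "$rc"
}

# Check every provider in a namespace and print a PASS/FAIL line for each,
# instead of stopping at the first failure. Arguments: the key file, then one
# release directory per provider. Returns the number of providers that failed.
report_namespace() {
    key="$1"; shift
    failed=0
    for dir in "$@"; do
        if verify_provider_key "$key" "$dir/SHA256SUMS" "$dir/SHA256SUMS.sig"; then
            echo "PASS $(basename "$dir")"
        else
            echo "FAIL $(basename "$dir")"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}
```

A non-zero return from report_namespace is the signal to reject the key upload; the per-provider lines are the report to show the submitter.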

3 participants