
[hcsec-2021-12] Add hashicorp new pgp public Key #257

Merged


Genesys05

@Genesys05 Genesys05 commented Apr 27, 2021

Hashicorp has changed its PGP key because the old key has been compromised.

Link: https://discuss.hashicorp.com/t/hcsec-2021-12-codecov-security-event-and-hashicorp-gpg-key-exposure/23512

This PR is important because tfenv does not work with "gpgv verification" enabled on Terraform releases since 26/04/21.

No breaking change: the new "hashicorp-keys.pgp" file contains the old key (old releases are signed with this key) and the new key (new releases since 26/04/21 are signed with this key).

Commands used (the concatenated armored file is the one passed to `--dearmor`):

$ cat hashicorp-keys_old.asc > hashicorp-keys_combined.asc
$ cat hashicorp-keys_new.asc >> hashicorp-keys_combined.asc
$ gpg --dearmor -o hashicorp-keys.pgp hashicorp-keys_combined.asc

Old hashicorp-keys.pgp file:

$ gpg hashicorp-keys.pgp 

pub   rsa2048 2014-02-26 [SC]
      91A6E7F85D05C65630BEF18951852D87348FFC4C
uid           HashiCorp Security <security@hashicorp.com>
sub   rsa2048 2014-02-26 [E]

New hashicorp-keys.pgp file:

$ gpg hashicorp-keys.pgp 

pub   rsa2048 2014-02-26 [SC]
      91A6E7F85D05C65630BEF18951852D87348FFC4C
uid           HashiCorp Security <security@hashicorp.com>
sub   rsa2048 2014-02-26 [E] [expires: 2024-03-25]
pub   rsa4096 2021-04-19 [SC] [expires: 2026-04-18]
      C874011F0AB405110D02105534365D9472D7468F
uid           HashiCorp Security (hashicorp.com/security) <security@hashicorp.com>
sub   rsa4096 2021-04-19 [E] [expires: 2026-04-18]
sub   rsa4096 2021-04-19 [S] [expires: 2022-04-20]
sub   rsa4096 2021-04-21 [S] [expires: 2026-04-20]

Issues fixed by this PR

@Genesys05 Genesys05 changed the title Add hashicorp new pgp public Key [hcsec-2021-12] Add hashicorp new pgp public Key Apr 27, 2021
@Genesys05 Genesys05 changed the title [hcsec-2021-12] Add hashicorp new pgp public Key [hcsec-2021-12] Add hashicorp new pgp public Key - Resolve tfenv breaking verification usage of terraform releases since 26/04/2021 Apr 27, 2021
@Genesys05 Genesys05 changed the title [hcsec-2021-12] Add hashicorp new pgp public Key - Resolve tfenv breaking verification usage of terraform releases since 26/04/2021 [hcsec-2021-12] Add hashicorp new pgp public Key Apr 27, 2021
@don-code

Devil's advocate: should we not also actively distrust (and remove from the bundle) the current key, where Hashicorp says that all of the existing binaries have been resigned? We know the old key can now be used to sign releases, and while they say there's no sign that this was done, it might be a defense-in-depth strategy to no longer validate said key.

@Genesys05
Author

Genesys05 commented Apr 28, 2021

Devil's advocate: should we not also actively distrust (and remove from the bundle) the current key, where Hashicorp says that all of the existing binaries have been resigned? We know the old key can now be used to sign releases, and while they say there's no sign that this was done, it might be a defense-in-depth strategy to no longer validate said key.

I totally agree with you.

Hashicorp has re-signed only the last release of each branch:

  • v0.11.15
  • v0.12.31
  • v0.13.7
  • v0.14.11
  • v0.15.1

I have added this key and not removed the old key to avoid a breaking change for "tfenv" users, but I can change that.

In the security bulletin we have this section:

What was the timeline?

HashiCorp rotated and revoked the exposed GPG key, re-signed the majority of existing product releases with the new GPG key, and published a public security bulletin on April 22, 2021.

HashiCorp released updated Terraform binaries with updated GPG keys on April 26, 2021.

I think that we have two solutions:

  • I can drop the old certificate and replace it with the new certificate (better mechanism)

    • We can use the tag mechanism on GitHub to specify that a breaking change is present and that old Terraform releases cannot be verified with the "gpgv" mechanism (releases before v0.11.15/v0.12.31/v0.13.7/v0.14.11/v0.15.1).
  • I can add the old and new certificates (current mechanism)

    • Defense in depth that is not optimal but avoids a breaking change
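As an added example (not tfenv's code and not part of this PR): a POSIX sh verifier that keeps the combined keyring from this PR but enforces an allowlist of primary-key fingerprints, so the exposed 2014 key can remain in the bundle for historical releases while fresh downloads are only accepted when signed by the 2021 key. The fingerprints are the ones listed in the PR description; the subkey fingerprint and status lines used for testing are constructed.

```shell
#!/bin/sh
# Added example, not tfenv's own code: verify a release checksum file with
# gpgv against the combined hashicorp-keys.pgp, then require the *primary*
# key behind the signature to be on an explicit allowlist. This is the
# "distrust the old key" option from the discussion without dropping it
# from the keyring. Fingerprints are those shown in the PR.
OLD_KEY_FPR=91A6E7F85D05C65630BEF18951852D87348FFC4C   # exposed key (hcsec-2021-12)
NEW_KEY_FPR=C874011F0AB405110D02105534365D9472D7468F   # key created 2021-04-19
# Default: only the 2021 key. Set ALLOWED_FPRS="$OLD_KEY_FPR $NEW_KEY_FPR" only
# when installing a release older than the re-signed ones (v0.11.15 etc.).
ALLOWED_FPRS=${ALLOWED_FPRS:-$NEW_KEY_FPR}

# signer_allowed STATUS ALLOWED_FPRS
# STATUS is the text gpgv wrote to --status-fd. Returns 0 only if the
# signature is valid and its primary key is allowed. Field 12 of VALIDSIG is
# the primary-key fingerprint; this matters because the 2021 key signs with
# [S] subkeys, so field 3 would only show the subkey.
signer_allowed() {
    status=$1
    allowed=$2
    # Any failure line means the file must not be trusted, whatever else is there.
    if printf '%s\n' "$status" | grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|NO_PUBKEY) '; then
        return 1
    fi
    primary=$(printf '%s\n' "$status" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $12; exit }')
    [ -n "$primary" ] || return 1   # no VALIDSIG (or a gpgv too old to report it)
    for fpr in $allowed; do
        [ "$fpr" = "$primary" ] && return 0
    done
    return 1                        # valid signature, but from a key we no longer accept
}

# verify_release KEYRING SIG_FILE SUMS_FILE
# KEYRING must contain a slash (e.g. ./hashicorp-keys.pgp); otherwise gpgv
# looks for it in the GnuPG home directory.
verify_release() {
    status=$(gpgv --keyring "$1" --status-fd 1 "$2" "$3" 2>/dev/null) || return 1
    signer_allowed "$status" "$ALLOWED_FPRS"
}

# Usage: sh verify.sh ./hashicorp-keys.pgp terraform_0.15.1_SHA256SUMS.sig terraform_0.15.1_SHA256SUMS
if [ "$#" -eq 3 ]; then
    if verify_release "$1" "$2" "$3"; then echo "OK: signed by an allowed key"
    else echo "REJECTED: bad signature or key not on the allowlist"; exit 1; fi
fi
```

Note that gpgv alone would accept a signature from either key in the bundle; the allowlist check after it is what turns the combined keyring into a defense-in-depth setup rather than a widened trust set.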
