asdf-community / asdf-hashicorp

HashiCorp plugin for the asdf version manager
https://github.com/asdf-vm/asdf
MIT License

always check the new Hashicorp key signatures #27

Closed nathantypanski closed 3 years ago

nathantypanski commented 3 years ago

For Hashicorp Vault packages, a SHA256SUMS.sig file is always present, even for older versions of Vault. However, for older Terraform versions, this file contains an older signature. It seems that all releases of all Hashicorp software support the new filename.

$ asdf install terraform 0.14.10
Downloading terraform version 0.14.10 from https://releases.hashicorp.com/terraform/0.14.10/terraform_0.14.10_linux_amd64.zip
Verifying signatures and checksums
gpg: keybox '/tmp/asdf_terraform_nMg8PU/pubring.kbx' created
gpg: /tmp/asdf_terraform_nMg8PU/trustdb.gpg: trustdb created
gpg: key 34365D9472D7468F: public key "HashiCorp Security (hashicorp.com/security) <security@hashicorp.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: Signature made Thu 22 Apr 2021 01:16:33 PM EDT
gpg:                using RSA key B0B441097685B676
gpg: Good signature from "HashiCorp Security (hashicorp.com/security) <security@hashicorp.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: C874 011F 0AB4 0511 0D02  1055 3436 5D94 72D7 468F
     Subkey fingerprint: B36C BA91 A2C0 730C 435F  C280 B0B4 4109 7685 B676
terraform_0.14.10_linux_amd64.zip: OK
Cleaning terraform previous binaries
Creating terraform bin directory
Extracting terraform archive

Fixes #26.

The first and last Terraform releases contain this file:

https://releases.hashicorp.com/terraform/0.1.0/
https://releases.hashicorp.com/terraform/0.15.4/

The first and last Consul releases contain it:

https://releases.hashicorp.com/consul/0.1.0/
https://releases.hashicorp.com/consul/1.10.0-beta2/

The first and last Vault releases contain it:

https://releases.hashicorp.com/vault/0.1.0/
https://releases.hashicorp.com/vault/1.7.0+ent.hsm/

smorimoto commented 3 years ago

Ouch, seems to have failed with 1.7.2+ent...

radditude commented 3 years ago

I believe 1.7.2 was just released, so it's possible we haven't finished generating all the release artifacts yet (looking at https://releases.hashicorp.com/vault/1.7.2+ent/)

smorimoto commented 3 years ago

Unfortunately, we are now faced with the problem of renaming files: vault_1.7.1_SHA256SUMS.72D7468F.sig -> vault_1.7.2_SHA256SUMS.sig
https://releases.hashicorp.com/vault/1.7.2/
https://releases.hashicorp.com/vault/1.7.1/

radditude commented 3 years ago

oh no ☹️ would it be best to revert the gpg check for now, do you think? I can try to get some clarification from the release engineering team on what kind of consistency we can expect from those filenames going forward.

smorimoto commented 3 years ago

That might be a good idea, and of course we can do some conditional branching by version as I suggested in https://github.com/asdf-community/asdf-hashicorp/pull/24#issuecomment-845205159.

radditude commented 3 years ago

Ah, good idea! Yeah, why don't we revert these changes for now and take another swing at implementing this functionality 😄 I'll open a pull request.
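The thread above shows two problems a plugin that verifies HashiCorp releases has to handle: the detached signature for SHA256SUMS is published under two different names (vault_1.7.1_SHA256SUMS.72D7468F.sig versus vault_1.7.2_SHA256SUMS.sig), and a freshly cut release may not have its signature published yet. The script below is an added example written for this page, not asdf-hashicorp's own code. It selects whichever signature name exists, fails closed when neither does (rather than silently skipping verification), and then checks the downloaded archive against the signed SHA256SUMS file. The function names (pick_sig_file, verify_sums_signature, verify_archive, make_fixture) are this example's own; the release directory it operates on is a constructed local fixture with placeholder archives and empty .sig placeholders, so the gpg step is provided but not exercised offline.

```shell
#!/usr/bin/env bash
# Added example for this thread, not asdf-hashicorp's own code. Mirrors the
# two checks the plugin performs, tolerating both signature file names seen in
# the thread: PRODUCT_VERSION_SHA256SUMS.sig and
# PRODUCT_VERSION_SHA256SUMS.<keyid>.sig. Every file it touches is constructed
# locally by make_fixture; no real HashiCorp artifacts are downloaded.

# hash_file FILE: print the hex SHA-256 of FILE (sha256sum on Linux, shasum on macOS).
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# pick_sig_file DIR PRODUCT VERSION: print the detached signature to verify.
# Prefer the plain .sig name; otherwise accept a key-ID-suffixed one such as
# SHA256SUMS.72D7468F.sig (the form vault 1.7.1 shipped with). Return 1 when
# neither exists so the caller fails closed instead of skipping the check.
pick_sig_file() {
  base="$1/$2_$3_SHA256SUMS"
  if [ -f "$base.sig" ]; then
    printf '%s\n' "$base.sig"
    return 0
  fi
  for f in "$base".*.sig; do
    if [ -f "$f" ]; then
      printf '%s\n' "$f"
      return 0
    fi
  done
  echo "no signature file found for $base" >&2
  return 1
}

# verify_sums_signature SIG SUMS GNUPGHOME: verify the detached signature on
# the SHA256SUMS file against an isolated keyring that already holds the vendor
# key. Needs gpg, so the offline fixture below does not exercise it.
verify_sums_signature() {
  gpg --batch --homedir "$3" --verify "$1" "$2" >/dev/null 2>&1
}

# verify_archive DIR PRODUCT VERSION ARCHIVE: compare ARCHIVE's digest with its
# entry in the (already signature-checked) SHA256SUMS file. Missing entry or
# digest mismatch both return 1.
verify_archive() {
  sums="$1/$2_$3_SHA256SUMS"
  expected=$(awk -v f="$4" '$2 == f { print $1 }' "$sums")
  [ -n "$expected" ] || { echo "no checksum entry for $4" >&2; return 1; }
  actual=$(hash_file "$1/$4")
  [ "$actual" = "$expected" ]
}

# make_fixture: build a constructed stand-in release directory reproducing the
# naming mismatch from the thread (1.7.1 key-ID-suffixed, 1.7.2 plain .sig)
# and print its path. The .sig files are empty placeholders, not signatures.
make_fixture() {
  d=$(mktemp -d)
  for v in 1.7.1 1.7.2; do
    printf 'placeholder archive for vault %s\n' "$v" > "$d/vault_${v}_linux_amd64.zip"
    # SHA256SUMS uses the "<hex>  <name>" layout that sha256sum emits
    printf '%s  vault_%s_linux_amd64.zip\n' \
      "$(hash_file "$d/vault_${v}_linux_amd64.zip")" "$v" > "$d/vault_${v}_SHA256SUMS"
  done
  : > "$d/vault_1.7.1_SHA256SUMS.72D7468F.sig"
  : > "$d/vault_1.7.2_SHA256SUMS.sig"
  printf '%s\n' "$d"
}

# Demonstration on the constructed fixture: pick the signature file for each
# version, then check the archive against the checksum list.
dir=$(make_fixture)
for v in 1.7.1 1.7.2; do
  sig=$(pick_sig_file "$dir" vault "$v") && echo "$v: signature file ${sig##*/}"
  verify_archive "$dir" vault "$v" "vault_${v}_linux_amd64.zip" && echo "$v: checksum OK"
done
```

In a real install the order matters: run verify_sums_signature on the file pick_sig_file returns before trusting anything in SHA256SUMS, and treat a missing signature (the 1.7.2+ent case, where artifacts were still being generated) as a failed install, not as a reason to fall back to an unverified download.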