hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io

Linux repositories GPG key mismatch #32565

Closed brunston closed 1 year ago

brunston commented 1 year ago

Terraform Version

Terraform v1.3.6
on linux_amd64

Your version of Terraform is out of date! The latest version
is 1.3.7. You can update by downloading from https://www.terraform.io/downloads.html

Affected Pages

https://www.hashicorp.com/security
https://developer.hashicorp.com/terraform/tutorials/docker-get-started/install-cli
https://www.hashicorp.com/official-packaging-guide

What is the docs issue?

I was trying to install Terraform on Ubuntu with the official instructions [0].

When trying to verify HashiCorp's GPG signing key I see this command

  gpg --no-default-keyring \
      --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg \
      --fingerprint

should have the expected output of

  /usr/share/keyrings/hashicorp-archive-keyring.gpg
  -------------------------------------------------
  pub   rsa4096 2020-05-07 [SC]
        E8A0 32E0 94D8 EB4E A189  D270 DA41 8C88 A321 9F7B
  uid           [ unknown] HashiCorp Security (HashiCorp Package Signing) <security+packaging@hashicorp.com>
  sub   rsa4096 2020-05-07 [E]

as of the writing of this issue. This also matches HashiCorp's Security page [1] under the heading Linux Package Checksum Verification.

However, I see a new key created 2023-01-10 instead:

  /usr/share/keyrings/hashicorp-archive-keyring.gpg
  -------------------------------------------------
  pub   rsa4096 2023-01-10 [SC] [expires: 2028-01-09]
        798A EC65 4E5C 1542 8C8E  42EE AA16 FCBC A621 E701
  uid           [ unknown] HashiCorp Security (HashiCorp Package Signing) <security+packaging@hashicorp.com>
  sub   rsa4096 2023-01-10 [S] [expires: 2028-01-09]

I assume this change is related to the response to the CircleCI incident [2], but the documentation has not been updated to reflect the new keys?

Proposal

GPG key needs to be updated.

References

No response

SF100BLVD commented 1 year ago

This seems to be causing Terraform installs on Amazon Linux to fail.

Getting this error as of the last couple of hours (was working up until then):

  Public key for terraform-1.3.7-1.x86_64.rpm is not installed
  terraform-1.3.7-1.x86_64.rpm | 13 MB 00:00:00
  Retrieving key from https://rpm.releases.hashicorp.com/gpg

  Invalid GPG Key from https://rpm.releases.hashicorp.com/gpg: No key found in given key data

desilinguist commented 1 year ago

We are experiencing exact same issue on our EC2 instances as well.

Egr711 commented 1 year ago

Getting the same issue on docker centos:7 image.

mdeggies commented 1 year ago

Thanks for the reports. Please follow https://status.hashicorp.com/incidents/5zxyf7fyzq91 for updates

brunston commented 1 year ago

> Thanks for the reports. Please follow https://status.hashicorp.com/incidents/5zxyf7fyzq91 for updates

@mdeggies please note this is also affecting Ubuntu apt repositories for Terraform, not just rpm, as anyone comparing fingerprints with the documentation will see a mismatch.

mdeggies commented 1 year ago

Thanks @brunston - I've updated all known references to the old key's fingerprint in the documentation: the official packaging guide, the security page, https://developer.hashicorp.com/terraform/tutorials/docker-get-started/install-cli, etc. Let me know if you find any other stragglers.

ijc commented 1 year ago

@mdeggies I see the old fingerprint at https://developer.hashicorp.com/terraform/cli/install/apt still

stackthecat commented 1 year ago

Hi everyone,

It's not fixed for APT repositories. The key is still invalid and we can't download packages (except with the --allow-unauthenticated option for apt).

Thanks
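The fingerprint comparison brunston describes above is the check that caught this rotation, and the `--allow-unauthenticated` workaround mentioned in the previous comment is the thing that check is meant to make unnecessary. The script below is an added example (editor's code, not from this issue, HashiCorp, or the Terraform project) of doing that comparison in an install script so it fails closed: the keyring's primary-key fingerprint is extracted from `gpg --with-colons --fingerprint` output and must match a pinned allowlist. The two allowlisted fingerprints are the ones quoted in this issue; the gpg listings it parses are constructed sample data, not real captures, and the "unknown" key is invented to show the rejection path.

```shell
#!/bin/sh
# Added example (not from the issue or HashiCorp): pin the package-signing key
# fingerprint in an install script and fail closed if the keyring does not match.
# The two allowlisted fingerprints are the ones quoted in this issue; every
# other value below (record fields, the "unknown" key) is constructed sample data.
set -eu

# Allowlist: the 2020 key the docs listed and the 2023-01-10 key that replaced
# it. Keeping both lets installs keep working across a rotation without
# disabling verification (--allow-unauthenticated / --nogpgcheck).
ALLOWED_FPRS="E8A032E094D8EB4EA189D270DA418C88A3219F7B 798AEC654E5C15428C8E42EEAA16FCBCA621E701"

# Print the fingerprint of every primary key in a file holding
# `gpg --with-colons --fingerprint` output. In that format the "fpr" record
# that follows a "pub" record carries the primary fingerprint in field 10;
# "fpr" records that follow "sub" records are subkeys and are skipped.
primary_fingerprints() {
  awk -F: '
    $1 == "pub"         { want = 1; next }
    $1 == "fpr" && want { print $10; want = 0; next }
                        { want = 0 }
  ' "$1"
}

# Return 0 only if the listing holds at least one primary key and every one of
# them is pinned in ALLOWED_FPRS; otherwise name the offending fingerprint.
# The uid is deliberately ignored: anyone can create a key with that uid.
keyring_is_trusted() {
  count=0
  for fpr in $(primary_fingerprints "$1"); do
    count=$((count + 1))
    case " $ALLOWED_FPRS " in
      *" $fpr "*) ;;
      *) echo "REJECT: unpinned key $fpr in $1" >&2; return 1 ;;
    esac
  done
  if [ "$count" -eq 0 ]; then
    echo "REJECT: no primary key found in $1" >&2
    return 1
  fi
  echo "OK: $count pinned key(s) in $1"
}

# Constructed sample listings (not real gpg output).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
GOOD_LISTING="$WORK/rotated-key.txt"   # the 2023 key reported in this issue
BAD_LISTING="$WORK/unknown-key.txt"    # same uid, fingerprint nobody pinned

cat > "$GOOD_LISTING" <<'EOF'
tru::1:1673395200:0:3:1:5
pub:-:4096:1:AA16FCBCA621E701:1673308800:1830988800::-:::scSC::::::23::0:
fpr:::::::::798AEC654E5C15428C8E42EEAA16FCBCA621E701:
uid:-::::1673308800::1111111111111111111111111111111111111111::HashiCorp Security (HashiCorp Package Signing) <security+packaging@hashicorp.com>::::::::::0:
sub:-:4096:1:2222222222222222:1673308800:1830988800:::::s::::::23:
fpr:::::::::3333333333333333333333333333333333333333:
EOF

cat > "$BAD_LISTING" <<'EOF'
pub:-:4096:1:0123456789ABCDEF:1673308800:::-:::scSC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1673308800::4444444444444444444444444444444444444444::HashiCorp Security (HashiCorp Package Signing) <security+packaging@hashicorp.com>::::::::::0:
EOF

keyring_is_trusted "$GOOD_LISTING"          # accepted: fingerprint is pinned
keyring_is_trusted "$BAD_LISTING" || true   # rejected: uid matches, fingerprint does not
```

Against a real keyring the listing comes from `gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --with-colons --fingerprint`, run before the apt source line is written; if `keyring_is_trusted` fails, the install stops instead of continuing with an unverified repository. When a rotation like the one in this thread happens, the deliberate act is to add the new fingerprint to the allowlist after confirming it through a second channel (the security page), not to turn verification off.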

crw commented 1 year ago

The documentation fix was not fully deployed at the time this issue was marked closed. It should be live now, with all references pointing back to the official packaging guide. Please let us know if you are still seeing an issue when following these instructions.

github-actions[bot] commented 1 year ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.