tfutils / tfenv

Terraform version manager
MIT License

[hcsec-2021-12] Add hashicorp new pgp public Key #257

Closed Genesys05 closed 3 years ago

Genesys05 commented 3 years ago

HashiCorp has changed its PGP key because the old key has been compromised.

Link: https://discuss.hashicorp.com/t/hcsec-2021-12-codecov-security-event-and-hashicorp-gpg-key-exposure/23512

This PR is important because tfenv does not work with "gpgv verification" enabled on Terraform releases since 26/04/21.

No breaking change: the new "hashicorp-keys.pgp" file contains the old key (old releases are signed with this key) and the new key (new releases since 26/04/21 are signed with this key).

Commands used:

$ cat hashicorp-keys_old.asc > hashicorp-keys_combined.asc          # armored old key
$ cat hashicorp-keys_new.asc >> hashicorp-keys_combined.asc         # append armored new key
$ gpg --dearmor -o hashicorp-keys.pgp hashicorp-keys_combined.asc   # binary keyring consumed by gpgv

Old hashicorp-keys.pgp file:

$ gpg hashicorp-keys.pgp

pub   rsa2048 2014-02-26 [SC]
      91A6E7F85D05C65630BEF18951852D87348FFC4C
uid           HashiCorp Security <security@hashicorp.com>
sub   rsa2048 2014-02-26 [E]

New hashicorp-keys.pgp file:

$ gpg hashicorp-keys.pgp

pub   rsa2048 2014-02-26 [SC]
      91A6E7F85D05C65630BEF18951852D87348FFC4C
uid           HashiCorp Security <security@hashicorp.com>
sub   rsa2048 2014-02-26 [E] [expires: 2024-03-25]
pub   rsa4096 2021-04-19 [SC] [expires: 2026-04-18]
      C874011F0AB405110D02105534365D9472D7468F
uid           HashiCorp Security (hashicorp.com/security) <security@hashicorp.com>
sub   rsa4096 2021-04-19 [E] [expires: 2026-04-18]
sub   rsa4096 2021-04-19 [S] [expires: 2022-04-20]
sub   rsa4096 2021-04-21 [S] [expires: 2026-04-20]

Issues referenced and fixed by this PR

don-code commented 3 years ago

Devil's advocate: should we not also actively distrust (and remove from the bundle) the current key, where HashiCorp says that all of the existing binaries have been re-signed? We know the old key can now be used to sign releases, and while they say there's no sign that this was done, it might be a defense-in-depth strategy to no longer validate said key.
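A way to check, without depending on a local gpg, which primary keys a bundle like hashicorp-keys.pgp actually trusts, and to express the keep-both or distrust-the-old-key choice raised in this comment as an allowlist. This is an added example, not code from tfenv or from this PR: it parses the RFC 4880 packets of a dearmored keyring, computes v4 fingerprints and compares them with the allowlist. The two HashiCorp fingerprints are the ones quoted in the PR description; everything else (the example.com user IDs, the fake RSA moduli, the sample keyring) is constructed and is not real key material.

```python
import struct, sys
from datetime import datetime, timezone
from hashlib import sha1

TAG_PUBLIC_KEY, TAG_USER_ID = 6, 13  # RFC 4880 section 4.3 packet tags used here; others are skipped
# Primary-key fingerprints quoted in the PR description above (2014 key and 2021 key).
HASHICORP_OLD = "91A6E7F85D05C65630BEF18951852D87348FFC4C"
HASHICORP_NEW = "C874011F0AB405110D02105534365D9472D7468F"

def iter_packets(data: bytes):
    """Yield (tag, body) for each RFC 4880 packet; handles old- and new-format headers."""
    pos = 0
    while pos < len(data):
        ctb, pos = data[pos], pos + 1
        if not ctb & 0x80:
            raise ValueError(f"not an OpenPGP packet header at offset {pos - 1}")
        if ctb & 0x40:  # new format: tag in the low 6 bits, then a 1-, 2- or 5-byte length
            tag, first = ctb & 0x3F, data[pos]
            if first < 192:
                length, pos = first, pos + 1
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif first == 255:
                length, pos = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
            else:
                raise ValueError("partial body lengths do not occur in keyrings")
        else:  # old format (what gpg exports for keys): tag in bits 2-5, length size in the low 2 bits
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length not supported")
            size = (1, 2, 4)[ltype]
            length, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
        body, pos = data[pos:pos + length], pos + length
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body

def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the two-byte body length and the key body."""
    if body[0] != 4:
        raise ValueError("only version 4 keys are supported")
    return sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def describe_key(body: bytes) -> dict:
    created = datetime.fromtimestamp(struct.unpack(">I", body[1:5])[0], timezone.utc).date()
    algo = body[5]  # 1-3 are the RSA variants, whose first MPI is the modulus n
    bits = struct.unpack(">H", body[6:8])[0] if algo in (1, 2, 3) else None
    return {"fingerprint": v4_fingerprint(body), "created": created.isoformat(),
            "algo": algo, "bits": bits, "uids": []}

def list_keys(keyring: bytes) -> list:
    """Primary keys with their user IDs; subkey and signature packets are skipped."""
    keys = []
    for tag, body in iter_packets(keyring):
        if tag == TAG_PUBLIC_KEY:
            keys.append(describe_key(body))
        elif tag == TAG_USER_ID and keys:
            keys[-1]["uids"].append(body.decode("utf-8", "replace"))
    return keys

def audit_keyring(keyring: bytes, trusted: set) -> tuple:
    """Return (unexpected, missing): primary keys present but not allowlisted, and vice versa."""
    present = {k["fingerprint"] for k in list_keys(keyring)}
    return sorted(present - trusted), sorted(trusted - present)

# --- constructed sample keyring with fake RSA moduli; NOT real HashiCorp key material ---
def _mpi(value: int) -> bytes:
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")

def _packet(tag: int, body: bytes) -> bytes:  # new-format header with a 1- or 2-byte length
    n = len(body)
    return (bytes([0xC0 | tag, n]) if n < 192
            else bytes([0xC0 | tag, ((n - 192) >> 8) + 192, (n - 192) & 0xFF])) + body

def _fake_rsa_key(created: int, bits: int, seed: int) -> bytes:
    n = (1 << (bits - 1)) | (seed * 0x9E3779B97F4A7C15) | 1  # deterministic filler, exactly `bits` bits
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + _mpi(n) + _mpi(65537)

OLD_KEY = _fake_rsa_key(1393372800, 2048, 1)  # created 2014-02-26 UTC, standing in for the old key
NEW_KEY = _fake_rsa_key(1618790400, 4096, 2)  # created 2021-04-19 UTC, standing in for the new key
SAMPLE_KEYRING = (
    _packet(TAG_PUBLIC_KEY, OLD_KEY)
    + _packet(TAG_USER_ID, b"Example Security (constructed, 2014) <security@example.com>")
    + _packet(14, _fake_rsa_key(1393372800, 2048, 3))  # public-subkey packet; list_keys skips it
    + _packet(TAG_PUBLIC_KEY, NEW_KEY)
    + _packet(TAG_USER_ID, b"Example Security (constructed, 2021) <security@example.com>")
)

def main(argv):
    # A path argument audits that keyring against the PR's fingerprints; with none, the constructed
    # sample is used and its own fingerprints play the roles of old and new key.
    if len(argv) > 1:
        with open(argv[1], "rb") as f:
            keyring, old, new = f.read(), HASHICORP_OLD, HASHICORP_NEW
    else:
        keyring, old, new = SAMPLE_KEYRING, v4_fingerprint(OLD_KEY), v4_fingerprint(NEW_KEY)
    for k in list_keys(keyring):
        print(f"{k['fingerprint']} algo={k['algo']} bits={k['bits']} created={k['created']} uids={k['uids']}")
    print("policy A, keep both keys:   (unexpected, missing) =", audit_keyring(keyring, {old, new}))
    print("policy B, distrust old key: (unexpected, missing) =", audit_keyring(keyring, {new}))

if __name__ == "__main__":
    main(sys.argv)
```

Run as `python3 audit_keyring.py path/to/hashicorp-keys.pgp` (file name and path are placeholders) to audit a real bundle; with no argument it runs on the constructed sample, where policy B reports the 2014-era key as unexpected, which is the condition a CI check would fail on if the project decided to drop the old key from the bundle.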

Genesys05 commented 3 years ago

> Devil's advocate: should we not also actively distrust (and remove from the bundle) the current key, where HashiCorp says that all of the existing binaries have been re-signed? We know the old key can now be used to sign releases, and while they say there's no sign that this was done, it might be a defense-in-depth strategy to no longer validate said key.

I totally agree with you.

HashiCorp has re-signed only the last release of each branch:

I have added this key and not removed the old key to avoid a breaking change in "tfenv" usage, but I can change that.

In the security bulletin we have this section:

> What was the timeline?
>
> HashiCorp rotated and revoked the exposed GPG key, re-signed the majority of existing product releases with the new GPG key, and published a public security bulletin on April 22, 2021.
>
> HashiCorp released updated Terraform binaries with updated GPG keys on April 26, 2021.

I think that we have two solutions: