HCSEC-2022-11 - HashiCorp GPG Signing Subkey Change

Bulletin ID: HCSEC-2022-11
Publication Date: April 18, 2022

Summary
The GPG subkey currently used for HashiCorp product release signing and verification expires on Tuesday, April 19, 2022, and release signing will be done with another GPG subkey going forward.

This bulletin is for informational purposes only. HashiCorp-published signatures can be verified using the same public key as previously, and there should be no external action required.

Details
HashiCorp uses GPG for signing hashes used to validate HashiCorp product downloads (SHA256SUM files, as available from https://releases.hashicorp.com and documented at Security at HashiCorp).

In 2021, as part of our response to the Codecov security event, we moved to a new primary HashiCorp GPG keypair, as published at https://www.hashicorp.com/security#pgp-public-keys. At that time we began signing releases with an interim signing subkey (ID 7685B676) associated with that keypair.

As planned in 2021, we are now moving from the interim signing subkey to a long-term signing subkey (ID CD27AB87), which was also generated at that time. Releases will be signed with the new subkey going forward. Existing releases have been validated and re-signed with the new subkey.

Signatures can be verified using the same public key as previously, and there should be no external action required.
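The reason no external action is required is that a signing subkey rotation does not change the primary key that verifiers hold: gpg validates the signature against the subkey and reports which primary key that subkey belongs to. The following is an added example, not HashiCorp's own tooling, of a verifier that makes that relationship explicit by pinning the primary-key fingerprint rather than trusting gpg's exit code alone. It assumes gpg is on the path, uses a placeholder value for EXPECTED_PRIMARY_FPR (the real fingerprint is published on the HashiCorp security page, not in this bulletin), and the sample status lines, the 1111... fingerprint prefix and the user ID in them are constructed for illustration; only the subkey short ID CD27AB87 comes from the bulletin.

```python
"""Added example: verify a release's SHA256SUMS signature and pin the primary key.

Not HashiCorp's own tooling. Runs `gpg --status-fd 1 --verify` and, instead of
trusting the exit code alone, checks the VALIDSIG status line: the signature
must be valid AND the primary-key fingerprint it reports must equal a pinned
value. Because the interim (7685B676) and long-term (CD27AB87) subkeys hang
off the same primary key, the rotation in this bulletin passes unchanged.
"""
import hashlib
import subprocess
from dataclasses import dataclass

# Placeholder only: substitute the fingerprint published at
# https://www.hashicorp.com/security#pgp-public-keys before real use.
EXPECTED_PRIMARY_FPR = "0000000000000000000000000000000000000000"

# Status tags that mean "do not accept this signature", whatever else gpg prints.
FATAL_TAGS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


@dataclass
class Verdict:
    ok: bool
    reason: str
    signing_key_fpr: str = ""   # fingerprint of the (sub)key that made the signature
    primary_fpr: str = ""       # fingerprint of the primary key that subkey belongs to


def judge_status(status_text: str, expected_primary_fpr: str) -> Verdict:
    """Decide from gpg's machine-readable status lines whether to accept a signature."""
    signing = primary = ""
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag in FATAL_TAGS:
            return Verdict(False, f"gpg reported {tag}")
        if tag == "VALIDSIG":
            # VALIDSIG <sig-key-fpr> <date> <ts> <expire-ts> <ver> <reserved>
            #          <pk-algo> <hash-algo> <sig-class> [<primary-key-fpr>]
            signing = fields[2]
            primary = fields[11] if len(fields) >= 12 else ""
    if not signing:
        return Verdict(False, "no VALIDSIG line: gpg did not validate the signature")
    if primary.upper() != expected_primary_fpr.upper():
        return Verdict(False, "valid signature, but not under the pinned primary key", signing, primary)
    return Verdict(True, "valid signature under the pinned primary key", signing, primary)


def verify_sums_signature(sums_path: str, sig_path: str, gpg: str = "gpg") -> Verdict:
    """Run gpg on a SHA256SUMS file and its detached .sig, then apply judge_status."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", sig_path, sums_path],
        capture_output=True, text=True, check=False,
    )
    return judge_status(proc.stdout, EXPECTED_PRIMARY_FPR)


def sha256_matches(sums_text: str, artifact_name: str, artifact_bytes: bytes) -> bool:
    """Check one artifact against the `<hex>  <filename>` lines of a SHA256SUMS file."""
    digest = hashlib.sha256(artifact_bytes).hexdigest()
    for line in sums_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1] == artifact_name:
            return parts[0].lower() == digest
    return False  # artifact not listed at all


# Constructed sample status output (not captured from a real gpg run): a valid
# signature from a subkey whose short ID is CD27AB87, under the placeholder primary.
SAMPLE_STATUS_OK = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 11111111CD27AB87 Example Signer (constructed user ID)
[GNUPG:] VALIDSIG 11111111111111111111111111111111CD27AB87 2022-04-18 1650240000 0 4 0 1 10 00 {EXPECTED_PRIMARY_FPR}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed sample of a failed verification.
SAMPLE_STATUS_BAD = """[GNUPG:] NEWSIG
[GNUPG:] BADSIG 11111111CD27AB87 Example Signer (constructed user ID)
"""


if __name__ == "__main__":
    print(judge_status(SAMPLE_STATUS_OK, EXPECTED_PRIMARY_FPR))
    print(judge_status(SAMPLE_STATUS_OK, "F" * 40))
    print(judge_status(SAMPLE_STATUS_BAD, EXPECTED_PRIMARY_FPR))
```

Two points the code makes that a bare `gpg --verify` does not: gpg exits 0 for a valid signature from any key present in the keyring, so without pinning the primary fingerprint a verifier accepts whatever keys have accumulated there; and the pin should be the full 40-hex fingerprint, not an 8-hex short ID like the ones quoted in this bulletin, which identify keys for humans but are too short to pin against. EXPKEYSIG is in the fatal set because that is what gpg reports for a signature made by a subkey that has since expired, which is why re-signing existing releases with the new subkey, as described above, matters for anyone re-verifying old downloads after April 19.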

Note that this change only affects HashiCorp’s SHA256SUM signing mechanism. macOS code signing / notarization, Windows Authenticode signing, and Linux package signing are unaffected.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see Security at HashiCorp.