HCSEC-2023-01 - HashiCorp Response to CircleCI Security Alert

HashiCorp has finished analyzing the subset of its repositories that were integrated with CircleCI and has created and executed a proactive secrets rotation plan covering the period starting from the time CircleCI notified customers of their security incident. We have not identified any unauthorized access to, or modification of, HashiCorp systems and software over the time period in question, but we continue to monitor them.

We are taking a very conservative approach and have rotated every secret that was stored in or connected to CircleCI. This includes proactive rotation of the following signing keys, which HashiCorp uses to sign or notarize packages and package metadata so that customers can verify the packages they receive are trustworthy:

  • Linux Packaging GPG Key
    • Rotation scheduled on 1/23/2023
    • Revocation scheduled on 4/24/2023
  • Windows Code Signing Key
    • Revoked on 1/5/2023
    • New key acquired, as the old key was due to expire on 1/20/2023
  • Apple Notarization Developer Certificate
    • Rotation scheduled on 1/23/2023
    • Revocation scheduled on 4/24/2023

Frequently Asked Questions

Has any HashiCorp customer data been disclosed?

There is no evidence of HashiCorp customer data disclosure at this point in time.

Was HashiCorp source code and/or binaries maliciously modified?

There is no evidence of malicious modification to HashiCorp code or binaries at this point in time.

What happens when the keys mentioned above are revoked?

Linux Packaging GPG Key - Linux systems that trust only the revoked key will fail signature verification on packages and repository metadata signed with the new key, and so will not be able to install or update HashiCorp's Linux packages (.deb or .rpm). Users will need to import the new key, which is published under the Linux Packaging section of our Security page here: Security at HashiCorp.
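The re-trust step for the Linux Packaging key, written out as an added example (this is not HashiCorp's own tooling and is not part of the bulletin): it downloads the new key from the documented apt and rpm key URLs, refuses to install it unless the primary key fingerprint matches the one published on the Security page, pins the apt repository to a dedicated keyring with `signed-by`, and imports the key into the rpm database. The key URLs, keyring path and source-list path are taken from HashiCorp's published install instructions; `HC_EXPECTED_FPR` and `HC_ROTATE_RUN` are variables assumed for this script, and the fingerprint is deliberately not hard-coded so the operator must copy it from the Security page.

```shell
#!/bin/sh
# Added example, not HashiCorp's own tooling: re-trust the rotated Linux
# Packaging GPG key on apt- and rpm-based systems, refusing to install the
# downloaded key unless its primary fingerprint matches the value published
# under "Linux Packaging" on the HashiCorp Security page. Assumptions: the key
# URLs and keyring path follow HashiCorp's published install instructions, and
# the operator sets HC_EXPECTED_FPR to the published fingerprint (none is
# hard-coded here, so the script cannot silently trust the wrong key).

HC_APT_KEY_URL="https://apt.releases.hashicorp.com/gpg"
HC_RPM_KEY_URL="https://rpm.releases.hashicorp.com/gpg"
HC_KEYRING="/usr/share/keyrings/hashicorp-archive-keyring.gpg"
HC_APT_LIST="/etc/apt/sources.list.d/hashicorp.list"

# Normalize a fingerprint for comparison: drop spaces, upper-case the hex.
hc_norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Compare two fingerprints after normalization; exit status 0 on match.
hc_fpr_matches() {
    [ "$(hc_norm_fpr "$1")" = "$(hc_norm_fpr "$2")" ]
}

# Read `gpg --with-colons` records on stdin and print the PRIMARY key's
# fingerprint: the first "fpr" record after a "pub" record (field 10). Later
# "fpr" records belong to subkeys and must not drive the trust decision.
hc_primary_fpr() {
    awk -F: '$1 == "pub" { p = 1; next } $1 == "fpr" && p { print $10; exit }'
}

# apt source line pinning the HashiCorp repo to the new keyring via signed-by,
# so the key is trusted for this repo only (not system-wide as with apt-key).
# $1 = keyring path, $2 = distribution codename (e.g. "$(lsb_release -cs)")
hc_apt_source_line() {
    printf 'deb [signed-by=%s] https://apt.releases.hashicorp.com %s main\n' "$1" "$2"
}

# Download an armored key to $3 only if its primary fingerprint equals $2.
hc_download_verified_key() {
    url="$1"; expected="$2"; dest="$3"
    tmp="$(mktemp)"
    curl -fsSL "$url" -o "$tmp"
    actual="$(gpg --with-colons --with-fingerprint --show-keys "$tmp" | hc_primary_fpr)"
    if ! hc_fpr_matches "$expected" "$actual"; then
        echo "refusing key from $url: fingerprint $actual != expected $expected" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$dest"
}

# Debian/Ubuntu: install the verified key as a dedicated keyring and rewrite
# the source entry. If the OLD key was ever added with `apt-key add`, remove it
# too (`apt-key list` shows its ID; `apt-key del <ID>`), otherwise packages
# signed with the revoked key stay installable system-wide.
hc_rotate_apt() {
    expected="$1"; codename="$2"
    armored="$(mktemp)"
    hc_download_verified_key "$HC_APT_KEY_URL" "$expected" "$armored" || return 1
    gpg --dearmor < "$armored" > "$HC_KEYRING"
    rm -f "$armored"
    hc_apt_source_line "$HC_KEYRING" "$codename" > "$HC_APT_LIST"
    apt-get update
}

# RHEL/Fedora/Amazon Linux: import the verified key into the rpm database.
# List imported keys with
#   rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SUMMARY}\n'
# and remove the old one with `rpm -e gpg-pubkey-<version>-<release>`.
hc_rotate_rpm() {
    expected="$1"
    armored="$(mktemp)"
    hc_download_verified_key "$HC_RPM_KEY_URL" "$expected" "$armored" || return 1
    rpm --import "$armored"
    rm -f "$armored"
}

# Run as root: HC_ROTATE_RUN=1 HC_EXPECTED_FPR=<fingerprint from Security page> sh rotate.sh
if [ "${HC_ROTATE_RUN:-0}" = "1" ]; then
    : "${HC_EXPECTED_FPR:?set HC_EXPECTED_FPR to the fingerprint on the Security page}"
    if command -v apt-get >/dev/null 2>&1; then
        hc_rotate_apt "$HC_EXPECTED_FPR" "$(lsb_release -cs)"
    elif command -v rpm >/dev/null 2>&1; then
        hc_rotate_rpm "$HC_EXPECTED_FPR"
    else
        echo "no apt-get or rpm found" >&2
        exit 1
    fi
fi
```

The fingerprint check is the point of the script: an attacker who could tamper with the key download would otherwise be handed a new trust anchor by the very procedure meant to replace a compromised one. Comparing against the value on the Security page (served from a different host than the key itself) is the cross-check; removing the old key from `apt-key` or the rpm database is what actually withdraws trust, since neither apt nor rpm fetches key revocations on its own.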

Windows Code Signing Key - Windows binaries and installers signed with the revoked key will continue to work because HashiCorp uses the secure signing timestamp option when signing binaries and installers. The countersignature from the timestamp authority proves when each signature was made, so Windows can compare that signing time against the key's revocation date and continue to accept signatures made before it (this relies on the revocation's effective date being later than the signing timestamps; a revocation backdated to a compromise date would invalidate any signature timestamped after that date). All new Windows binaries and installers will be signed with the new HashiCorp code signing key going forward.

Apple Notarization Developer Certificate - Once we proactively revoke our Apple Developer certificate, all HashiCorp software built for Apple devices and signed with that certificate will stop working on its next execution. For this reason we are waiting 90 days before revoking the certificate, to give users time to download the newly signed binaries from our trusted release channel, https://releases.hashicorp.com.