HCSEC-2026-03 - HashiCorp GPG Key (72D7468F) Update

mickael · March 12, 2026, 6:09pm

Bulletin ID: HCSEC-2026-03
Publication Date: March 12, 2026

Summary
This bulletin is for informational purposes only. HashiCorp published signatures can be verified using the same public key as previously, and there should be no external action required.

The GPG key for security@hashicorp.com (C874011F0AB405110D02105534365D9472D7468F), used to sign binaries on releases.hashicorp.com, is set to expire on April 18th, 2026. The key has been updated to expire on March 1st, 2030. The latest version of the public key can also be obtained here.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.

Topic		Replies	Views
HCSEC-2022-11 - HashiCorp GPG Signing Subkey Change Security	0	4499	April 18, 2022
HCSEC-2021-12 - Codecov Security Event and HashiCorp GPG Key Exposure Security security-nomad , security-consul , security-vault , security-terraform	2	67163	May 4, 2021
HCSEC-2023-01 - HashiCorp Response to CircleCI Security Alert Security	3	14385	April 24, 2023
Impact of GPG Key Exposure (HCSEC-2021-12) on Terraform Cloud, Terraform Enterprise, & plugin use HCP Terraform	2	2316	April 27, 2021
Failed to publish provider to registry: "SHASUM signature failed verification: Invalid signature" Terraform	13	551	December 22, 2025

HCSEC-2026-03 - HashiCorp GPG Key (72D7468F) Update

Related topics