Impact of GPG Key Exposure (HCSEC-2021-12) on Terraform Cloud, Terraform Enterprise, & plugin use

Hello,

How does the GPG Key Exposure event (HCSEC-2021-12) affect Terraform Cloud, Terraform Enterprise, and their users? Are they now verifying Terraform plugins with the new HashiCorp key?

Thank you,
-Scott Corzine-

codesign --verify -d --verbose=2 terraform-provider-aws_v3.37.0_x5
code object is not signed at all

How can we validate Terraform providers' signatures?

1 Like

We’re publishing Terraform-specific details related to the security bulletin over on this topic. Right now it has basic information about the updated Terraform CLI releases, but it will be updated with more detailed information about Terraform Cloud and Terraform Enterprise.

Each existing Terraform provider’s release is published with dual GPG signatures - one for the old key and one for the new key. You can verify the signature with the new key by checking the signature in the file that ends in SHA256SUMS.72D7468F.sig using the instructions and key published on our security page.

1 Like
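The check described in the reply above, as an added example that is not part of the original thread or HashiCorp's own tooling: verify the detached signature over the SHA256SUMS file against a pinned key fingerprint, then compare the downloaded release archive with the checksum listed for it. The function names, the file names in the usage comment and the fingerprint argument are assumptions; take the fingerprint from the security page.

```shell
# Added example. File names in the usage comment and the fingerprint argument are
# assumptions; copy the real fingerprint from HashiCorp's security page.

# Reads `gpg --status-fd` output on stdin. Succeeds only when gpg reported GOODSIG
# (good signature, key neither expired nor revoked) and the VALIDSIG line names
# the pinned fingerprint as signing key or as primary key.
validsig_matches() {
  _want=$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
  [ -n "$_want" ] || return 1
  awk -v want="$_want" '
    $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
    # Appending "" forces a string comparison, never a numeric one.
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
      (($3 "") == (want "") || ($NF "") == (want "")) { pinned = 1 }
    END { exit !(good && pinned) }'
}

# Step 1: the SHA256SUMS file must carry a good signature from the pinned key.
verify_sums_signature() {   # args: SHA256SUMS, detached .sig, fingerprint
  gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | validsig_matches "$3"
}

# Step 2: the archive must hash to the value listed under its own file name.
checksum_matches() {        # args: SHA256SUMS, archive path
  _name=$(basename "$2")
  _listed=$(awk -v n="$_name" '$2 == n { print $1; exit }' "$1")
  [ -n "$_listed" ] || return 1   # archive not listed: fail closed
  if command -v sha256sum >/dev/null 2>&1; then
    _actual=$(sha256sum "$2" | awk '{ print $1 }')
  else
    _actual=$(shasum -a 256 "$2" | awk '{ print $1 }')
  fi
  [ "$_actual" = "$_listed" ]
}

verify_provider() {         # args: SHA256SUMS, .sig, archive, fingerprint
  verify_sums_signature "$1" "$2" "$4" && checksum_matches "$1" "$3"
}

# Usage (assumed file names):
#   verify_provider terraform-provider-aws_3.37.0_SHA256SUMS \
#     terraform-provider-aws_3.37.0_SHA256SUMS.72D7468F.sig \
#     terraform-provider-aws_3.37.0_linux_amd64.zip "<FINGERPRINT FROM SECURITY PAGE>"
```

The signature covers the SHA256SUMS file and the checksums cover the release archives, so the check is run on the downloaded archive before it is unpacked.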