HashiCorp has rotated its release signing key as a part of HCSEC-2021-12.
Terraform automatically downloads provider binaries during the terraform init
operation and performs signature verification automatically during this process.
To preserve functionality for existing releases of Terraform and its providers, new signatures have been published with a different file extension _SHA256SUM.72D7468F.sig
, leaving the existing signatures in place for the time being.
The following updated releases are now out for Terraform which verify providers using the rotated key:
Commonly asked questions
What is the impact of the incident?
A detailed description of the impact has been posted on the main security bulletin article here.
How does this incident impact the Terraform ecosystem?
There is no evidence of malicious modification to HashiCorp code or binaries, including Terraform official providers, at this point in time.
The GPG key used for release signing and verification has been rotated. New releases of Terraform use this updated key for verifying official providers, and official provider releases will be signed with this key going forwards. Specific guidance, dependent on a range of environment-specific scenarios, is below.
What should I do as a Terraform 0.X user?
HashiCorp has taken steps to ensure that existing workflows will not break on existing releases of providers.
The recommended corrective steps depend on the version of Terraform you’re using and whether you are pinning your provider versions. See the following table for details:
Current Version | Using Pinned Providers? | Impact | Recommendation |
---|---|---|---|
0.11.0 - 0.11.14 | Y | Terraform should function as it did previously; however, you should update to get the new GPG key before upgrading any providers. | Upgrade to 0.11.15. |
0.11.0 - 0.11.14 | N | Terraform may fail GPG checks with errors as new providers are released. | Upgrade to 0.11.15. Pin providers if upgrading is unfeasible. |
0.12.0 - 0.12.30 | Y | Terraform should function as it did previously; however, you should update to get the new GPG key before upgrading any providers. | Upgrade to 0.12.31. |
0.12.0 - 0.12.30 | N | Terraform may fail GPG checks with errors as new providers are released. | Upgrade to 0.12.31. Pin providers if upgrading is unfeasible. |
0.13.0 - 0.13.6 | Y or N | Terraform should function as it did previously. Official providers will begin showing as (self-signed, key ID 34365D9472D7468F) in terraform init output. |
Upgrade to 0.13.7, which will remove the message. |
0.14.0 - 0.14.10 | Y or N | Terraform should function as it did previously. Official providers will begin showing as (self-signed, key ID 34365D9472D7468F)
|
Upgrade to 0.14.11, which will remove the message. |
0.15.0 | Y or N | Terraform should function as it did previously. Official providers will begin showing as (self-signed, key ID 34365D9472D7468F)
|
Upgrade to 0.15.1, which will remove the message. |
What should I do as a Terraform Cloud customer?
The new Terraform versions listed above have been released to Terraform Cloud. You should update the Terraform version inside your workspaces to ensure you are running a version that is checking against the new GPG key. If any of your workspaces use Terraform Cloud Agents, you should manually update your running agents to version 0.1.14 or later. Prior versions will continue to operate, but will stop receiving automatic updates.
What should I do as a Terraform Enterprise customer?
Terraform Enterprise customers should add the above versions of Terraform to their installations by following the instructions here. A new release of Terraform Enterprise is forthcoming that will have the updated versions of Terraform preloaded. The Terraform Enterprise installer does not utilize the revoked GPG key and there is no evidence of malicious modification to HashiCorp code or binaries at this point in time.
I see a message (self-signed, key ID 34365D9472D7468F)
in my Terraform output for official providers. What does this mean?
This is expected behavior for certain existing Terraform versions (0.15.0, 0.14.10 and earlier, 0.13.6 and earlier) because the Terraform Registry has started returning signatures from the rotated GPG release key. Upgrade to patch releases that verify against the new key (0.15.1, 0.14.11, 0.13.7) to remove this message from Terraform output.
I see a warning during terraform init
which says “This version of Terraform has an outdated GPG key”. What does this mean?
The Terraform Registry is returning a warning message to Terraform clients version 0.12.1 - 0.12.30:
Warning: registry.terraform.io: This version of Terraform has an outdated GPG key and
is unable to verify new provider releases. Please upgrade Terraform to at least 0.12.31 to
receive new provider updates. For details see:
https://discuss.hashicorp.com/t/hcsec-2021-12-codecov-security-event-and-hashicorp-gpg-key-exposure/23512
This message means that the Registry is omitting provider versions signed by the new GPG key, and your Terraform client will install the last version of each provider that it can successfully verify. Upgrade to 0.12.31 or one of the other maintenance releases listed above to remove this warning.
What should I do as a Terraform Community Provider maintainer?
Given that Community Providers are signed with per-publisher GPG keys that provider authors control, the exposure of HashiCorp’s key does not imply those key need to be rotated.
If you use the TF_ACC_TERRAFORM_VERSION setting to run your provider’s acceptance tests, the SDK will be unable to download Terraform versions signed by our new GPG key. We have released a patch to both SDKv1 and SDKv2 and we advise upgrading your SDK version to the latest patched release in order to continue using this feature.
Assuming you use TF_ACC_TERRAFORM_VERSION for acceptance tests, we recommend the following:
If you are using SDKv1, please upgrade to v1.17.2.
If you are using SDKv2, please upgrade to v2.6.1 or later.
Alternatively, you may download Terraform separately and include its location in either PATH or TF_ACC_TERRAFORM_PATH.