I was trying to install Terraform on Ubuntu with the official instructions [0].
When trying to verify HashiCorp's GPG signing key I see this command
gpg --no-default-keyring \
--keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg \
--fingerprint
should have the expected output of
/usr/share/keyrings/hashicorp-archive-keyring.gpg
-------------------------------------------------
pub rsa4096 2020-05-07 [SC]
E8A0 32E0 94D8 EB4E A189 D270 DA41 8C88 A321 9F7B
uid [ unknown] HashiCorp Security (HashiCorp Package Signing) <security+packaging@hashicorp.com>
sub rsa4096 2020-05-07 [E]
as of the posting of this question. This also matches HashiCorp's Security page [1] under the heading Linux Package Checksum Verification.
However, I see a new key created 2023-01-10 instead:
/usr/share/keyrings/hashicorp-archive-keyring.gpg
-------------------------------------------------
pub rsa4096 2023-01-10 [SC] [expires: 2028-01-09]
798A EC65 4E5C 1542 8C8E 42EE AA16 FCBC A621 E701
uid [ unknown] HashiCorp Security (HashiCorp Package Signing) <security+packaging@hashicorp.com>
sub rsa4096 2023-01-10 [S] [expires: 2028-01-09]
Am I correct in not trusting this key, as until HashiCorp fixes their documentation, this could be a compromised key? I assume it's related to their response to the CircleCI incident [2], but considering that their response links to their security page... don't they need to update their documentation to reflect the rotated key?
[0]: https://developer.hashicorp.com/terraform/tutorials/docker-get-started/install-cli
[1]: https://www.hashicorp.com/security
[2]: https://discuss.hashicorp.com/t/hcsec-2023-01-hashicorp-response-to-circleci-security-alert/48842/2