Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

plugin/discovery: Verify sig against HashiCorp key #20543

Merged
merged 1 commit into from
Mar 4, 2019
Merged

plugin/discovery: Verify sig against HashiCorp key #20543

merged 1 commit into from
Mar 4, 2019

Conversation

justincampbell
Copy link
Contributor

#19389 introduced a change to
the provider GPG signature verification process, and removed the
hardcoded HashiCorp GPG key.

While the changes were intended and are still planned for a future
release, we should still be verifying all providers in the TF 0.12.0
release against the HashiCorp GPG key until a more robust key
verification procedure is in place.

Fixes #20527

@justincampbell
plugin/discovery: Verify sig against HashiCorp key
0574ead 
#19389 introduced a change to
the provider GPG signature verification process, and removed the
hardcoded HashiCorp GPG key.

While the changes were intended and are still planned for a future
release, we should still be verifying all providers in the TF 0.12.0
release against the HashiCorp GPG key until a more robust key
verification procedure is in place.

Fixes #20527
@hashicorp-cla
Copy link

hashicorp-cla commented Mar 1, 2019
edited
Loading

CLA assistant check
All committers have signed the CLA.

apparentlymart
apparentlymart approved these changes Mar 1, 2019
View reviewed changes
Copy link
Contributor

@apparentlymart apparentlymart left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry I didn't catch this sooner ... the CLA bot overtook your avatar in my notifications page 🙄

It looks like you'll need to accept the CLA first, but feel free to merge this when you're ready after that.

@justincampbell justincampbell merged commit e466bc4 into master Mar 4, 2019
@justincampbell justincampbell deleted the hashicorp-signing-key branch March 4, 2019 14:47
@Techcadia Techcadia mentioned this pull request Sep 7, 2019
Closed
@ghost
Copy link

ghost commented Mar 29, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Mar 29, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@apparentlymart apparentlymart apparentlymart approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Registry API is now single point of failure for secure provider distribution
3 participants
@justincampbell @hashicorp-cla @apparentlymart