Skip to main content

Hashicorp Terraform GPG Rotation (CodeCov vulnerability)

Issue

Hashicorp rotated GPG keys due to the CodeCov vulnerability.  As a result, old GPG keys were rendered invalid and Terraformer required updates to available versions to allow for the key rotations, especially on Terraform versions 0.11.x and 0.12.x.   Customers will need to update their Terraform versions for all releases with the updated binaries & GPG keys.  Our latest release of Armory Spinnaker (2.25.0, 2.24.1, 2.23.5) did not have these latest versions as they were only recently released.  They were not available in the Terraformer stage dropdown dropdown list.

``````

Cause

HashiCorp was impacted by a security incident with a third party (Codecov) that led to potential disclosure of sensitive information. As a result, the GPG key used for release signing and verification has been rotated. Customers who verify HashiCorp release signatures may need to update their process to use the new key.To learn more, please see:https://discuss.hashicorp.com/t/hcsec-2021-12-codecov-security-event-and-hashicorp-gpg-key-exposure/23512

AIDA logo
AIDA logo

Harness AIDA Chatbot

AI Development Assistant

Today, March 15, 6:49am

AIDA logo

Accelerate your software delivery with the powerful capabilities of Harness’s Platform.

AIDA logo

How can I help?

Log into your Harness Account to access AIDA