Entire deployment fails because EC2 init script contains revoked PGP public key
Closed this issue · 2 comments
As per HCSEC-2021-12, HashiCorp’s PGP public key has been rotated as of April 22nd, 2021.
HashiCorp's revoked PGP public key (ID 348FFC4C) is embedded in the scripts/functions.sh script and used when the following command runs in order to verify that the signature file has not been tampered with:
```bash
# Verify the signature file is untampered.
gpg --verify /tmp/vault_${VAULT_VERSION}_SHA256SUMS.sig /tmp/vault_${VAULT_VERSION}_SHA256SUMS
```
Because the key has been revoked, the script fails, and the deployment fails as a result with the following CloudFormation status messages:
The following resource(s) failed to create: [VaultServerAutoScalingGroup].
and
Received 2 FAILURE signal(s) out of 3. Unable to satisfy 100% MinSuccessfulInstancesPercent requirement
The PGP public key embedded in the functions.sh script needs to be updated with HashiCorp's new PGP public key:
https://www.hashicorp.com/security
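As an added example (not code from this repository's functions.sh), a pre-flight check that refuses to run `gpg --verify` when the key in the keyring is revoked, expired or missing, so the init script fails with a clear message instead of an opaque CloudFormation FAILURE signal. The function names are assumptions; `gpg --with-colons --list-keys` is the real interface, whose `pub` record carries the key's validity in field 2.

```bash
#!/usr/bin/env bash
# Added example, not the project's own script: check the embedded signing key
# before trusting it to verify a release SHA256SUMS file.
set -eu

# Read `gpg --with-colons --list-keys` output on stdin and print the status of
# the first "pub" record. Field 2 is validity: r = revoked, e = expired,
# anything else (e.g. "-", "f", "u") means the key is still usable.
pgp_key_status() {
  awk -F: '
    $1 == "pub" {
      found = 1
      if ($2 == "r")      print "revoked"
      else if ($2 == "e") print "expired"
      else                print "valid"
      exit
    }
    END { if (!found) print "missing" }'
}

# Verify SHA256SUMS against its detached signature, but only after confirming
# that the key we are about to rely on has not been revoked or expired.
# Usage: verify_release_sums <key-id> <sums-file> <sig-file>
verify_release_sums() {
  key_id="$1"; sums="$2"; sig="$3"
  status="$(gpg --with-colons --list-keys "$key_id" 2>/dev/null | pgp_key_status)"
  if [ "$status" != "valid" ]; then
    echo "refusing to verify: key $key_id is $status; update the embedded PGP key" >&2
    return 1
  fi
  gpg --verify "$sig" "$sums"
}
```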
I have updated the signature. Waiting for the changes to pass CI/CD and promotion to prod and will update here.
Closing since CI/CD tests passed. Merged into main and now synced to public buckets.