aws-quickstart/quickstart-hashicorp-vault

Entire deployment fails because EC2 init script contains revoked PGP public key

Closed this issue · 2 comments

As per HCSEC-2021-12, HashiCorp's PGP public key has been rotated as of April 22nd, 2021.

HashiCorp's revoked PGP public key (ID 348FFC4C) is embedded in the scripts/functions.sh script and used when the following command runs in order to verify that the signature file has not been tampered with:

# Verify the signature file is untampered.
gpg --verify /tmp/vault_${VAULT_VERSION}_SHA256SUMS.sig /tmp/vault_${VAULT_VERSION}_SHA256SUMS

Because the key has been revoked, the script fails, and the deployment fails as a result with the following CloudFormation status messages:

The following resource(s) failed to create: [VaultServerAutoScalingGroup].

and

Received 2 FAILURE signal(s) out of 3. Unable to satisfy 100% MinSuccessfulInstancesPercent requirement

The PGP public key embedded in the functions.sh script needs to be updated with HashiCorp's new PGP public key:
https://www.hashicorp.com/security
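An added example (not code from the quickstart repository or from HashiCorp) of how an init script can make this class of failure explicit rather than surfacing it as a CloudFormation timeout: instead of calling `gpg --verify` bare and trusting its exit status, read gpg's machine-readable status channel (`--status-fd`), pin the fingerprint of the key the release is expected to be signed with, and refuse on the tokens that mean "do not trust this file" (signing key not in the keyring, revoked, expired, bad signature). The fingerprint, key IDs and status transcripts below are constructed placeholders, not HashiCorp's; the real fingerprint is published at https://www.hashicorp.com/security.

```shell
#!/bin/sh
# Added example, not code from the quickstart repository. It replaces the bare
# "gpg --verify" step with one that parses gpg's machine-readable status output
# (--status-fd) and pins the signing-key fingerprint, so a rotated, revoked,
# expired or missing key fails with a named reason instead of an opaque
# CloudFormation "FAILURE signal". EXPECTED_FPR is a constructed placeholder,
# not HashiCorp's real fingerprint: set it from https://www.hashicorp.com/security.
set -eu

EXPECTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"   # placeholder, see above

# Status tokens that mean the verified file must not be trusted:
#   BADSIG / ERRSIG         signature does not check out or could not be checked
#   NO_PUBKEY               signing key is not in the keyring (what an embedded
#                           old key produces once releases are signed with a new one)
#   REVKEYSIG / KEYREVOKED  good signature, but the key has been revoked
#   EXPKEYSIG / KEYEXPIRED  good signature, but the key has expired
#   EXPSIG                  the signature itself has expired
FATAL_TOKENS='BADSIG|ERRSIG|NO_PUBKEY|REVKEYSIG|KEYREVOKED|EXPKEYSIG|KEYEXPIRED|EXPSIG'

# check_gpg_status STATUS_TEXT EXPECTED_FPR
# Returns 0 only if the transcript has no fatal token and a VALIDSIG whose signing
# subkey or primary-key fingerprint equals EXPECTED_FPR. The reason goes to stderr.
check_gpg_status() {
  status="$1"; expected="$2"

  bad=$(printf '%s\n' "$status" | grep -E "^\[GNUPG:\] ($FATAL_TOKENS)( |\$)" | head -n 1)
  if [ -n "$bad" ]; then
    echo "refusing: gpg reported '${bad#* }'" >&2
    return 1
  fi

  # VALIDSIG <signing fpr> <date> <timestamp> <expire> <ver> <res> <pk> <hash> <class> <primary fpr>
  signing=$(printf '%s\n' "$status" | awk '$1=="[GNUPG:]" && $2=="VALIDSIG" {print $3; exit}')
  primary=$(printf '%s\n' "$status" | awk '$1=="[GNUPG:]" && $2=="VALIDSIG" {print $NF; exit}')
  if [ -z "$signing" ]; then
    echo "refusing: gpg produced no VALIDSIG" >&2
    return 1
  fi
  if [ "$signing" != "$expected" ] && [ "$primary" != "$expected" ]; then
    echo "refusing: signed by $signing (primary $primary), pinned key is $expected" >&2
    return 1
  fi
  return 0
}

# verify_sums SIG_FILE SUMS_FILE: drop-in for the init script's verify step.
# --status-fd 1 sends the status tokens to stdout (captured here); gpg's
# human-readable output still goes to stderr, where the instance log keeps it.
verify_sums() {
  out=$(gpg --batch --status-fd 1 --verify "$1" "$2") || true
  check_gpg_status "$out" "$EXPECTED_FPR"
}

# Constructed transcripts (not captured from any real release) covering the
# outcomes an init script meets. Key IDs and fingerprints are placeholders.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Release Signing <release@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2021-04-22 1619049600 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'
SAMPLE_REVOKED='[GNUPG:] NEWSIG
[GNUPG:] REVKEYSIG 89ABCDEF01234567 Example Release Signing <release@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2021-04-22 1619049600 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'
SAMPLE_NO_PUBKEY='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG FEDCBA9876543210 1 8 00 1619049600 9 -
[GNUPG:] NO_PUBKEY FEDCBA9876543210'
```

Replacing the embedded key, as the maintainer did, is still the fix; the wrapper adds the check that turns the next rotation into a log line naming `NO_PUBKEY` or `REVKEYSIG` and the pinned fingerprint, which is what you want to see in the instance log instead of only "Received 2 FAILURE signal(s) out of 3".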

I have updated the signature. Waiting for the changes to pass CI/CD and promotion to prod and will update here.

Closing since CI/CD tests passed. Merged into main and now synced to public buckets.