This repository has been archived by the owner on Dec 6, 2023. It is now read-only.

Hashicorp vault signature validation is failing as the key is revoked #227

Open
pdpjw opened this issue Apr 26, 2021 · 1 comment

Comments


pdpjw commented Apr 26, 2021

Vault image signature validation is failing. The GPG key has been revoked recently.

gpg -k 91A6E7F85D05C65630BEF18951852D87348FFC4C
pub   rsa2048 2014-02-26 [SC] [revoked: 2021-04-21]
      91A6E7F85D05C65630BEF18951852D87348FFC4C
uid           [ revoked] HashiCorp Security <[email protected]>

Member

mdeggies commented Apr 29, 2021

Hey there, are you having issues with the Vault Docker image? If so, please post your reproduction steps so we can take a look.

As noted in the security bulletin, we recently rotated our GPG key. We updated references to the old GPG key ID in this repo so that future builds will check against the new key ID, but local Docker builds and pulls from Docker Hub should continue to work without any changes. As you can see in the Dockerfile, when a new build is triggered, the relevant binary is pulled down from releases.hashicorp.com. All of our binaries on releases.hashicorp.com have been validated and re-signed with the new GPG key, and these are the binaries used on fresh Docker pulls.

Let us know if you have any questions about this.
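
As an added example (not part of this thread and not HashiCorp's build code): a build step that pins a signing-key fingerprint can read the key's state from gpg's colon-delimited listing before trusting a signature, which is how a revocation like the one in the first comment becomes visible to a script. The listing below is constructed sample data; the all-zero fingerprints and the function names are assumptions.

```shell
#!/bin/sh
# Real use (needs gpg and the key in the local keyring):
#   gpg --batch --with-colons --list-keys "$FPR" | require_usable_key "$FPR"

# key_status FINGERPRINT
# Reads `gpg --with-colons --list-keys` records on stdin and prints
# revoked | expired | invalid | usable | missing for that primary key.
key_status() {
    awk -F: -v want="$1" '
        BEGIN { want = toupper(want) }
        $1 == "pub" { primary = 1; validity = $2 }   # field 2: key validity
        $1 == "sub" { primary = 0 }                  # ignore subkey fingerprints
        $1 == "fpr" && primary && $10 == want {
            if (validity == "r") print "revoked"
            else if (validity == "e") print "expired"
            else if (validity == "i") print "invalid"
            else print "usable"
            found = 1
            exit
        }
        END { if (!found) print "missing" }
    '
}

# require_usable_key FINGERPRINT
# Fails (non-zero) unless the pinned key is present and not revoked/expired.
require_usable_key() {
    state=$(key_status "$1")
    if [ "$state" != "usable" ]; then
        echo "refusing to verify: key $1 is $state" >&2
        return 1
    fi
}

# Constructed sample listing: the revoked key from the first comment plus a
# placeholder key (all-zero fingerprints are made up for illustration).
sample_listing() {
    cat <<'EOF'
pub:r:2048:1:51852D87348FFC4C:1393372800:::-:::sc:
fpr:::::::::91A6E7F85D05C65630BEF18951852D87348FFC4C:
pub:-:4096:1:0000000000000001:1618963200:::-:::sc:
fpr:::::::::0000000000000000000000000000000000000001:
sub:-:4096:1:0000000000000002:1618963200::::::e:
fpr:::::::::0000000000000000000000000000000000000002:
EOF
}
```

A pinned fingerprint that reports `missing` should fail the build as well, since it means the expected key was never imported.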
