HashiCorp has been taking ongoing action to respond to CircleCI’s January 3, 2023 security alert. Our investigations have found no evidence of HashiCorp customer data disclosure and no evidence of malicious modification to HashiCorp source code or binaries.
Please refer to HashiCorp’s security bulletin for more information, and HashiCorp’s status page for information regarding maintenance windows and ongoing operational impact.
HashiCorp customers should be aware of possible impact and actions necessary as a result of proactive secret rotation that has been completed:
Guidance for customers using the RPM repository at https://rpm.releases.hashicorp.com
The signing key for RPM packages was rotated on January 23rd, with packages re-signed and released using the new key. The previous signing key was revoked on April 24th, 2023.
Action for customers:
- To verify new packages, users will need to use the new key from https://rpm.releases.hashicorp.com/gpg.
- To avoid disruption after revocation, users will need to download the new GPG key from https://rpm.releases.hashicorp.com/gpg, update the RPM repo, and download the package again to pick up the newly signed package.
- Users may need to re-install their HashiCorp Linux packages that have been signed using the new key, following instructions from the official packaging guide.
Guidance for customers using the APT repository at https://apt.releases.hashicorp.com
The signing key for APT packages was rotated on January 23rd, with packages re-signed and released using the new key. The previous signing key was revoked on April 24th, 2023.
Action for customers:
- To verify new packages, users will need to use the new key from https://apt.releases.hashicorp.com/gpg.
- To avoid disruption after revocation, users will need to download the new GPG key from https://apt.releases.hashicorp.com/gpg to an existing or new keyring, verify the key’s fingerprint, add the HashiCorp repo, and run the update command.
- Users may need to re-install their HashiCorp Linux packages that have been signed using the new key, following instructions from the official packaging guide.
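The APT steps above (download the new key, verify its fingerprint, add the repo, update), as an added example rather than HashiCorp's own script. The key URL comes from this page; the keyring and sources-list paths, the Debian/Ubuntu layout, and the EXPECTED_FPR placeholder (the page does not give the fingerprint) are assumptions. The same fingerprint check applies to the RPM key.

```shell
#!/bin/sh
# Added example, not HashiCorp's own script: install the rotated APT signing key
# only after its fingerprint matches the value obtained from HashiCorp out of band.
set -eu

KEY_URL="https://apt.releases.hashicorp.com/gpg"             # from the advisory
KEYRING="/usr/share/keyrings/hashicorp-archive-keyring.gpg"  # assumed path
SOURCES="/etc/apt/sources.list.d/hashicorp.list"             # assumed path
# Placeholder: the new key's fingerprint is not given on this page; set it from
# HashiCorp's published value before running rotate_apt_key.
EXPECTED_FPR="${EXPECTED_FPR:-REPLACE_WITH_PUBLISHED_FINGERPRINT}"

# Read `gpg --with-colons` records on stdin and print every fingerprint
# (field 10 of each "fpr" record), primary key and subkeys alike.
fingerprints_from_colons() {
  awk -F: '$1 == "fpr" { print $10 }'
}

# Exit 0 iff $1 (spaces and case ignored) is one of the fingerprints on stdin.
fingerprint_matches() {
  expected=$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
  fingerprints_from_colons | grep -qxF "$expected"
}

# Download the new key, check it, then install the keyring, add the repo, update.
rotate_apt_key() {
  tmp=$(mktemp)
  curl -fsSL "$KEY_URL" -o "$tmp"
  # show-only lists the key's fingerprints without importing it into any keyring.
  if ! gpg --with-colons --import-options show-only --import "$tmp" \
        | fingerprint_matches "$EXPECTED_FPR"; then
    echo "downloaded key does not match EXPECTED_FPR; not installing it" >&2
    rm -f "$tmp"
    return 1
  fi
  gpg --dearmor < "$tmp" | sudo tee "$KEYRING" > /dev/null
  rm -f "$tmp"
  echo "deb [signed-by=$KEYRING] https://apt.releases.hashicorp.com $(lsb_release -cs) main" \
    | sudo tee "$SOURCES" > /dev/null
  sudo apt-get update
  # Then re-install the HashiCorp packages in use (apt-get install --reinstall <pkg>)
  # so the files on disk are the versions signed with the new key.
}
```

Call `rotate_apt_key` after setting EXPECTED_FPR; the fingerprint helpers can also be run on their own against `gpg --with-colons` output.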
Guidance for customers using Apple builds from HashiCorp Releases at https://releases.hashicorp.com
The certificate used to sign Apple artifacts was rotated on January 23rd, with existing artifacts re-signed with the new certificate. The previous signing key was revoked on April 24th, 2023.
If you run a previously downloaded Apple artifact signed with the old certificate, you may see an error like:
Action for customers:
- After certificate revocation, users are expected to encounter errors using Apple artifacts that were downloaded before January 23rd.
- Users will need to re-download Apple artifacts from the Releases Site, which have been signed using the new certificate.