Hashicorp public key trusted signatures

Skip to first unread message

Stephan Stachurski

Aug 29, 2017, 5:08:50 PM8/29/17
to Vault
When checking the signed hashes of binaries from releases.hashicorp.com (described here), my gpg client gives a warning about trusted signatures of the hashicorp key:

gpg: Signature made Thu 10 Aug 2017 12:59:45 AM UTC using RSA key ID 348FFC4C
gpg: Good signature from "HashiCorp Security <secu...@hashicorp.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 91A6 E7F8 5D05 C656 30BE  F189 5185 2D87 348F FC4C

Is it possible for you to add some trusted signatures?

Joel Thompson

Aug 29, 2017, 5:25:57 PM8/29/17
to vault...@googlegroups.com
Hi Stephan,

No, it's not really possible for HashiCorp to add trusted signatures due to the distributed nature of PGP's web of trust. What GPG is warning you about is that neither you nor anybody whose key you have personally gone out of your way to explicitly trust has signed the HashiCorp key. And HashiCorp really has no idea whom you personally trust. It's not like in the HTTPS world where there are literally hundreds of trusted issuers that generally everybody trusts. Instead, in PGP, the trust is completely decentralized.

If you look at a public key server, it looks like a few individuals have signed the HashiCorp key and published their signatures (e.g., http://pgp.key-server.io/pks/lookup?search=security%40hashicorp.com&fingerprint=on&op=vindex), but that was up to those individuals.

You can also find HashiCorp's key on KeyBase at https://keybase.io/hashicorp

https://en.wikipedia.org/wiki/Web_of_trust is probably a good place to start for further reading on this.

Hope this helps,


This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/26341efe-5804-4a50-b805-91879ccede0f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Stephan Stachurski

Aug 29, 2017, 6:03:10 PM8/29/17
to Vault
Thanks, Joel.

I also reached out to secu...@hashicorp.com and I got this answer from Armon D. I hope he doesn't mind if I repost it here:

>We don’t make use of trusted signatures, but we do verify our key via Keybase here: https://keybase.io/hashicorp
>It is also published on our site here: https://www.hashicorp.com/security/

>Hopefully that is enough verification to add it as a trusted key!

>Best Regards,
>Armon Dadgar
Reply all
Reply to author
0 new messages