Hashicorp public key trusted signatures
661 views
Skip to first unread message
Stephan Stachurski
Aug 29, 2017, 5:08:50 PM8/29/17
to Vault
When checking the signed hashes of binaries from releases.hashicorp.com (described here), my gpg client gives a warning about trusted signatures of the hashicorp key:
Is it possible for you to add some trusted signatures?
gpg: Signature made Thu 10 Aug 2017 12:59:45 AM UTC using RSA key ID 348FFC4C gpg: Good signature from "HashiCorp Security <secu...@hashicorp.com>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 91A6 E7F8 5D05 C656 30BE F189 5185 2D87 348F FC4C
Is it possible for you to add some trusted signatures?
Joel Thompson
Aug 29, 2017, 5:25:57 PM8/29/17
to vault...@googlegroups.com
Hi Stephan,
No, it's not really possible for HashiCorp to add trusted signatures due to the distributed nature of PGP's web of trust. What GPG is warning you about is that neither you nor anybody whose key you have personally gone out of your way to explicitly trust has signed the HashiCorp key. And HashiCorp really has no idea whom you personally trust. It's not like in the HTTPS world where there are literally hundreds of trusted issuers that generally everybody trusts. Instead, in PGP, the trust is completely decentralized.
If you look at a public key server, it looks like a few individuals have signed the HashiCorp key and published their signatures (e.g., http://pgp.key-server.io/pks/lookup?search=security%40hashicorp.com&fingerprint=on&op=vindex), but that was up to those individuals.
You can also find HashiCorp's key on KeyBase at https://keybase.io/hashicorp
https://en.wikipedia.org/wiki/Web_of_trust is probably a good place to start for further reading on this.
Hope this helps,
--Joel
--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/26341efe-5804-4a50-b805-91879ccede0f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Stephan Stachurski
Aug 29, 2017, 6:03:10 PM8/29/17
to Vault
Thanks, Joel.
I also reached out to secu...@hashicorp.com and I got this answer from Armon D. I hope he doesn't mind if I repost it here:
>We don’t make use of trusted signatures, but we do verify our key via Keybase here: https://keybase.io/hashicorp
>We don’t make use of trusted signatures, but we do verify our key via Keybase here: https://keybase.io/hashicorp
>It is also published on our site here: https://www.hashicorp.com/security/
>Hopefully that is enough verification to add it as a trusted key!
>Best Regards,
>Armon Dadgar
Reply all
Reply to author
Forward
0 new messages