Hashicorp Terraform GPG Rotation (CodeCov vulnerability)
Issue
Hashicorp rotated GPG keys due to the CodeCov vulnerability. As a result, old GPG keys were rendered invalid and Terraformer required updates to available versions to allow for the key rotations, especially on Terraform versions 0.11.x and 0.12.x. Customers will need to update their Terraform versions for all releases with the updated binaries & GPG keys. Our latest release of Armory Spinnaker (2.25.0, 2.24.1, 2.23.5) did not have these latest versions as they were only recently released. They were not available in the Terraformer stage dropdown dropdown list.
``````
Cause
HashiCorp was impacted by a security incident with a third party (Codecov) that led to potential disclosure of sensitive information. As a result, the GPG key used for release signing and verification has been rotated. Customers who verify HashiCorp release signatures may need to update their process to use the new key.To learn more, please see:https://discuss.hashicorp.com/t/hcsec-2021-12-codecov-security-event-and-hashicorp-gpg-key-exposure/23512