debops.hashicorp security considerations

The debops.hashicorp role can be used to install binary Go applications on production systems; it was designed to check and validate the archives used for application deployment against a known Trust Path. This document explains the steps taken by the role to authenticate and verify the
The Debian Go Packaging Team maintains source and binary packages of selected HashiCorp applications in the Debian Software Repository. The Debian packages for different applications should be the preferred installation method when they are readily available on the Debian Stable release.
The debops.hashicorp role is written in the belief that verified and authenticated access to the upstream versions of HashiCorp applications can still be useful even when Debian binary packages exist, for example to provide a secure installation path for software that is not packaged in Debian.
The process that HashiCorp uses to build binary Go packages from the sources on GitHub and deploy them on their release page is currently unpublished.
It is unknown if the HashiCorp application builds are reproducible and can be independently verified.
Each released version of an application is published on the HashiCorp release page. The applications are published as .zip archives, each archive containing one or more Go binaries. Each archive file is hashed using the SHA256 algorithm. The hashes of all provided files are stored in a separate file, which is signed by the HashiCorp OpenPGP key with the fingerprint:

    91A6 E7F8 5D05 C656 30BE F189 5185 2D87 348F FC4C

    user@host:~$ gpg --keyserver hkp://pool.sks-keyservers.net \
                     --recv-key 91A6E7F85D05C65630BEF18951852D87348FFC4C
The steps outlined below describe the method used by the debops.hashicorp role to verify and install the HashiCorp applications selected by the user or by another Ansible role:
1. The debops.hashicorp Ansible role creates a separate, unprivileged system group and UNIX user account, by default both named hashicorp. The account does not provide shell access and uses the /usr/sbin/nologin shell by default. Additionally, several directories owned by the new user account are created to provide a location to unpack the verified archives in preparation for the installation.

2. The hashicorp user account imports the HashiCorp OpenPGP key from the OpenPGP keyserver network, by default using one of the SKS Keyservers.

3. The hashicorp user account downloads the necessary files from the HashiCorp release page over the HTTPS protocol. These files include: the binary archive files, the files containing SHA256 hashes of the provided files, and the files containing OpenPGP signatures of the hash files.

4. The hashicorp user account verifies the signature of the SHA256 hash file against the HashiCorp OpenPGP key imported earlier.

5. If the signature verification passed, the hashicorp user account compares the SHA256 hashes provided in the signed file against the downloaded binary archives.

6. If the hash verification was successful, the hashicorp user account unpacks the binary archives of the HashiCorp applications into the separate directories created earlier.

7. The root user account installs the unpacked application binaries to the specified directory (by default …) with root:root owner and group. Additional files required by the Consul Web UI are copied to the specified web root directory (by default /srv/www/consul/sites/public/) when the Consul Web UI is enabled.

8. All of the downloaded and unpacked files are left intact to allow for idempotent operation and verification.
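The two verification steps above (signature check in step 4, hash comparison in step 5) as an added Python example; this is not the role's own code. It assumes the gpg command-line tool is installed for the signature step, and the archive names, version numbers and archive bytes in demo() are constructed sample values. The point a practitioner wants here is that "gpg --verify" succeeds for any key in the keyring, so the signing key's fingerprint is pinned to the one quoted on this page, and an archive that is not listed in the signed hash file is rejected rather than ignored.

```python
import hashlib
import os
import re
import subprocess
import tempfile

HASHICORP_FPR = "91A6E7F85D05C65630BEF18951852D87348FFC4C"  # fingerprint from this page

def parse_sha256sums(text):
    """Parse 'hexdigest  filename' lines (sha256sum output format) into a dict."""
    sums = {}
    for line in text.splitlines():
        m = re.fullmatch(r"([0-9a-fA-F]{64})\s+\*?(\S+)", line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums

def gpg_verify_pinned(sig_path, sums_path, fingerprint=HASHICORP_FPR):
    """Step 4: the detached signature must verify AND come from the pinned key.
    VALIDSIG carries the signing-key fingerprint first, the primary key's last."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, sums_path],
        capture_output=True, text=True)
    for line in proc.stdout.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return fingerprint.upper() in (parts[2].upper(), parts[-1].upper())
    return False  # no VALIDSIG line: bad signature, missing key, or gpg error

def verify_archive(sums_text, directory, archive_name):
    """Step 5: trusted only if listed in the signed hash file and the digest matches."""
    expected = parse_sha256sums(sums_text).get(archive_name)
    if expected is None:
        return False  # unlisted archive is rejected, not skipped
    with open(os.path.join(directory, archive_name), "rb") as f:
        return hashlib.sha256(f.read()).hexdigest() == expected

def demo():
    """Constructed sample: listed+intact, listed+tampered, unlisted archive."""
    good = b"PK\x03\x04 constructed archive bytes"
    names = ["consul_0.0.0_linux_amd64.zip", "vault_0.0.0_linux_amd64.zip",
             "nomad_0.0.0_linux_amd64.zip"]
    with tempfile.TemporaryDirectory() as d:
        for name, data in zip(names, (good, good + b"x", good)):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        digest = hashlib.sha256(good).hexdigest()
        sums = f"{digest}  {names[0]}\n{digest}  {names[1]}\n"  # nomad unlisted
        return tuple(verify_archive(sums, d, n) for n in names)
```

demo() returns (True, False, False): only the listed, unmodified archive passes; gpg_verify_pinned() is meant to be run on the downloaded hash file and its .sig before any hash comparison is trusted.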