debops.hashicorp security considerations¶
debops.hashicorp role can be used to install binary Go
applications on production systems, it was designed to check and validate the
archives used for application deployment against a known Trust Path. This
document explains the steps taken by the role to authenticate and verify the
The Debian Go Packaging Team maintains source and binary packages of selected HashiCorp applications in the Debian Software Repository. The Debian packages for different applications should be the preferred installation method when they are readily available on the Debian Stable release.
debops.hashicorp role is written in the belief that the verified and
authenticated access to the upstream versions of HashiCorp applications, even
though installed using binary packages, can still be useful, for example to
provide secure installation path to the software not packaged in Debian.
The process that HashiCorp uses to build binary Go packages from the sources on GitHub and deploy them on their release page is currently unpublished.
It is unknown if the HashiCorp application builds are reproducible and can be independently verified.
Each released version of an application is published on the HashiCorp
release page. The applications are published
.zip archives, each archive containing one or more Go binaries.
Each archive file is hashed using SHA256 algorithm. Hashes of all provided
files are stored in a separate file which is signed by the HashiCorp OpenPGP key.
C874 011F 0AB4 0511 0D02 1055 3436 5D94 72D7 468F
user@host:~$ gpg --keyserver hkp://pool.sks-keyservers.net \ --recv-key C874011F0AB405110D02105534365D9472D7468F
The steps outlined below describe the method used by the
role to verify and install the HashiCorp applications selected by the user or
another Ansible role:
debops.hashicorpAnsible role creates a separate, unprivileged system group and UNIX user account, by default both named
hashicorp. The account does not provide shell access and uses
/usr/sbin/nologinshell by default.
Additionally, several directories owned by the new user account are created to provide location to unpack the verified archives in preparation for the installation.
hashicorpuser account imports the HashiCorp OpenPGP key from the OpenPGP keyserver network, by default using one of the SHS Keyservers.
hashicorpuser account downloads the necessary files from the HashiCorp release page over the HTTPS protocol. These files include: binary archive files, files containing SHA256 hashes of the provided files, files containing OpenPGP signatures of the hash files.
hashicorpuser account verifies the signature of the SHA256 hash file against the HashiCorp OpenPGP key imported prior.
If the signature verification passed, the
hashicorpuser compares the SHA 256 hashes provided in the signed file against the downloaded binary archives.
If the hash verification was successful, the
hashicorpuser account unpacks the binary archives of the HashiCorp applications to separate directories created prior.
rootuser account installs the unpacked application binaries to the specified directory (by default
root:rootowner and group. Additional files required by the Consul Web UI are copied to specified web root directory (by default
/srv/www/consul/sites/public/) when the Consul Web UI is enabled.
All of the downloaded and unpacked files are left intact to allow for idempotent operation and verification.