[atlantis-aws] bump Atlantis to 0.42.0 to fix expired HashiCorp GPG key#4292
Open
amit-darji wants to merge 1 commit into
Conversation
Atlantis <= 0.41.0 ships hc-install v0.9.2, which embeds the HashiCorp
GPG key 72D7468F that expired on 2026-04-18. At runtime, Atlantis uses
hc-install to verify Terraform binaries it downloads on demand, so any
Terraform version not baked into this image (e.g., 1.15.x) fails with:
error downloading terraform version <X>: unable to verify checksums
signature: openpgp: key expired
Upstream fix (runatlantis/atlantis#6410) bumped hc-install to v0.9.4,
which carries the renewed key (valid until 2030-03-01 per HCSEC-2026-03).
That fix shipped in atlantis v0.42.0.
Refs:
- runatlantis/atlantis#6405
- runatlantis/atlantis#6410
- https://discuss.hashicorp.com/t/hcsec-2026-03-hashicorp-gpg-key-72d7468f-update/77237
Summary
Bumps ATLANTIS_VERSION in atlantis-aws from 0.40.0 to 0.42.0 to resolve the expired HashiCorp GPG key (72D7468F) that breaks runtime Terraform downloads.
Problem
Users of chatwork/atlantis-aws:0.40.0 (and any earlier release) hit this when Atlantis tries to fetch a Terraform version that isn't baked into the image (e.g. 1.15.x):
Root cause: Atlantis delegates Terraform download + signature verification to hashicorp/hc-install. Versions <= v0.9.2 embed the HashiCorp GPG key 72D7468F, which expired on 2026-04-18 (HashiCorp advisory HCSEC-2026-03). Atlantis v0.41.0 pins hc-install v0.9.2, so any image based on it inherits the expired key.
Fix
Upstream Atlantis PR #6410 ("chore(deps): bump go to 1.25.8 and hc-install to v0.9.4") bumped hc-install to v0.9.4, which ships the renewed key valid until 2030-03-01. That fix was released in Atlantis v0.42.0.
Verified via go.mod at each tag:
hc-install version
Because the fix lives entirely inside the compiled atlantis binary, the only change needed in this image is bumping the version we download.
Why 0.42.0 (not latest 0.43.0)
Pinning to the exact version where the fix landed keeps the diff minimal and scoped to the security regression. Subsequent minor bumps can flow through the existing automated update workflow.
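The go.mod check described under "Fix" and the runtime symptom quoted in the commit message, written up as an added Go example; this is not code from this PR, from Atlantis or from hc-install. It assumes only the module path github.com/hashicorp/hc-install and the minimum fixed release v0.9.4 stated above; the two go.mod excerpts and the log line are constructed samples, not copied from the Atlantis repository.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// hcInstallModule is the Go module Atlantis delegates Terraform download and
// checksum-signature verification to.
const hcInstallModule = "github.com/hashicorp/hc-install"

// minFixedHcInstall is the first hc-install release that embeds the renewed
// HashiCorp key, per the PR description.
const minFixedHcInstall = "v0.9.4"

// HcInstallVersion scans go.mod text (as fetched from a given Atlantis tag)
// and returns the required hc-install version. Both the single-line
// `require path vX.Y.Z` form and the parenthesised block form are handled;
// trailing `// indirect` comments are ignored.
func HcInstallVersion(goMod string) (string, error) {
	sc := bufio.NewScanner(strings.NewReader(goMod))
	inBlock := false
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if idx := strings.Index(line, "//"); idx >= 0 {
			line = strings.TrimSpace(line[:idx])
		}
		switch {
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		}
		fields := strings.Fields(line)
		if !inBlock {
			if len(fields) == 3 && fields[0] == "require" {
				fields = fields[1:]
			} else {
				continue
			}
		}
		if len(fields) >= 2 && fields[0] == hcInstallModule {
			return fields[1], nil
		}
	}
	if err := sc.Err(); err != nil {
		return "", err
	}
	return "", errors.New("hc-install not found in go.mod")
}

// parseSemver turns "v0.9.4" into [0 9 4]; pre-release/build suffixes are dropped.
func parseSemver(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("bad version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("bad version %q: %w", v, err)
		}
		out[i] = n
	}
	return out, nil
}

// CarriesRenewedKey reports whether an hc-install version is at or above
// minFixedHcInstall, i.e. whether it ships the renewed GPG key.
func CarriesRenewedKey(version string) (bool, error) {
	got, err := parseSemver(version)
	if err != nil {
		return false, err
	}
	want, _ := parseSemver(minFixedHcInstall)
	for i := 0; i < 3; i++ {
		if got[i] != want[i] {
			return got[i] > want[i], nil
		}
	}
	return true, nil
}

// IsExpiredKeyFailure matches the runtime symptom from the commit message in
// an Atlantis log line, so an affected image can be spotted from logs alone.
func IsExpiredKeyFailure(logLine string) bool {
	return strings.Contains(logLine, "unable to verify checksums signature") &&
		strings.Contains(logLine, "openpgp: key expired")
}

// Constructed go.mod excerpts shaped like a pre-fix and a post-fix tag
// (sample data for this example, not the real Atlantis files).
const goModBefore = `module github.com/runatlantis/atlantis

go 1.25

require (
	example.com/other/dep v1.2.3
	github.com/hashicorp/hc-install v0.9.2
)
`

const goModAfter = `module github.com/runatlantis/atlantis

go 1.25

require github.com/hashicorp/hc-install v0.9.4 // indirect
`

func main() {
	for _, mod := range []string{goModBefore, goModAfter} {
		v, err := HcInstallVersion(mod)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		ok, _ := CarriesRenewedKey(v)
		fmt.Printf("hc-install %s renewed key: %v\n", v, ok)
	}
	// Constructed log line in the shape the commit message quotes.
	line := "error downloading terraform version 1.15.0: unable to verify checksums signature: openpgp: key expired"
	fmt.Println("expired-key failure:", IsExpiredKeyFailure(line))
}
```

To apply this to a real tag, feed HcInstallVersion the contents of go.mod as checked out at that tag; the version comparison is the same check a reviewer performs by eye when confirming that the fix is in the tag being pinned.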
Changes
- atlantis-aws/Dockerfile: ARG ATLANTIS_VERSION=0.40.0 → 0.42.0
- atlantis-aws/goss/goss.yaml: update version assertion to 0.42.0
Dockerfile.arm64 is a symlink to Dockerfile so it's covered automatically. Dockerfile.tpl and goss.yaml.tpl use templating ({{ .atlantis_version }}) so they don't need editing; variant.lock will be refreshed by the automated update workflow on its next run.
References
Test plan
- make build succeeds on amd64 and arm64
- make test passes (goss assertions match new version)
- atlantis version reports 0.42.0
- openpgp: key expired error no longer occurs