Description
Terraform Version
Any
Use Cases
It is possible to validate Terraform zip artifacts by following the process described in the HashiCorp Well-Architected Framework. However, the official Terraform Docker images currently lack a method to verify authenticity, leaving a gap in supply chain security for workflows that rely on containerized deployments.
Examples
- Enterprise CI/CD Pipelines: Enforce policies requiring all artifacts used in pipelines to be verified and trusted. Without signed Docker images, Terraform images cannot be validated, making it impossible to enforce compliance or prevent untrusted images from being used.
- Multi-Registry Distribution: Teams distributing Terraform images across private and public registries cannot guarantee the image integrity at each destination. Without a verifiable signature, it is difficult to confirm that images pulled from any registry are the official HashiCorp builds.
- Supply Chain Security: Docker images pulled from public repositories may be subject to tampering or compromise. Without signing, users cannot cryptographically verify the provenance of Terraform images, leaving pipelines vulnerable to supply chain attacks.
Attempted Solutions
Considered using a third party offering such as https://images.chainguard.dev/directory/image/terraform/provenance
Proposal
HashiCorp should distribute Terraform Docker images with cryptographic signatures, using a mechanism such as Cosign or Docker Content Trust/Notary v2. The public keys and verification instructions should be published alongside the images, allowing users to independently verify that the images are authentic and untampered.
References
No response
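The pipeline gate the Use Cases and Proposal sections describe, as an added example that is not part of the issue and not HashiCorp's code. It shows what a fail-closed check looks like once a Cosign public key exists for the images, and puts the existing zip verification path (PGP signature over SHA256SUMS, then the checksum) beside it for contrast. Assumptions: `TF_IMAGE_PUBKEY` is a hypothetical path to a key HashiCorp does not publish today, `hashicorp/terraform` is used only as a sample reference, and the HashiCorp release PGP key is already imported into the local keyring for `verify_zip`.

```shell
#!/usr/bin/env bash
# Added example, not from the issue or from HashiCorp: a CI gate that refuses to
# run a Terraform container image unless its Cosign signature verifies, next to
# the zip verification that HashiCorp already documents. The Cosign public key
# path is hypothetical; the issue's point is that no such key is published yet.
set -eu

# A signature over a tag only covers the digest the tag resolved to at signing
# time, so the gate first insists on a digest-pinned reference.
is_digest_pinned() {
  printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# Verify an image reference against a Cosign public key. Fails closed:
# returns 3 for an unpinned reference, 2 when cosign is not installed, and
# cosign's own non-zero status when the signature does not verify.
verify_image() {
  ref="$1"
  pubkey="$2"   # e.g. "${TF_IMAGE_PUBKEY}" (assumed; no such key is published today)
  is_digest_pinned "$ref" || { echo "refusing unpinned reference: $ref" >&2; return 3; }
  command -v cosign >/dev/null 2>&1 || { echo "cosign not installed; failing closed" >&2; return 2; }
  cosign verify --key "$pubkey" "$ref" >/dev/null
}

# The zip path from the Well-Architected Framework: check the detached PGP
# signature on the SHA256SUMS file, then the checksum line for this zip.
# Returns 4 if the signature check fails (or gpg is absent), otherwise
# sha256sum's status. Assumes HashiCorp's release key is in the keyring.
verify_zip() {
  zip="$1"    # e.g. terraform_1.9.0_linux_amd64.zip (sample name)
  sums="$2"   # e.g. terraform_1.9.0_SHA256SUMS, with ${sums}.sig beside it
  gpg --verify "${sums}.sig" "$sums" >/dev/null 2>&1 || return 4
  grep " $(basename "$zip")\$" "$sums" \
    | ( cd "$(dirname "$zip")" && sha256sum -c --status )
}

# Sample gate for a pipeline step (sample reference, not a real digest):
#   verify_image \
#     "hashicorp/terraform@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" \
#     "${TF_IMAGE_PUBKEY}" \
#     && docker run --rm "hashicorp/terraform@sha256:..." version
```

If HashiCorp chose Sigstore keyless signing instead of a long-lived key, the `--key` argument in `verify_image` would be replaced by `--certificate-identity` and `--certificate-oidc-issuer`, which bind the signature to the publishing identity rather than to a key file; the fail-closed structure of the gate stays the same.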