• HashiCorp Developer

  • HashiCorp Cloud Platform
  • Terraform
  • Packer
  • Consul
  • Vault
  • Boundary
  • Nomad
  • Waypoint
  • Vagrant
Terraform
  • Install
  • Tutorials
    • About the Docs
    • Configuration Language
    • Terraform CLI
    • Terraform Cloud
    • Terraform Enterprise
    • CDK for Terraform
    • Provider Use
    • Plugin Development
    • Registry Publishing
    • Integration Program
  • Registry(opens in new tab)
  • Try Cloud(opens in new tab)
  • Sign up
Terraform Home

Terraform CLI

Skip to main content
  • Terraform CLI
  • Basic CLI Features
    • Overview
    • Plugin Signing
    • providers
    • version
    • providers lock
    • providers mirror
    • providers schema

  • Terraform Internals

  • Resources

  • Tutorial Library
  • Certifications
  • Community Forum
    (opens in new tab)
  • Support
    (opens in new tab)
  • GitHub
    (opens in new tab)
  • Terraform Registry
    (opens in new tab)
  1. Developer
  2. Terraform
  3. Terraform CLI
  4. Managing Plugins
  5. Plugin Signing
  • Terraform
  • v1.2.x
  • v1.1 and earlier

ยปPlugin Signing

Note Terraform only authenticates provider plugins fetched from a registry.

Terraform providers installed from the Registry are cryptographically signed, and the signature is verified at time of installation. There are three types of provider signatures, each with different trust implications:

  • Signed by HashiCorp - are built, signed, and supported by HashiCorp.
  • Signed by Trusted Partners - are built, signed, and supported by a third party. HashiCorp has verified the ownership of the private key and we provide a chain of trust to the CLI to verify this programatically.
  • Self-signed - are built, signed, and supported by a third party. HashiCorp does not provide a verification or chain of trust for the signature. You may obtain and validate fingerprints manually if you want to ensure you are using a binary you can trust.

Terraform does NOT support fetching and using unsigned binaries, but you can manually install unsigned binaries. You should take extreme care when doing so as no programatic authentication is performed.

Usage of plugins from the registry is subject to the Registry's Terms of Use.

Edit this page on GitHub
Give Feedback(opens in new tab)
  • Certifications
  • System Status
  • Terms of Use
  • Security
  • Privacy
  • Trademark Policy
  • Trade Controls
  • Give Feedback(opens in new tab)