Acquisition complete HashiCorp officially joins the IBM family. Learn more
Terraform
Terraform Home

Plugin signatures

This topic provides information about the types of signatures that can be built into plugins you install. Terraform only authenticates provider plugins fetched from a registry.

Types of plugin signatures

Terraform providers installed from the registry are cryptographically signed. Terraform verifies the signature during installation. There are three types of signatures:

  • Providers signed by HashiCorp: HashiCorp builds, signs, and supports these providers.
  • Providers signed by trusted partners: A third party builds, signs, and supports these providers. HashiCorp verifies the ownership of the private key and provides a chain of trust to the CLI to verify ownership programatically.
  • Self-signed providers: A third party builds, signs, and supports these providers. HashiCorp does not provide a verification or chain of trust for the signature. You may obtain and validate fingerprints manually if you want to ensure you are using a binary you can trust.

Unsigned binaries

You cannot fetch and use unsigned binaries from the registry, but you can manually install unsigned binaries. We strongly recommend that you thoroughly vetting providers that you manually install so that these providers do not programatically authenticate.

Registry terms of use

Use of plugins from the registry is subject to the registry's terms of use.

Edit this page on GitHub