I was trying to install Terraform on Ubuntu with the official instructions [0].

When trying to verify Hashicorp's GPG signing key I see this command

  gpg --no-default-keyring \
      --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg \
      --fingerprint

should have the expected output of

  /usr/share/keyrings/hashicorp-archive-keyring.gpg
  -------------------------------------------------
  pub   rsa4096 2020-05-07 [SC]
        E8A0 32E0 94D8 EB4E A189  D270 DA41 8C88 A321 9F7B
  uid           [ unknown] HashiCorp Security (HashiCorp Package Signing) <security+packaging@hashicorp.com>
  sub   rsa4096 2020-05-07 [E]

as of the posting of this question. This also matches Hashicorp's Security page [1] under the heading Linux Package Checksum Verification.

However, I see a new key created 2023-01-10 instead:

  /usr/share/keyrings/hashicorp-archive-keyring.gpg
  -------------------------------------------------
  pub   rsa4096 2023-01-10 [SC] [expires: 2028-01-09]
        798A EC65 4E5C 1542 8C8E  42EE AA16 FCBC A621 E701
  uid           [ unknown] HashiCorp Security (HashiCorp Package Signing) <security+packaging@hashicorp.com>
  sub   rsa4096 2023-01-10 [S] [expires: 2028-01-09]

Am I correct in not trusting this key, as until Hashicorp fixes their documentation, this could be a compromised key? I assume it's related to their response to the CircleCI incident [2] but considering that their response links to their security page...don't they need to update their documentation to reflect the rotated key?

[0]: https://developer.hashicorp.com/terraform/tutorials/docker-get-started/install-cli [1]: https://www.hashicorp.com/security [2]: https://discuss.hashicorp.com/t/hcsec-2023-01-hashicorp-response-to-circleci-security-alert/48842/2