cli: GPG key used to sign debian packages is expired
Describe the bug
You can’t install the CLI from the .deb
package on Ubuntu or other Debian based systems as of today because the GPG key used to sign the package has expired.
Steps to reproduce the behavior
- Attempt to follow the debian installation instructions
Expected vs actual behavior
The apt update
step fails with the following error:
W: GPG error: https://cli.github.com/packages stable InRelease: The following signatures were invalid: EXPKEYSIG C99B11DEB97541F0 Nate Smith <vilmibm@github.com>
E: The repository 'https://cli.github.com/packages stable InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
Logs
You can see the key expired today if you examine it:
I’m pretty sure this is the same issue as #6174.
About this issue
- Original URL
- State: closed
- Created 2 years ago
- Reactions: 136
- Comments: 74 (9 by maintainers)
Commits related to this issue
- Update devcontainer scripts Won't work until https://github.com/cli/cli/issues/6175 is fixed — committed to oven-sh/bun by Jarred-Sumner 2 years ago
- download gh cli release (https://github.com/cli/cli/issues/6175) — committed to devcontainers/features by joshspicer 2 years ago
- download gh cli directly from release (https://github.com/cli/cli/issues/6175) (#133) * download gh cli release (https://github.com/cli/cli/issues/6175) * typo * typo — committed to devcontainers/features by joshspicer 2 years ago
- Fix GitHub CLI installation A workaround for <https://github.com/cli/cli/issues/6175>. This commit references <https://github.com/devcontainers/features/pull/133>. — committed to Kit-p/bun by Kit-p 2 years ago
- Fix GitHub CLI installation (#1204) A workaround for <https://github.com/cli/cli/issues/6175>. This commit references <https://github.com/devcontainers/features/pull/133>. — committed to oven-sh/bun by Kit-p 2 years ago
- dogfood: remove github apt source The source was causing our dogfood CI to fail. See https://github.com/cli/cli/issues/6175#issuecomment-1235984381. — committed to coder/coder by ammario 2 years ago
- Add github cli install script Work around of https://github.com/cli/cli/issues/6175 — committed to mtaron/dotfiles by mtaron 2 years ago
- Install gh from github releases Fixes issue with package signing. See: https://github.com/cli/cli/issues/6175 — committed to brew/trivy-report-issue-action by brew 2 years ago
- Install gh from github releases Fixes issue with package signing. See: https://github.com/cli/cli/issues/6175 — committed to brew/trivy-report-issue-action by brew 2 years ago
- Install gh from github releases Fixes issue with package signing. See: https://github.com/cli/cli/issues/6175 — committed to brew/trivy-report-issue-action by brew 2 years ago
- gh cli apt install is broken, install binary "manually" see https://github.com/cli/cli/issues/6175 — committed to grimm26/dotfiles by grimm26 2 years ago
- Install GitHub CLI from release page https://github.com/cli/cli/issues/6175#issuecomment-1235984381 — committed to hankei6km/h6-dev-containers by hankei6km 2 years ago
- Change gh cli install method to github releases The apt repo for the gh cli is broken due to an expired GPG key: https://github.com/cli/cli/issues/6175 They want to retire the debian packaging altog... — committed to nmalaguti/docker-github-actions-runner by nmalaguti 2 years ago
- update gh gpg key for Debian per https://github.com/cli/cli/issues/6175 — committed to toozej/ansible by toozej 2 years ago
- update gh gpg key for Debian per https://github.com/cli/cli/issues/6175 — committed to toozej/ansible by toozej 2 years ago
- Code cleanup and refactoring (#34) A variety of code cleanup changes, including some spelling corrections in code and documentation, update to the gh repo key, and version bumps for MARIA_VER and MAN... — committed to mgsisk/providence by mgsisk 2 years ago
- GPG key used to sign GitHub CLI repo expired https://github.com/cli/cli/issues/6175 — committed to armbian/build by igorpecovnik 2 years ago
- GPG key used to sign GitHub CLI repo expired (#4163) https://github.com/cli/cli/issues/6175 — committed to armbian/build by igorpecovnik 2 years ago
- GPG key used to sign GitHub CLI repo expired (#4163) https://github.com/cli/cli/issues/6175 — committed to smlinux/armbian-tanix-tx6 by igorpecovnik 2 years ago
- update GitHub CLI GPG key ID Due to the previous key expiring: https://github.com/cli/cli/issues/6175 — committed to kenyon/puppet by kenyon 2 years ago
Please consider not doing this. The Linux packaging method is much more convenient and easier to work with.
Hello, I’m very sorry for this confusion and frustration. We dropped the ball here due to a confluence of life factors and coincidences.
Due to those same factors it’s possible this key will not be fixed in a short time frame. I would recommend that people automating the installation of
gh
switch towget
ing a binary from https://github.com/cli/cli/releases/latest . These releases are accessed overhttps
and have the same level of authenticity as our signed Debian packages.This change might end up being long term, as we have recently been discussing retiring our Linux packaging in favor of our releases (see #5941 ), but once the team is able we will attempt to fix the GPG key.
The GPG key issue should now be fixed.
Please note that if you’ve downloaded
https://cli.github.com/packages/githubcli-archive-keyring.gpg
previously, you will need to re-download it.As per our Linux installation instructions, Debian/Ubuntu installation hasn’t changed:
For those using keyserver, the ID of the new key is
23F3D4EA75716059
. Due to the number of gotchas involved in fetching keys from a keyserver, we chose to not include this in the official installation instructions, advising users to fetch the key from our website instead.Let us know if there are any further issues!
@aucampia None of us on the team particularly enjoy the developer experience of signing anything with GPG. We didn’t have any experience with this prior to publishing GitHub CLI and, if we had a choice, we wouldn’t be doing it. However, signing package repositories seems to be mandatory, at least for Debian/Ubuntu.
Hi all, thanks for reporting the problem and for sharing your workarounds!
We’re pushing a new release of GitHub CLI soon that will be signed with an updated key served from the same location as before:
https://cli.github.com/packages/githubcli-archive-keyring.gpg
. Please stay tuned and don’t rewrite your setups if you can wait an hour or two more. ❤️Unfortunately, we weren’t able to access the original signing key to bump up the expiration date, so the new key has a different ID and belongs to
GitHub CLI
rather thanNate Smith
. I apologize for the disruption, especially because this broke so many people’s container setups andapt update
upgrades over the long weekend for US folks. This caught us at the worst possible time too, since all members of our team were unavailable to deal with the incident in a timely manner. We have already taken precaution that our new key is shared within the organization so that there isn’t a single point of ownership anymore.For now we are focused on fixing and resuming our publishing of Debian packages to work as they did before. Thanks for all the feedback 🙇
I really hope this does not happen, and it is not just because of a personal preference but because of a concern for the security of the developer ecosystem.
Like everyone else, developers like to get their work done with as few context switches and interrupts as possible. The more “snowflake” updates we have to perform in order to keep software up-to-date, the less likely we are to do so. That’s harsh, but we all know that it’s the truth. Even if an app is kind enough to tell us it needs to be updated, it typically tells us this at the worst possible time - namely, right when we need to use it. This makes it likely that we might just click the option to “remind me later” … again.
On the other hand, when app updates are part of routine app maintenance, they are almost never singled out for exclusion.
Please consider sticking with de facto standards on each platform: yum, apt, snap, winget/choco, and the like.
Thank you.
Update: this is now fixed: https://github.com/cli/cli/issues/6175#issuecomment-1238477714
🚨 🚨 🚨 🚨 🚨 🚨 🚨 🚨 🚨 🚨 🚨 🚨 🚨
We are working on an update for Codespaces. (Update: https://github.com/cli/cli/issues/6175#issuecomment-1235998656)
If you are seeing issues in Actions workflows, please share more details in this issue.
Manually, you are able to reset your system with
sudo apt-key del C99B11DEB97541F0 && sudo rm /etc/apt/sources.list.d/github-cli.list
Also see https://github.com/cli/cli/issues/6175#issuecomment-1235984381
🚨 🚨 🚨 🚨 🚨 🚨 🚨 🚨 🚨 🚨 🚨 🚨 🚨
And well it’s weird GH went with GPG-signing its CLI tool using someone’s personal GPG key and didn’t make it to switch to Org’s key until it was too late 😞
Had to do this on fedora:
Not if the keys are mismanaged.
The benefit of
apt
approach is auto or semi-auto upgrades of the package(s) w/o a need to watch for new releases on e.g. GH pages. So the issue is not affecting GH Workflows only but other apt-based installations too.👋 For anyone using Codespaces, Remote-Containers, or the dev container CLI, we have updated the dev container feature to prefer pulling from the latest GitHub Release instead of adding the apt repo. (see: https://github.com/devcontainers/features/pull/133)
Example
devcontainer.json
For future reference, supplying the option
installDirectlyFromGitHubRelease: false
will attempt the traditional approach that adds and fetches the github-cli via apt.Note: We were recently forced to change our GPG signing key. If you’ve previously downloaded the githubcli-archive-keyring.gpg file, you should re-download it again per above instructions. If you are using a keyserver to download the key, the ID of the new key is 23F3D4EA75716059.
If you decide to ditch the packaging, could you at least make the CLI self-updatable? In other words, if I install using some mechanism you show on cli.github.com, then I can do something like
gh self-update
to get the latest version, without having to figure out how I installed in the first place, or how to update it without ending up in a broken state with multiple competing versions.But much better would be to just fix the packaging.
The importance of the issue seems to be critical since it breaks all workflows/… containing any related update inside. Probably we can mention @vilmibm here for visibility 😃
With Debian, just follow the installation instructions and you’re done. (You don’t need to delete the previous key)
Well, the cli still works for now. The only “fix” is to wait for Mr. Nate Smith to publish their updated key.
Re the suggestions of installing the latest package, here’s a, um, one line that does it (sprinkle
sudo
to taste):This should be fine for short-term installation (= docker images).
For longer term setups (eg, your work machine):
APT::Update::Post-Invoke-Success
hook(And just because I suspect that this will be taken seriously, given the lack of a roaring laughter soundtrack when reading the above suggestions: it’s not. This comment said it nicely.)
Good work everyone. I’m running Ubuntu 22.04 LTS and had this issue as well. After doing
sudo apt-key del C99B11DEB97541F0 && sudo rm /etc/apt/sources.list.d/github-cli.list
and reinstalling through the installation instructions, everything worked perfectly.@sebma , the only command you miss is
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 23F3D4EA75716059
It is the simplest way to import the new key from trusted root server.I also received this error on my nvidia jetson xavier when running
sudo apt update
. To resolve this error, I manually downloaded the gpg key into the directory listed in thesigned-by
attribute within the/etc/apt/sources.list.d/github-cli.list
Command I ran:
@aucampia Thanks for sharing the solution for Fedora!
Going forward, we’ll try to manage the new key in a better way— starting with it being owned by the organization, and updating its expiry date when it’s time. I am also learning about the approach of distributing public keys as packages as well, and considering it as public key upgrade mechanism for the future when this one expires.
@elibarzilay thanks for the very handy script! For those of us less fluent in Bash, here’s the same one-liner adapted into a more verbose docker command.
It is worth pointing out to any relatively inexperienced users that this is not a “fix” if you want to install using
apt
. This will removegh
from theapt
repository resulting in the following:apt
will still be able to see any pre-existing install ofgh
that it did for youapt
will be able to uninstall any such pre-existingapt
-based installapt
uninstalls it,gh
will no longer be listed in yourapt
repositoriesTL;DR - this is a great way to keep
apt
from throwing error messages because of the invalid key. If you do this you may want to uninstall anyapt
-based installations ofgh
and start maintaininggh
by direct download or by usingsnap
.Many of us in that boat amigo.
Let’s hope that gpgkey exchange/update will be done successfully by @vilmibm @mislav before Sep, 6th 2024 😉
Another note: On Fedora 35 onwards we don’t need the extra repo gh-cli anymore. I found that package gh is in official Fedora repos now.
@robherley I’m using Ubuntu-based image with GH CLI installed via
apt-get
, and doapt-get update
in a workflow. But I see if I’m switching to a binary downloading instead - everything works nice. That resolves the problem!You can use the
--allow-unauthenticated
toapt
to install the package in the meantime without verification. Of course, this is somewhat of a security concern. You could also download the package directly from the releases page.but for me can not again install bcuz not connection to server cli.gh 😭 and i live in iran and can not connect to server for download
@iakov I found it : Just removed the old
signed-by
instruction which was pointing to the previous path/usr/share/keyrings/githubcli-archive-keyring.gpg
:@iakov Hi,
I just did what you proposed and the
sudo apt update
does not work either, same result :I think this issue can be closed? Seems it’s resolved for everyone involved
https://cli.github.com/packages/rpm/gh-cli.repo is still not updated to point to the new keyserver entry, so the dnf installation instructions are still broken.
See the comments above, @SofianeB : 1, 2. Which depends on how you added the repository and the repository name may be slightly different due to which (Debian based) distribution you are using.
Or, alternatively, you could liekly disable the Repository in your your GUI Package Manager; how you do this depends on which you have installed.
This is ridiculous, signing using someone’s personal GPG key. How can I remove it from apt list? I don’t find it anymore.
I think that much of the confusion is that with apt v2.4 the apt approved way of doing this changed. From “apt changelog apt”:
From “man apt-key”:
erAck is suggesting that people use the new apt policy, which does require the
signed-by
directive.Isu
@mislav Hi, on my Ubuntu 20.04 LTS, I typed this :
I see the expiration date is
2024-09-06
. I don’t understand what is wrong here. Any idea ?@DogaCUlupinar Strange! The key that apparently wasn’t found looks correct, and I can verify that it’s present on at least one of the keyservers that the
github-cli
feature uses. Could you report this to the https://github.com/devcontainers/features project?Yep, I can confirm it looks like it’s working now, once you update the locally-stored public key by following the instructions. Thanks for fixing this - the GPG signing of debian repos is a bit of a pain, yes, but it is an important safety measure. (Also it is not very much like using GPG for any other purpose, at least for automated publication like this.)
it works 🚀 🚀 🚀
If you’re not using gh (like I just wanted to learn about it) you can remove it from your package list:
Hello @robherley ! Thank you! I’m not pulling GitHub CLI in a workflow (it’s included to the basic image, self-hosted runner), I mean, if there is, e.g. something like
apt-get update
in a workflow, this will be affected (the examples that I have and that OP mentioned).