cli: GPG key expired

Please fill out the issue checklist below and provide ALL the requested information.

  • I reviewed open and closed github issues that may be related to my problem.
  • I tried updating to the latest version of the CF CLI to see if it fixed my problem.
  • I attempted to run the command with CF_TRACE=1 to help debug the issue.
  • I am reporting a bug that others will be able to reproduce.
  • If this is an issue for the v7 beta release, I’ve read through the official docs and the release notes.

Describe the bug and the command you saw an issue with

Provide details on what you were trying to do (and why).

Looks like the GPG key expired.

pub   rsa4096 2018-09-13 [SC] [expired: 2020-09-12]
      C19C 0474 8BF3 3B2E 1786  3557 172B 5989 FCD2 1EF8
uid           [ expired] CF CLI Team <cf-cli-eng@pivotal.io>

See prior ticket from 2018 (#1459).

What happened

A clear and concise description of what happened.

$ sudo apt update
Hit:1 http://us.archive.ubuntu.com/ubuntu bionic InRelease
Hit:2 http://security.ubuntu.com/ubuntu bionic-security InRelease                                                                                                   
Hit:3 https://deb.nodesource.com/node_12.x bionic InRelease                                                                                                         
Hit:4 http://us.archive.ubuntu.com/ubuntu bionic-updates InRelease                                                                                                  
Hit:5 http://dl.google.com/linux/chrome/deb stable InRelease                                                                                                  
Hit:6 http://apt.starkandwayne.com stable InRelease                                                                                     
Hit:7 http://us.archive.ubuntu.com/ubuntu bionic-backports InRelease                                                                    
Hit:8 http://ppa.launchpad.net/alexlarsson/flatpak/ubuntu bionic InRelease                                                      
Hit:10 http://ppa.launchpad.net/c.falco/mame/ubuntu bionic InRelease                                                                 
Hit:9 https://cf-cli-debian-repo.s3.amazonaws.com stable InRelease                                
Err:9 https://cf-cli-debian-repo.s3.amazonaws.com stable InRelease
  The following signatures were invalid: EXPKEYSIG 172B5989FCD21EF8 CF CLI Team <cf-cli-eng@pivotal.io>
Reading package lists... Done
Building dependency tree       
Reading state information... Done
All packages are up to date.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://cf-cli-debian-repo.s3.amazonaws.com stable InRelease: The following signatures were invalid: EXPKEYSIG 172B5989FCD21EF8 CF CLI Team <cf-cli-eng@pivotal.io>
W: Failed to fetch https://packages.cloudfoundry.org/debian/dists/stable/InRelease  The following signatures were invalid: EXPKEYSIG 172B5989FCD21EF8 CF CLI Team <cf-cli-eng@pivotal.io>
W: Some index files failed to download. They have been ignored, or old ones used instead.

Expected behavior

A clear and concise description of what you expected to happen.

Ability to update/install CF CLI.

To Reproduce

Steps to reproduce the behavior; include the exact CLI commands and verbose output:

  1. Run cf ...
  2. Bind a service cf bind-service
  3. See error

See above.

Provide more context

  • platform and shell details ( e.g. Mac OS X 10.11 iTerm)
  • version of the CLI you are running
  • version of the CC API Release you are on

Note: As of January 2019, we no longer support API versions older than CF Release v284/CF Deployment v1.7.0 (CAPI Release: 1.46.0 (APIs 2.100.0 and 3.35.0)).

Note: In order to complete the v7 beta cf CLI in a timely manner, we develop and test against the latest CAPI release candidate. When v7 cf CLI is generally available, we will start supporting official CC API releases again.

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 4
  • Comments: 31 (11 by maintainers)

Most upvoted comments

Hi everyone, we’ve regenerated our public key with an expiration date one year in the future and that key is available now. To add the new key to your list of apt’s trusted keys, run:

wget -q -O - https://packages.cloudfoundry.org/debian/cli.cloudfoundry.org.key | sudo apt-key add -

Once the key has been added you are good to install the CLI with our usual installation instructions (see v6, v7). We have tested the new key with both apt-get and rpm on both the latest versions of the cf CLI and on old versions.

cc @a-b

+1 for us and we are in trouble. Is there some workaround?

I should also add that I did try to update the key:

$ wget -q -O - https://packages.cloudfoundry.org/debian/cli.cloudfoundry.org.key | sudo apt-key add -
OK

And those are the responses after updating the key.

I think someone might want to automate this process or at least schedule a reminder as it reappears every year.
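
An added example, not part of the original thread or the CF CLI project's code: one way to implement the reminder suggested above is to parse `gpg --with-colons` output and flag the repository key before it expires. The function name, the 30-day window and the sample record (constructed from the key ID and dates shown in this issue, with midnight UTC assumed) are assumptions.

```shell
#!/bin/sh
# Added example: warn before an apt repository signing key expires.
# Reads a `gpg --with-colons` key listing on stdin. In "pub" records,
# field 5 is the key ID and field 7 the expiry as epoch seconds
# (empty when the key never expires).
#
# Prints "<keyid> <status> <days-left>" for every primary key and returns 1
# if any key is EXPIRED or expires within the warning window.
# usage: check_key_expiry NOW_EPOCH WARN_DAYS < colon-listing
check_key_expiry() {
    awk -F: -v now="$1" -v warn="$2" '
        $1 == "pub" {
            keyid = $5
            expires = $7
            if (expires == "") {
                status = "NO_EXPIRY"; days = "-"
            } else {
                days = int((expires - now) / 86400)
                if (expires + 0 <= now + 0) status = "EXPIRED"
                else if (days < warn + 0)   status = "EXPIRING"
                else                        status = "OK"
            }
            print keyid, status, days
            if (status == "EXPIRED" || status == "EXPIRING") bad = 1
        }
        END { exit bad + 0 }
    '
}

# Constructed sample listing: key ID and fingerprint as shown in the issue,
# created 2018-09-13, expires 2020-09-12 (times of day are assumed).
SAMPLE_KEY_LISTING='pub:-:4096:1:172B5989FCD21EF8:1536796800:1599868800::-:::sc:
fpr:::::::::C19C04748BF33B2E17863557172B5989FCD21EF8:
uid:-::::1536796800::::CF CLI Team <cf-cli-eng@pivotal.io>:'

# Demo: evaluate the sample as of ten days before its expiry.
printf '%s\n' "$SAMPLE_KEY_LISTING" | check_key_expiry 1599004800 30 \
    || echo "action needed: extend or rotate the signing key"

# Against the published key (needs network and a gpg with --show-keys):
#   wget -q -O - https://packages.cloudfoundry.org/debian/cli.cloudfoundry.org.key \
#     | gpg --show-keys --with-colons | check_key_expiry "$(date +%s)" 30
```

Run from a scheduled job, the non-zero exit status is what a pipeline or monitoring check would alert on.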

Some background, by way of explanation. Feel free to ignore this post unless you want some details about how this continues to happen.

Long ago, the CLI release process lived in the cloud, and it was Pretty Good™. However, the team slipped up, and we leaked signing keys. This led to a series of extreme measures which locked our release process down to a single, offline laptop and USB hardware containing our keys, all stored in separate physical lockers.

The implementation of the release process has been evolving in this offline environment into an ever-growing mess that under other circumstances would be kind of funny.

The good news is that we have been spending significant time and resources overhauling the process. We’re happy to report that we’ve almost completely re-implemented the release process (interestingly, leveraging Kubernetes), resulting in vastly improved build times (literally days to hours).

The bad news is that the signing infrastructure remains the final frontier (we hope), and for long enough that we tripped over it again this week.

We intend to continue pushing on this part of the process to finish what we started, but we’re not there yet.

the --allow-unauthenticated doesn’t work for me, I’m blocked

This works well for me, both in Gitlab and Bitbucket pipelines:

# Workaround as posted. The Acquire::Allow* options and --allow-unauthenticated
# make apt use the repository and install cf-cli without a valid signature.
apt-get update
apt-get install -y apt-transport-https wget gnupg git
wget -q -O - https://packages.cloudfoundry.org/debian/cli.cloudfoundry.org.key | apt-key add -
echo "deb https://packages.cloudfoundry.org/debian stable main" | tee /etc/apt/sources.list.d/cloudfoundry-cli.list
apt -o Acquire::AllowInsecureRepositories=true -o Acquire::AllowDowngradeToInsecureRepositories=true update
apt-get install --allow-unauthenticated -y cf-cli

For others who are unable to use this workaround: the fact that there appears to be a workaround is not altering our response. We’re working on fixing this as our top priority.

We’ve prioritized this as top of backlog, and will resolve it asap.

This appears to have occurred again this year.

For some reason it resurfaced today.

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://cf-cli-debian-repo.s3.amazonaws.com stable InRelease: The following signatures were invalid: EXPKEYSIG 172B5989FCD21EF8 CF CLI Team <cf-cli-eng@pivotal.io>
W: Failed to fetch https://packages.cloudfoundry.org/debian/dists/stable/InRelease  The following signatures were invalid: EXPKEYSIG 172B5989FCD21EF8 CF CLI Team <cf-cli-eng@pivotal.io>

The fix from https://github.com/cloudfoundry/cli/issues/2046#issuecomment-930545620 worked so I’m not reopening the issue.

I notice that all the problems happened in September: 2020, 2021, 2022. Recurring problems in the process for managing signatures?

@a-b any chance we didn’t get a permafix in place for binary signatures? Looks like it may be binary season again 😞

@a2geek ironically I ran into the same issue just a few minutes ago. +1

@astellingwerf we proactively rotated our key a couple of weeks ago.

Can you please try to update the previously cached key on your system:

wget -q -O - https://packages.cloudfoundry.org/debian/cli.cloudfoundry.org.key | sudo apt-key add -

Let us know if that helps.

I’m guessing that this key now also expired?

Err:9 https://cf-cli-debian-repo.s3.amazonaws.com stable InRelease
  The following signatures were invalid: EXPKEYSIG 172B5989FCD21EF8 CF CLI Team <cf-cli-eng@pivotal.io>
Fetched 2971 kB in 5s (565 kB/s)
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://cf-cli-debian-repo.s3.amazonaws.com stable InRelease: The following signatures were invalid: EXPKEYSIG 172B5989FCD21EF8 CF CLI Team <cf-cli-eng@pivotal.io>
W: Failed to fetch https://packages.cloudfoundry.org/debian/dists/stable/InRelease  The following signatures were invalid: EXPKEYSIG 172B5989FCD21EF8 CF CLI Team <cf-cli-eng@pivotal.io>
W: Some index files failed to download. They have been ignored, or old ones used instead.