cli: GPG key expired / regression on Linux repository (EXPKEYSIG)
Please fill out the issue checklist below and provide ALL the requested information.
- I reviewed open and closed github issues that may be related to my problem.
- I tried updating to the latest version of the CF CLI to see if it fixed my problem.
- I attempted to run the command with CF_TRACE=1 to help debug the issue.
- I am reporting a bug that others will be able to reproduce.
Describe the bug and the command you saw an issue with
Looks like your GPG key again expired, like in issue https://github.com/cloudfoundry/cli/issues/2046:
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://cf-cli-debian-repo.s3.amazonaws.com stable InRelease: The following signatures were invalid: EXPKEYSIG 172B5989FCD21EF8 CF CLI Team <cf-cli-eng@pivotal.io>
W: Failed to fetch https://packages.cloudfoundry.org/debian/dists/stable/InRelease The following signatures were invalid: EXPKEYSIG 172B5989FCD21EF8 CF CLI Team <cf-cli-eng@pivotal.io>
W: Some index files failed to download. They have been ignored, or old ones used instead.
What happened
A clear and concise description of what happened.
Cannot install CF CLI on Linux.
Expected behavior
A clear and concise description of what you expected to happen.
Can install CF CLI on Linux.
Exact Steps To Reproduce
Steps to reproduce the behavior; include the exact CLI commands and verbose output:
wget -q -O - https://packages.cloudfoundry.org/debian/cli.cloudfoundry.org.key | sudo apt-key add -
echo "deb https://packages.cloudfoundry.org/debian stable main" | sudo tee /etc/apt/sources.list.d/cloudfoundry-cli.list
sudo apt-get update
Provide more context
Debian
About this issue
- State: closed
- Created 10 months ago
- Reactions: 7
- Comments: 19 (2 by maintainers)
Commits related to this issue
- possible workaround for cg-cli https://github.com/cloudfoundry/cli/issues/2571#issuecomment-1713496406 — committed to GSA-TTS/FAC by asteel-gsa 10 months ago
CLI team is working on this.
These errors are really problematic for any teams that have implemented ci/cd, as that usually involves the CLI tool… Very painful, please fix ASAP!!!
@urquha as soon as Pivotal fixes the key, your scenario will start to work again.
This is an issue that happened a couple of times in the past already (this is why I put “regression” in the title initially).
Also in regards to the comments of @michelmueller and @Markus-Schroeder-de, everything you do on the apt-get side to allow insecure repositories is compromising your system security, as it will allow man-in-the-middle attacks to inject arbitrary code! A somewhat safe-ish bet on how to use the package anyways is what @sv320151774 suggested. I would definitely not consider setting AllowDowngradeToInsecureRepositories or allow-unauthenticated as it was pointed out by @michelmueller these options are not only “dirty & bad” but in the end insecure.
grr, it seems, if this happens every year in September.
Thanks for bringing it up. Debian should be fixed by now. Please test and let us know.
The RedHat will be fixed by cutting a new release because we sign rpms here. We will start release process tomorrow.
cc @ccjaimes , @moleske
We too are facing the below-mentioned issue while installing cf7-cli
W: GPG error: https://cf-cli-debian-repo.s3.amazonaws.com stable InRelease: The following signatures were invalid: EXPKEYSIG 172B5989FCD21EF8 CF CLI Team cf-cli-eng@pivotal.io
E: The repository ‘https://cf-cli-debian-repo.s3.amazonaws.com stable InRelease’ is not signed.
N: Updating from such a repository can’t be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
I tried raising awareness to the CLI team of Pivotal by sending an email to the DL they provided in the key.
Is there any sort of regression test in place which might prevent this from recurring in the future?
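An added example, not part of the original thread and not the CF CLI project's own tooling: one way to build the kind of regression check asked about above is a scheduled job that reads the repository key's expiry from GnuPG's colon listing and fails before the key lapses. The helper name check_key_expiry is hypothetical, and the timestamps and second key in the sample listing are constructed.

```shell
#!/usr/bin/env bash
# Added example: fail a scheduled job before a repository signing key expires.
# Input is GnuPG's colon listing, e.g. from:
#   wget -q -O - https://packages.cloudfoundry.org/debian/cli.cloudfoundry.org.key \
#     | gpg --show-keys --with-colons | check_key_expiry "$(date +%s)" 30
# Fields used: 1 = record type, 5 = key ID, 7 = expiry (epoch seconds, empty = none).

# check_key_expiry NOW_EPOCH WARN_DAYS   (hypothetical helper name)
# Prints one status line per primary key read from stdin.
# Exit status: 0 all fine, 1 a key expires within WARN_DAYS, 2 a key has expired.
check_key_expiry() {
  awk -F: -v now="$1" -v warn="$2" '
    $1 != "pub" { next }                      # only primary-key records
    $7 == ""    { printf "%s OK never-expires\n", $5; next }
    {
      days = int(($7 - now) / 86400)
      if ($7 <= now)        { printf "%s EXPIRED\n", $5;            if (rc < 2) rc = 2 }
      else if (days < warn) { printf "%s EXPIRING %d\n", $5, days;  if (rc < 1) rc = 1 }
      else                  { printf "%s OK %d\n", $5, days }
    }
    END { exit rc + 0 }'
}

# Constructed sample listing: the key ID is the one in the apt error above;
# creation/expiry timestamps and the second key are made up for illustration.
SAMPLE_LISTING='pub:e:4096:1:172B5989FCD21EF8:1500000000:1694000000::-:::sc::::::23::0:
uid:e::::1500000000::0000000000000000000000000000000000000000::CF CLI Team <cf-cli-eng@pivotal.io>::::::::::0:
pub:-:4096:1:AAAAAAAAAAAAAAAA:1500000000:::-:::scESC::::::23::0:'

# Demo: evaluate the sample as of a fixed "now" (1700000000), warning at 30 days.
printf '%s\n' "$SAMPLE_LISTING" | check_key_expiry 1700000000 30 \
  || echo "check failed with status $?"
```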
🎉 CF CLI v8.7.3 and v7.7.3 have been released! This includes the RedHat fix. Feel free to reopen in any case needed.
Working! Thanks so much @a-b & team!
To work around that issue, I replaced the existing apt-get update command with the following:
apt -o Acquire::AllowInsecureRepositories=true -o Acquire::AllowDowngradeToInsecureRepositories=true update
(thanks to https://github.com/cloudfoundry/cli/issues/2046#issuecomment-692238208)
Please note: the above mentioned command will compromise system security and is not recommended.
Download from URL and installed; this works for now
https://cli.run.pivotal.io/stable?release=debian64&source=github
dpkg -i cf7-cli-installer_7.7.2_x86-64.deb && apt-get install -f
Yes same here.