Can't install / update gh due to expired GPG key?
#9569
Comments
Relates #9569 Having been 2 years since the GitHub CLI changed GPG keys used to sign our releases, it no longer seems relevant to keep these notes in our installation docs as they are confusing to the uninitiated.
Relates #9569 Updates notes from older 2 year GPG ID change to redirect users in case of GPG errors to recent issue.
|
Note that an earlier version of the instructions used the location Alternatively, one could of course download the updated key to |
@rrthomas : Great call out! 🙇 This change originated in #8693 back in early Feb 2024 for anyone wanting to see the older documentation changes and understand the motivations. UPDATE: The instructions above have been enhanced to account for this older approach 👏 |
|
NB: if you can't run the apt update to install wget because of the problem we are all trying to solve you can use curl to curl -sS https://cli.github.com/packages/githubcli-archive-keyring.gpg -o |
|
I encountered an issue with my expired GPG key related to GitHub CLI today. Thankfully, @andyfeller's solutions worked for me. |
|
Slight issue in the Fedora instructions: Current:
Suggest:
Also in --> Option 2: You don't want to reinstall gh |
|
Thanks @leifmadsen, updated. |
Sorry, can you also adjust this?
-->
|
This is a proposed work around to the expired GPG issue with the GitHub CLI packages - cli/cli#9569. The better fix is to support new keys, but this works and should be relatively safe as we know and mostly trust the source of the deb. It's a big improvement on the orb being broken as it is today.
|
Thanks for the help @andyfeller and @kdarndt. This worked like magic. I followed "Installed via apt" for my RaspberryPi |
|
Thanks for the help @andyfeller These two blocks solve the problem for me if [ -f /usr/share/keyrings/githubcli-archive-keyring.gpg ]; then
keyring_path="/usr/share/keyrings/githubcli-archive-keyring.gpg"
else
keyring_path="/etc/apt/keyrings/githubcli-archive-keyring.gpg"
fi
# Download and set up the keyring
wget -qO- https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo tee "$keyring_path" > /dev/null \
&& sudo chmod go+r "$keyring_path" |
This comment was marked as spam.
This comment was marked as spam.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cli/cli](https://redirect.github.com/cli/cli) | minor | `v2.55.0` -> `v2.56.0` | --- ### Release Notes <details> <summary>cli/cli (cli/cli)</summary> ### [`v2.56.0`](https://redirect.github.com/cli/cli/releases/tag/v2.56.0): GitHub CLI 2.56.0 [Compare Source](https://redirect.github.com/cli/cli/compare/v2.55.0...v2.56.0) #### Important note about renewed GPG key The Debian and RedHat releases have been signed with a new GPG key. If you are experiencing issues updating your `.deb` or `.rpm` packages, please read [cli/cli#9569](https://redirect.github.com/cli/cli/issues/9569). #### What's Changed - Always print URL scheme to stdout by [@​heaths](https://redirect.github.com/heaths) in [cli/cli#9471 - Quote repo names consistently in `gh repo sync` stdout by [@​muzimuzhi](https://redirect.github.com/muzimuzhi) in [cli/cli#9491 - Fetch bundle from OCI registry for verify by [@​ejahnGithub](https://redirect.github.com/ejahnGithub) in [cli/cli#9421 - Remove `Internal` from `gh repo create` prompt when owner is not an org by [@​jtmcg](https://redirect.github.com/jtmcg) in [cli/cli#9465 - Drop surplus trailing space char in flag names in web by [@​muzimuzhi](https://redirect.github.com/muzimuzhi) in [cli/cli#9495 - fix the trimming of log filenames for `gh run view` by [@​benebsiny](https://redirect.github.com/benebsiny) in [cli/cli#9482 - "offline" verification using the bundle of attestations without any additional handling of the file by [@​aryanbhosale](https://redirect.github.com/aryanbhosale) in [cli/cli#9523 - build(deps): bump actions/attest-build-provenance from 1.4.1 to 1.4.2 by [@​dependabot](https://redirect.github.com/dependabot) in [cli/cli#9518 - Fix doc typo for `repo sync` by [@​muzimuzhi](https://redirect.github.com/muzimuzhi) in [cli/cli#9509 - Correct the help message for -F by [@​Goooler](https://redirect.github.com/Goooler) in [cli/cli#9525 - chore: fix some function names by [@​crystalstall](https://redirect.github.com/crystalstall) in [cli/cli#9555 - verify 2nd artifact without swapping order by [@​aryanbhosale](https://redirect.github.com/aryanbhosale) in [cli/cli#9532 - `gh attestation verify` handles empty JSONL files by [@​malancas](https://redirect.github.com/malancas) in [cli/cli#9541 - Enhance Linux installation docs to redirect users to GPG renewal issue, better troubleshooting support by [@​andyfeller](https://redirect.github.com/andyfeller) in [cli/cli#9573 - Upgrade sigstore-go to v0.6.1 by [@​codysoyland](https://redirect.github.com/codysoyland) in [cli/cli#9566 - Check for nil values to prevent nil dereference panic by [@​codysoyland](https://redirect.github.com/codysoyland) in [cli/cli#9578 - build(deps): bump actions/attest-build-provenance from 1.4.2 to 1.4.3 by [@​dependabot](https://redirect.github.com/dependabot) in [cli/cli#9575 #### New Contributors - [@​aryanbhosale](https://redirect.github.com/aryanbhosale) made their first contribution in [cli/cli#9523 - [@​Goooler](https://redirect.github.com/Goooler) made their first contribution in [cli/cli#9525 - [@​crystalstall](https://redirect.github.com/crystalstall) made their first contribution in [cli/cli#9555 **Full Changelog**: cli/cli@v2.55.0...v2.56.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/izumin5210/dotfiles). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC43NC4xIiwidXBkYXRlZEluVmVyIjoiMzguNzQuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: izumin5210-update-aqua-checksum[bot] <169593670+izumin5210-update-aqua-checksum[bot]@users.noreply.github.com>
|
Hi, I have come across this issue and adding up my 2c hoping they will be helpful as a one-stop solution for future users reading this thread. Solution is a grab-and-go for Debian based distros. keypath=$(cat /etc/apt/sources.list.d/github-cli.list | grep -oE '/[^]]*' | head -n1)
cat "$keypath"
sudo -E rm -rf "$keypath"
curl -sS https://cli.github.com/packages/githubcli-archive-keyring.gpg -o /tmp/githubcli-archive-keyring.gpg
sudo mv /tmp/githubcli-archive-keyring.gpg /etc/apt/keyrings/githubcli-archive-keyring.gpg
sudo -E sed -i 's,/usr/share/keyrings,/etc/apt/keyrings,g' /etc/apt/sources.list.d/github-cli.list |
|
@pirafrank that looks good to me. Just making sure I understand correctly, this is equivalent to the script provided in the original issue description except that it will also update the |
|
@williammartin yes, and I think it's a more straightforward solution (minus the |
|
In the dnf steps, option 1 (reinstall) will not work, it will keep complaining even if you remove the key from rpm. I was required to go with option 2 to fetch key and feed it for rpm and after this dnf installation worked. Problem is though that I did this already with last update and now I had to do this again ... will this be happening with each gh update? |
|
@tpalli thanks for letting us know. Option 1 worked for us during our investigation but it's good to know that there might be issues.
I wonder if your problem with Option 1 relates to this. You should only need to do this once. After you get the new key and |
aptdnfapt-keyWhat's going to happen?
On Friday 6th September at approximately 11:17 am UTC, the GPG key used to verify our
.deband.rpmpackage repository contents will expire.This will impact
apt updateanddnf install / updateusage, which will look something like the following:or
If you have not previously installed the GitHub CLI via our package repositories, there should be no impact for you.
What are we doing about it?
We have extended the expiration dates on our key, which is available at https://cli.github.com/packages/githubcli-archive-keyring.gpg and on the following keyservers with the
2C6106201985B60E6C7AC87323F3D4EA75716059ID:keys.openpgp.orgkeyserver.ubuntu.comWhat do you need to do about it?
Important
This section will be updated as more information becomes available.
You will need to get this new key from one of the sources mentioned ☝️ above, which be achieved in multiple ways depending on your setup.
Installed via
aptIf you followed our
aptinstructions, you should be able to run them again. Depending on when you ran these instructions, you may have placed the old keyring in a different location to the current instructions; the script below accounts for this difference by using the file location you previously used.The important line is:
Which will fetch the new key and overwrite the expired one. From this point you should be able to
apt updatesuccessfully, andapt upgrade ghsuccessfully (once we have created a new release).Docker build failing?
If your Docker build is failing as in aws/aws-codebuild-docker-images#739, most likely there is a layer in your image that previously added our package repository, and you have a later layer running
apt update.If you have control of the offending layer, you can re-build it so that it pulls the latest key. If you're searching for the layer, it most likely has a line that looks like
wget -qO- https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null.If you don't have control of the offending layer, you have two options:
You can add a new layer before the
apt updatethat fetches the new key:Or, if you aren't using
ghand it just happens to be in the base image you are using, you can remove the repository so thatapt updateno longer tries to verify it:Installed via
dnfIf you followed our
dnfinstructions, you will need to remove the expired key from therpmcache before downloading the new key.Option 1: You are comfortable reinstalling
ghFind and remove the old key:
Under most circumstances we expect the key to be named
gpg-pubkey-75716059-63172e8abut you can otherwise identify the correct key by checking whether a key's Packager is is "opensource+cli@github.com" e.g.Removing and reinstalling
gh:Option 2: You don't want to reinstall
ghIn #6175 (comment), there was another suggested approach to download the keyring, create an
.ascfile from it, and import that intorpm:Find and remove the old key like Option 1:
Download new key and import into
rpmkeyring:curl -fsSL -o /var/tmp/githubcli-archive-keyring.gpg https://cli.github.com/packages/githubcli-archive-keyring.gpg gpg --keyring /var/tmp/githubcli-archive-keyring.gpg --no-default-keyring --export --armor > /var/tmp/githubcli-archive-keyring.asc sudo rpm --import /var/tmp/githubcli-archive-keyring.ascPotential issue with Fedora
During our testing in Fedora 38, we encountered a sporadic error we believe will be fixed when a new release is created:
This appears to be due to Fedora 38 enforcing a strict policy about the contents of the public key. Some contents are stripped from the key when extending the expiration. We were only able to reproduce this error using the script above, and not when removing and reinstalling
gh.Again, we believe that this will be resolved when we do a release, and the
rpmpackage repository contents are re-signed with the new, extended expiration private key.More reading: rpm-software-management/rpm-sequoia#46
Obtained the key from a keyserver
You can fetch the new key by running:
Obtained the key using
apt-keyYou can fetch the new key by running:
What are we going to do next?
We want to work with our community to devise smoother package management experience
We have created Ensure a smoother GPG key update process for September 2026 expiration #9572 to track improvements for how the GitHub CLI keys can be distributed for a smoother, native package management experience.
If you or someone you know has experience with managing
aptandrpmrepository keys in OSS, we would love to hear from you on the aforementioned issue.We will address issues raised by the community and GitHub support
The information here is our best effort to account for the myriad ways that
ghis installed, however it isn't definitive.If you run into any problems, please follow up here.
We are going to ensure future releases with new key work as expected
The information captured here is to ensure past releases, which were signed by our key are still usable.
We plan to cut a new release with the new key on Fri Sep 6th to ensure full confidence that future releases work seamlessly.
How did this happen?
Since the last time this key expired, the entire GitHub CLI team has changed, resulting in a loss of institutional knowledge. Unfortunately, the current team was unaware of the timebomb in this part of our release process.
Final Notes
Firstly, thanks to @kdarndt for raising awareness to these concerns in #9562!
Secondly, we want to apologise for the inconvenience this may have caused you. Hopefully through #9572 we can avoid it happening again.
Finally, thank you for your patience and understanding along with any constructive insights you can share.
The text was updated successfully, but these errors were encountered: