aws-cli icon indicating copy to clipboard operation
aws-cli copied to clipboard

Published 20 hours ago verified publisher icon aws

Feature Request: Hosting GPG Key

Open sigonzal3 opened this issue 4 years ago • 6 comments

Describe the solution you'd like

AWS has one GPG key available to download here: https://d1.awsstatic.com/security-center/aws-security-20190115-8490A11E.1746bab76c79738a45967dca72b2e5c5202aa6ad.asc

More info described here: https://aws.amazon.com/security/aws-pgp-public-key/

Unfortunately, AWS CLI uses a separate GPG key for verifying an installation: https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2-linux.html#v2-install-linux-validate

This GPG key don't have an URL that can be downloaded easily with scripts, forcing you to copy/paste the key and find a way to distribute it before running your scripts.

It would be nice that this GPG key is hosted somewhere curl friendly, with the naming of:

awscli-exe-linux-x86_64.zip.asc

Another option could be storing the GPG key in a keyserver, allowing to do:

gpg --keyserver ${KEY_SERVER} --receive-keys ${KEY}

This would help a lot for CI/CD, scripts, automation, even VSCode DevContainers setup.

sigonzal3 avatar Jun 16 '21 21:06 sigonzal3

Thanks for the feature request, @sigonzal3!

kdaily avatar Jun 16 '21 22:06 kdaily

@kdaily Could this issue receive a bit more attention and love please? Here is why this is quite important.

  1. Following the closed discussion here, developers/dev(sec)ops have a limited choice to install the AWS cli. See #4947
  2. In automated processes like creating a container image that rely on the cli and other tools, it nearly impossible to parse a HTML page to extract the PGP signing key in order to verify the signature. This obviously break automated processes.

It would be nice to :

  • Have the key hosted on a keyserver
  • Have the key hosted alongside the releases. Something like https://awscli.amazonaws.com/gpg-signing-key-$AWSCLI_VERSION.asc

aureq avatar Sep 26 '21 08:09 aureq

+1 on this. This would also help with providing updated keys when old ones expire. For example, at time of writing, the docs pages here and here have old keys that expired 2023-09-17, while the doc page here has the latest (that I could find) which expires 2024-07-26. Having a centrally-hosted place for this key would keep the docs DRY and up-to-date.

calebmckay avatar Dec 07 '23 18:12 calebmckay

+1 on this. This would also help with providing updated keys when old ones expire. For example, at time of writing, the docs pages here and here have old keys that expired 2023-09-17, while the doc page here has the latest (that I could find) which expires 2024-07-26. Having a centrally-hosted place for this key would keep the docs DRY and up-to-date.

And now we are at 2024-07-28 (as of the time of writing), this key has now also expired, but is still listed.

Lattyware avatar Jul 28 '24 16:07 Lattyware

2025 and still no action on this...

Drew-Daniels avatar Mar 17 '25 21:03 Drew-Daniels

How is this not a thing?

lechaimwilson avatar Jun 13 '25 19:06 lechaimwilson