
Release signature key 0xA6310ACC4672475C expires in less than 60 days on 2025-07-24

Open tkren opened this issue 7 months ago • 2 comments

Describe the feature

The PGP key that is used to sign the latest release for awscli-exe-linux-x86_64.zip will expire in less than 60 days:

pub   rsa4096/0xA6310ACC4672475C 2019-09-18 [SC] [expires: 2025-07-24]
      FB5DB77FD5C118B80511ADA8A6310ACC4672475C
uid                              AWS CLI Team <[email protected]>

See the verification instructions for the public key: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html

The most recent signature was from 2 days ago and is still using FB5DB77FD5C118B80511ADA8A6310ACC4672475C to sign the release:

gpg --list-packets  <(curl -s https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip.sig)
# off=0 ctb=89 tag=2 hlen=3 plen=563
:signature packet: algo 1, keyid A6310ACC4672475C
        version 4, created 1748024135, md5len 0, sigclass 0x00
        digest algo 10, begin of digest 58 2b
        hashed subpkt 33 len 21 (issuer fpr v4 FB5DB77FD5C118B80511ADA8A6310ACC4672475C)
        hashed subpkt 2 len 4 (sig created 2025-05-23)
        subpkt 16 len 8 (issuer key ID A6310ACC4672475C)
        data: [4094 bits]

https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip.sig

Use Case

Verifying the integrity of your downloaded zip file will fail in less than 60 days and we have not yet distributed the newest version of the key so we can update our signature verification checks before the key expires.

Proposed Solution

A new release signature key should be created ahead of the key expiry for a smooth key transition. The release should be signed with both keys (old one expiring in less than 60 days and new one) until the old one is expired.

Other Information

No response

Acknowledgements

  • [ ] I may be able to implement this feature request
  • [ ] This feature might incur a breaking change

CLI version used

latest version from https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip

Environment details (OS name and version, etc.)

Linux

tkren, May 25 '25 23:05
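An added example, not part of the original issue or of the AWS CLI project: a monitoring check for the situation reported above, which warns before a pinned release-signing key expires. The function names, the sample listing and its timestamps are constructed for illustration, and the listing assumes GnuPG 2.x `--with-colons` output (expiry as epoch seconds).

```shell
#!/bin/sh
# Constructed sample in GnuPG 2.x --with-colons format (timestamps illustrative):
# "pub" field 7 = expiry in epoch seconds, "fpr" field 10 = fingerprint.
SAMPLE_LISTING='pub:-:4096:1:A6310ACC4672475C:1568764800:1753315200::-:::scSC:
fpr:::::::::FB5DB77FD5C118B80511ADA8A6310ACC4672475C:
pub:-:255:22:1111111111111111:1700000000:::-:::scSC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:'

# key_days_left FPR NOW: read a colon listing on stdin and print the whole days
# until primary key FPR expires ("never" if it has no expiry). Exit 2 if absent.
key_days_left() {
    awk -F: -v want="$1" -v now="$2" '
        $1 == "pub" { expiry = $7; primary = 1; next }
        $1 == "sub" { primary = 0; next }        # skip subkey fingerprints
        $1 == "fpr" && primary && $10 == want {
            found = 1
            if (expiry == "") { print "never"; exit }
            d = (expiry - now) / 86400
            days = int(d); if (d < days) days--  # floor, also once expired
            print days
            exit
        }
        END { if (!found) exit 2 }
    '
}

# check_key_expiry FPR NOW MIN_DAYS: 0 = enough time left, 1 = expires within
# MIN_DAYS (or already expired), 2 = key missing from the listing.
check_key_expiry() {
    left=$(key_days_left "$1" "$2") || return 2
    [ "$left" = never ] && return 0
    [ "$left" -ge "$3" ] || return 1
}

# Real use (needs the key in the local keyring):
#   gpg --batch --with-colons --list-keys "$FPR" | check_key_expiry "$FPR" "$(date +%s)" 60
# Demo on the constructed listing, two days after the signature timestamp
# 1748024135 shown in the issue:
FPR=FB5DB77FD5C118B80511ADA8A6310ACC4672475C
printf '%s\n' "$SAMPLE_LISTING" | key_days_left "$FPR" 1748196935   # prints 59
```

Run on a schedule, a non-zero exit from `check_key_expiry` gives advance notice to fetch and pin the refreshed public key before signature verification starts failing.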

Hello @tkren, thanks for reaching out. I will bring this up to the team and I will update you as soon as there are updates. If you have any questions, please do let me know. Thank you.

adev-code, Jun 10 '25 18:06

Hello @tkren, the team has decided to plan for this feature request. Moving forward and to track updates, please ensure to check our CLI changelog: https://raw.githubusercontent.com/aws/aws-cli/v2/CHANGELOG.rst Thank you.

adev-code, Jun 17 '25 21:06

@adev-code The signing key now expires in less than two weeks. The PGP key is embedded in the documentation, and documentation updates might take some time. Is the team still on track to have this completed by the deadline?

kellertk, Jul 11 '25 22:07

We have extended the expiration for the key. Everything works that you were using before and will continue to work past July 24, 2025. Documentation update is pending.

adev-code, Jul 15 '25 21:07

Where can we download the extended key? https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html still references the key with expiry on 2025-07-24:

gpg --import --import-options show-only <<EOF
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBF2Cr7UBEADJZHcgusOJl7ENSyumXh85z0TRV0xJorM2B/JL0kHOyigQluUG
ZMLhENaG0bYatdrKP+3H91lvK050pXwnO/R7fB/FSTouki4ciIx5OuLlnJZIxSzx
PqGl0mkxImLNbGWoi6Lto0LYxqHN2iQtzlwTVmq9733zd3XfcXrZ3+LblHAgEt5G
TfNxEKJ8soPLyWmwDH6HWCnjZ/aIQRBTIQ05uVeEoYxSh6wOai7ss/KveoSNBbYz
gbdzoqI2Y8cgH2nbfgp3DSasaLZEdCSsIsK1u05CinE7k2qZ7KgKAUIcT/cR/grk
C6VwsnDU0OUCideXcQ8WeHutqvgZH1JgKDbznoIzeQHJD238GEu+eKhRHcz8/jeG
94zkcgJOz3KbZGYMiTh277Fvj9zzvZsbMBCedV1BTg3TqgvdX4bdkhf5cH+7NtWO
lrFj6UwAsGukBTAOxC0l/dnSmZhJ7Z1KmEWilro/gOrjtOxqRQutlIqG22TaqoPG
fYVN+en3Zwbt97kcgZDwqbuykNt64oZWc4XKCa3mprEGC3IbJTBFqglXmZ7l9ywG
EEUJYOlb2XrSuPWml39beWdKM8kzr1OjnlOm6+lpTRCBfo0wa9F8YZRhHPAkwKkX
XDeOGpWRj4ohOx0d2GWkyV5xyN14p2tQOCdOODmz80yUTgRpPVQUtOEhXQARAQAB
tCFBV1MgQ0xJIFRlYW0gPGF3cy1jbGlAYW1hem9uLmNvbT6JAlQEEwEIAD4CGwMF
CwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQT7Xbd/1cEYuAURraimMQrMRnJHXAUC
ZqFYbwUJCv/cOgAKCRCmMQrMRnJHXKYuEAC+wtZ611qQtOl0t5spM9SWZuszbcyA
0xBAJq2pncnp6wdCOkuAPu4/R3UCIoD2C49MkLj9Y0Yvue8CCF6OIJ8L+fKBv2DI
yWZGmHL0p9wa/X8NCKQrKxK1gq5PuCzi3f3SqwfbZuZGeK/ubnmtttWXpUtuU/Iz
VR0u/0sAy3j4uTGKh2cX7XnZbSqgJhUk9H324mIJiSwzvw1Ker6xtH/LwdBeJCck
bVBdh3LZis4zuD4IZeBO1vRvjot3Oq4xadUv5RSPATg7T1kivrtLCnwvqc6L4LnF
0OkNysk94L3LQSHyQW2kQS1cVwr+yGUSiSp+VvMbAobAapmMJWP6e/dKyAUGIX6+
2waLdbBs2U7MXznx/2ayCLPH7qCY9cenbdj5JhG9ibVvFWqqhSo22B/URQE/CMrG
+3xXwtHEBoMyWEATr1tWwn2yyQGbkUGANneSDFiTFeoQvKNyyCFTFO1F2XKCcuDs
19nj34PE2TJilTG2QRlMr4D0NgwLLAMg2Los1CK6nXWnImYHKuaKS9LVaCoC8vu7
IRBik1NX6SjrQnftk0M9dY+s0ZbAN1gbdjZ8H3qlbl/4TxMdr87m8LP4FZIIo261
Eycv34pVkCePZiP+dgamEiQJ7IL4ZArio9mv6HbDGV6mLY45+l6/0EzCwkI5IyIf
BfWC9s/USgxchg==
=ptgS
-----END PGP PUBLIC KEY BLOCK-----
EOF
pub   rsa4096/0xA6310ACC4672475C 2019-09-18 [SC] [expires: 2025-07-24]
      FB5DB77FD5C118B80511ADA8A6310ACC4672475C
uid                              AWS CLI Team <[email protected]>

tkren, Jul 15 '25 23:07

@tkren We are working on updating the User Guide with the new public key ASAP. It will be updated before expiration.

aemous, Jul 16 '25 00:07

The key has been updated in the User Guide. Closing issue.

aemous, Jul 23 '25 10:07

This issue is now closed. Comments on closed issues are hard for our team to see. If you need more assistance, please open a new issue that references this one.

github-actions[bot], Jul 23 '25 10:07