cli icon indicating copy to clipboard operation
cli copied to clipboard
verified publisher icon cloudfoundry

Certificate Expired Again

Open jarod-durkin-sap opened this issue 3 months ago • 3 comments

Please fill out the issue checklist below and provide ALL the requested information.

  • [x] I reviewed open and closed github issues that may be related to my problem.
  • [x] I tried updating to the latest version of the CF CLI to see if it fixed my problem.
  • [ ] I attempted to run the command with CF_TRACE=1 to help debug the issue.
  • [x] I am reporting a bug that others will be able to reproduce.

Describe the bug and the command you saw an issue with When trying to install Cloud Foundry CLI on Ubuntu Debian, I get the following error after adding the signing key and trying to update package lists. apt-get update

Get:5 https://cf-cli-debian-repo.s3.amazonaws.com stable InRelease [4368 B]
Err:5 https://cf-cli-debian-repo.s3.amazonaws.com stable InRelease
  Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on C19C04748BF33B2E17863557172B5989FCD21EF8 is bad:            The primary key is not live   because: Expired on 2020-09-12T18:17:33Z
Reading package lists... Done
W: OpenPGP signature verification failed: https://cf-cli-debian-repo.s3.amazonaws.com stable InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on C19C04748BF33B2E17863557172B5989FCD21EF8 is bad:            The primary key is not live   because: Expired on 2020-09-12T18:17:33Z
E: The repository 'https://packages.cloudfoundry.org/debian stable InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

This also seems to happen every year around this time: https://github.com/cloudfoundry/cli/issues/3208 https://github.com/cloudfoundry/cli/issues/2046

What happened Unable to install Cloud Foundry CLI due to the package list not being signed.

Expected behavior The package list should be able to update securely and successfully due to the expired key.

Exact Steps To Reproduce Following instructions from install page for Ubuntu/Debian based Linux distributions:

wget -q -O - https://packages.cloudfoundry.org/debian/cli.cloudfoundry.org.key | sudo gpg --dearmor -o /usr/share/keyrings/cli.cloudfoundry.org.gpg
echo "deb [signed-by=/usr/share/keyrings/cli.cloudfoundry.org.gpg] https://packages.cloudfoundry.org/debian stable main" | sudo tee /etc/apt/sources.list.d/cloudfoundry-cli.list
sudo apt-get update

Provide more context Running this inside of Ubuntu-based Docker container. Worked previously before this week.

Notes regarding V6 and V7 CLI support:

  • V6:
    • Minimum supported version of CF Deployment: v7.0.0 (CAPI Release: 1.74.0 (APIs 2.128.0 and 3.63.0))
    • Maximum supported version of CF Deployment: v13.4.0 (CAPI Release: 1.94.0 (APIs 2.149.0 and 3.84.0))
  • V7:
    • Minimum supported version of CF Deployment: v13.5.0 (CAPI Release: 1.95.0 (APIs 2.150.0 and 3.85.0))

jarod-durkin-sap avatar Sep 15 '25 15:09 jarod-durkin-sap

Can this be prioritized, please? It really jeopardizes the purpose of signed software when everybody has to work around this by accepting unsigned software again...

nils avatar Sep 25 '25 12:09 nils

This issue should be resolved by now. If yes, we should close this now. cc @gururajsh

anujc25 avatar Oct 30 '25 21:10 anujc25

To me it doesn't look like it is resolved...

nils avatar Nov 04 '25 13:11 nils