GPG key used to sign debian packages is expired

[matt-allan]

Describe the bug

You can't install the CLI from the .deb package on Ubuntu or other Debian based systems as of today because the GPG key used to sign the package has expired.

Steps to reproduce the behavior

1. Attempt to follow the debian installation instructions

Expected vs actual behavior

The apt update step fails with the following error:

W: GPG error: https://cli.github.com/packages stable InRelease: The following signatures were invalid: EXPKEYSIG C99B11DEB97541F0 Nate Smith <vilmibm@github.com>
E: The repository 'https://cli.github.com/packages stable InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.

Logs

You can see the key expired today if you examine it:

I'm pretty sure this is the same issue as #6174.

[mahdikhaligh]

how fix this ...?

[michaelmior]

This is hitting me now trying to install the github-cli feature in Codespaces. My container fails to build because of this.

[azzydoesgit]

how fix this ...?

Well, the cli still works for now. The only "fix" is to wait for Mr. Nate Smith to publish their updated key.

[michaelmior]

You can use the --allow-unauthenticated to apt to install the package in the meantime without verification. Of course, this is somewhat of a security concern. You could also download the package directly from the releases page.

[dmitsf]

The importance of the issue seems to be critical since it breaks all workflows/... containing any related update inside.
Probably we can mention @vilmibm here for visibility :)

[vgrafe]

Pretty severe blocker for my team. This issue prevents us from building our devcontainers on our laptops.

[craftyc0der]

Many of us in that boat amigo.

[rmw]

Update: this is now fixed: #6175 (comment)

🚨 🚨 🚨 🚨 🚨 🚨 🚨 🚨 🚨 🚨 🚨 🚨 🚨

We are working on an update for Codespaces. (Update: #6175 (comment))

If you are seeing issues in Actions workflows, please share more details in this issue.

Manually, you are able to reset your system with sudo apt-key del C99B11DEB97541F0 && sudo rm /etc/apt/sources.list.d/github-cli.list

Also see #6175 (comment)

🚨 🚨 🚨 🚨 🚨 🚨 🚨 🚨 🚨 🚨 🚨 🚨 🚨

[robherley]

@dmitsf 👋 Hello from Actions! This should not impact all workflows, are you pulling the GitHub CLI from a package manager in your workflow?

Would also like to note that any GitHub hosted runners will have the CLI preinstalled as per: https://docs.github.com/en/actions/using-workflows/using-github-cli-in-workflows

[dmitsf]

Hello @robherley ! Thank you!
I'm not pulling GitHub CLI in a workflow (it's included to the basic image, self-hosted runner), I mean, if there is, e.g. something like apt-get update in a workflow, this will be affected (the examples that I have and that OP mentioned).