Terraform Install GPG signature failing

[cajund]

Installing TF as part of a AWS CodeBuild step.

This was working fine last night, this morning, same code results in this error.

Thanks,

Codebuild Output

[Container] 2024/09/06 14:42:58.663996 Entering phase INSTALL
[Container] 2024/09/06 14:42:58.702957 Running command wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
--2024-09-06 14:42:59--  https://apt.releases.hashicorp.com/gpg
Resolving apt.releases.hashicorp.com (apt.releases.hashicorp.com)... 99.84.108.40, 99.84.108.36, 99.84.108.74, ...
Connecting to apt.releases.hashicorp.com (apt.releases.hashicorp.com)|99.84.108.40|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3980 (3.9K) [binary/octet-stream]
Saving to: ‘STDOUT’
     0K ...                                                   100% 2.84G=0s
2024-09-06 14:42:59 (2.84 GB/s) - written to stdout [3980/3980]
[Container] 2024/09/06 14:43:00.741024 Running command echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com jammy main
[Container] 2024/09/06 14:43:02.299032 Running command sudo apt update && sudo apt install terraform
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
Get:1 https://apt.corretto.aws stable InRelease [10.7 kB]
Get:2 https://apt.releases.hashicorp.com jammy InRelease [12.9 kB]
Get:3 https://cli.github.com/packages stable InRelease [3917 B]
Get:4 http://security.ubuntu.com/ubuntu jammy-security InRelease [129 kB]
Get:5 http://archive.ubuntu.com/ubuntu jammy InRelease [270 kB]
Get:6 https://apt.corretto.aws stable/main i386 Packages [4743 B]
Get:7 https://apt.corretto.aws stable/main amd64 Packages [19.2 kB]
Get:8 https://apt.releases.hashicorp.com jammy/main i386 Packages [78.6 kB]
Get:9 https://apt.releases.hashicorp.com jammy/main amd64 Packages [184 kB]
Get:10 http://archive.ubuntu.com/ubuntu jammy-updates InRelease [128 kB]
Get:11 http://archive.ubuntu.com/ubuntu jammy-backports InRelease [127 kB]
Err:3 https://cli.github.com/packages stable InRelease
  The following signatures were invalid: EXPKEYSIG 23F3D4EA75716059 GitHub CLI <[email protected]>
Get:12 http://security.ubuntu.com/ubuntu jammy-security/multiverse amd64 Packages [44.7 kB]
Get:13 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages [1792 kB]
Get:14 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages [2224 kB]
Get:15 http://archive.ubuntu.com/ubuntu jammy/multiverse i386 Packages [134 kB]
Get:16 http://archive.ubuntu.com/ubuntu jammy/main i386 Packages [1324 kB]
Get:17 http://archive.ubuntu.com/ubuntu jammy/restricted amd64 Packages [164 kB]
Get:18 http://security.ubuntu.com/ubuntu jammy-security/multiverse i386 Packages [1338 B]
Get:19 http://security.ubuntu.com/ubuntu jammy-security/restricted i386 Packages [45.6 kB]
Get:20 http://security.ubuntu.com/ubuntu jammy-security/universe i386 Packages [781 kB]
Get:21 http://archive.ubuntu.com/ubuntu jammy/universe i386 Packages [9385 kB]
Get:22 http://security.ubuntu.com/ubuntu jammy-security/restricted amd64 Packages [2967 kB]
Get:23 http://security.ubuntu.com/ubuntu jammy-security/universe amd64 Packages [1149 kB]
Get:24 http://security.ubuntu.com/ubuntu jammy-security/main i386 Packages [660 kB]
Get:25 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages [17.5 MB]
Get:26 http://archive.ubuntu.com/ubuntu jammy/multiverse amd64 Packages [266 kB]
Get:27 http://archive.ubuntu.com/ubuntu jammy/restricted i386 Packages [36.7 kB]
Get:28 http://archive.ubuntu.com/ubuntu jammy-updates/restricted i386 Packages [47.6 kB]
Get:29 http://archive.ubuntu.com/ubuntu jammy-updates/main i386 Packages [860 kB]
Get:30 http://archive.ubuntu.com/ubuntu jammy-updates/restricted amd64 Packages [3045 kB]
Get:31 http://archive.ubuntu.com/ubuntu jammy-updates/multiverse i386 Packages [5048 B]
Get:32 http://archive.ubuntu.com/ubuntu jammy-updates/universe i386 Packages [912 kB]
Get:33 http://archive.ubuntu.com/ubuntu jammy-updates/multiverse amd64 Packages [51.8 kB]
Get:34 http://archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages [1438 kB]
Get:35 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages [2499 kB]
Get:36 http://archive.ubuntu.com/ubuntu jammy-backports/universe amd64 Packages [33.7 kB]
Get:37 http://archive.ubuntu.com/ubuntu jammy-backports/universe i386 Packages [19.8 kB]
Get:38 http://archive.ubuntu.com/ubuntu jammy-backports/main i386 Packages [71.5 kB]
Get:39 http://archive.ubuntu.com/ubuntu jammy-backports/main amd64 Packages [81.4 kB]
Reading package lists...
W: GPG error: https://cli.github.com/packages stable InRelease: The following signatures were invalid: EXPKEYSIG 23F3D4EA75716059 GitHub CLI <[email protected]>
E: The repository 'https://cli.github.com/packages stable InRelease' is not signed.
[Container] 2024/09/06 14:43:10.484834 Command did not exit successfully sudo apt update && sudo apt install terraform exit status 100
[Container] 2024/09/06 14:43:10.489441 Phase complete: INSTALL State: FAILED
[Container] 2024/09/06 14:43:10.489462 Phase context status code: COMMAND_EXECUTION_ERROR Message: Error while executing command: sudo apt update && sudo apt install terraform. Reason: exit status 100

Expected Behavior

Terraform should have installed properly

Actual Behavior

This was returned:

W: GPG error: https://cli.github.com/packages stable InRelease: The following signatures were invalid: EXPKEYSIG 23F3D4EA75716059 GitHub CLI <[email protected]>
E: The repository 'https://cli.github.com/packages stable InRelease' is not signed.

[williammartin]

Hi folks, many apologies for the troubles from the GitHub CLI.

First of all, you can find more details here: cli/cli#9569

I'm not sure exactly what the setup here is for Terraform but it seems like some previous step has probably downloaded or baked in the old apt repository GPG key. You will need to download the new key before proceeding. There are some instructions for this in the aforementioned issue.

Since you mentioned AWS CodeBuild, this may be related to aws/aws-codebuild-docker-images#739

As you find out more about this specific case, it would be awesome if you could update this issue so we can track it and update our instructions and so that we can proactively reach out.

Again, very sorry for the inconvenience 🙏

[cajund]

Thanks @williammartin. I also just found this issue.

[cajund]

@williammartin

The instructions here have worked form me: cli/cli#9569

Here's the AWS CodeBuild script I am using (3rd line is new):

  install:
    commands:
      - wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
      - echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
      - wget -qO- https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null  && chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg
      - sudo apt update && sudo apt install terraform

Thanks again.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.