Certificate Expired Again

[jarod-durkin-sap]

Please fill out the issue checklist below and provide ALL the requested information.

• I reviewed open and closed github issues that may be related to my problem.
• I tried updating to the latest version of the CF CLI to see if it fixed my problem.
• I attempted to run the command with CF_TRACE=1 to help debug the issue.
• I am reporting a bug that others will be able to reproduce.

Describe the bug and the command you saw an issue with
When trying to install Cloud Foundry CLI on Ubuntu Debian, I get the following error after adding the signing key and trying to update package lists. apt-get update

Get:5 https://cf-cli-debian-repo.s3.amazonaws.com stable InRelease [4368 B]
Err:5 https://cf-cli-debian-repo.s3.amazonaws.com stable InRelease
  Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on C19C04748BF33B2E17863557172B5989FCD21EF8 is bad:            The primary key is not live   because: Expired on 2020-09-12T18:17:33Z
Reading package lists... Done
W: OpenPGP signature verification failed: https://cf-cli-debian-repo.s3.amazonaws.com stable InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on C19C04748BF33B2E17863557172B5989FCD21EF8 is bad:            The primary key is not live   because: Expired on 2020-09-12T18:17:33Z
E: The repository 'https://packages.cloudfoundry.org/debian stable InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

This also seems to happen every year around this time:
#3208
#2046

What happened
Unable to install Cloud Foundry CLI due to the package list not being signed.

Expected behavior
The package list should be able to update securely and successfully due to the expired key.

Exact Steps To Reproduce
Following instructions from install page for Ubuntu/Debian based Linux distributions:

wget -q -O - https://packages.cloudfoundry.org/debian/cli.cloudfoundry.org.key | sudo gpg --dearmor -o /usr/share/keyrings/cli.cloudfoundry.org.gpg
echo "deb [signed-by=/usr/share/keyrings/cli.cloudfoundry.org.gpg] https://packages.cloudfoundry.org/debian stable main" | sudo tee /etc/apt/sources.list.d/cloudfoundry-cli.list
sudo apt-get update

Provide more context
Running this inside of Ubuntu-based Docker container. Worked previously before this week.

Notes regarding V6 and V7 CLI support:

• V6:
  • Minimum supported version of CF Deployment: v7.0.0 (CAPI Release: 1.74.0 (APIs 2.128.0 and 3.63.0))
  • Maximum supported version of CF Deployment: v13.4.0 (CAPI Release: 1.94.0 (APIs 2.149.0 and 3.84.0))
• V7:
  • Minimum supported version of CF Deployment: v13.5.0 (CAPI Release: 1.95.0 (APIs 2.150.0 and 3.85.0))

[nils]

Can this be prioritized, please? It really jeopardizes the purpose of signed software when everybody has to work around this by accepting unsigned software again...

[anujc25]

This issue should be resolved by now. If yes, we should close this now. cc @gururajsh

[nils]

To me it doesn't look like it is resolved...

[vuil]

Any chance you still had the old key in your system? I did some tests and verified that the gpg key has been updated.

root@08653d8d92b5:/# apt-get update
...
Get:5 https://cf-cli-debian-repo.s3.amazonaws.com stable InRelease [4368 B]
Err:5 https://cf-cli-debian-repo.s3.amazonaws.com stable InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 172B5989FCD21EF8
Reading package lists... Done
W: GPG error: https://cf-cli-debian-repo.s3.amazonaws.com stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 172B5989FCD21EF8
E: The repository 'https://packages.cloudfoundry.org/debian stable InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.


root@08653d8d92b5:/# wget -q -O - https://packages.cloudfoundry.org/debian/cli.cloudfoundry.org.key | apt-key add -
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK
root@08653d8d92b5:/# apt-get update
...
Get:1 https://cf-cli-debian-repo.s3.amazonaws.com stable InRelease [4368 B]
Get:6 https://cf-cli-debian-repo.s3.amazonaws.com stable/main amd64 Packages [16.9 kB]
Fetched 21.2 kB in 5s (4306 B/s)
Reading package lists... Done
W: https://packages.cloudfoundry.org/debian/dists/stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.


root@08653d8d92b5:/# apt-get install cf8-cli
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  cf8-cli
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 7113 kB of archives.
After this operation, 27.8 MB of additional disk space will be used.
Get:1 https://packages.cloudfoundry.org/debian stable/main amd64 cf8-cli amd64 8.17.0 [7113 kB]
Fetched 7113 kB in 5s (1566 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package cf8-cli.
(Reading database ... 5110 files and directories currently installed.)
Preparing to unpack .../cf8-cli_8.17.0_amd64.deb ...
Unpacking cf8-cli (8.17.0) ...
Setting up cf8-cli (8.17.0) ...


# curl -s https://packages.cloudfoundry.org/debian/cli.cloudfoundry.org.key | gpg --import - ; gpg --list-keys | grep expire
...
pub   rsa4096 2018-09-13 [SC] [expires: 2026-09-11]
sub   rsa4096 2018-09-13 [E] [expires: 2026-09-11]

[nils]

Yes, you are right! I have used it in Docker, and forgot to rebuild the image without cache.