Description
Describe the feature
The PGP key that is used to sign the latest release for awscli-exe-linux-x86_64.zip will expire in less than 60 days:
pub rsa4096/0xA6310ACC4672475C 2019-09-18 [SC] [expires: 2025-07-24]
FB5DB77FD5C118B80511ADA8A6310ACC4672475C
uid AWS CLI Team <[email protected]>
See the verification instructions for the public key: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
The most recent signature was from 2 days ago and is still using FB5DB77FD5C118B80511ADA8A6310ACC4672475C to sign the release:
gpg --list-packets <(curl -s https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip.sig)
# off=0 ctb=89 tag=2 hlen=3 plen=563
:signature packet: algo 1, keyid A6310ACC4672475C
version 4, created 1748024135, md5len 0, sigclass 0x00
digest algo 10, begin of digest 58 2b
hashed subpkt 33 len 21 (issuer fpr v4 FB5DB77FD5C118B80511ADA8A6310ACC4672475C)
hashed subpkt 2 len 4 (sig created 2025-05-23)
subpkt 16 len 8 (issuer key ID A6310ACC4672475C)
data: [4094 bits]
https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip.sig
Use Case
Verifying the integrity of your downloaded zip file will fail in less than 60 days, and we have not yet distributed the newest version of the key so we can update our signature verification checks before the key expires.
Proposed Solution
A new release signature key should be created ahead of the key expiry for a smooth key transition. The release should be signed with both keys (old one expiring in less than 60 days and new one) until the old one is expired.
Other Information
No response
Acknowledgements
- I may be able to implement this feature request
- This feature might incur a breaking change
CLI version used
latest version from https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip
Environment details (OS name and version, etc.)
Linux
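The expiry check described in this issue can be automated on the verifying side. The script below is an added example, not part of the original issue or of the AWS CLI project: it parses `gpg --with-colons` key-listing output and warns when a pinned signing key is inside a threshold. The function names, the sample listing and the midnight-UTC timestamps are constructed assumptions; only the key ID, fingerprint, dates and signature creation time come from the issue.

```shell
#!/bin/sh
# Added example: warn before a pinned release-signing key expires.
# Input is `gpg --with-colons` key-listing output (GnuPG 2.x, epoch timestamps).

# days_until_expiry FINGERPRINT NOW_EPOCH < listing
# Prints whole days left, "never" or "expired"; exit status 2 if key not listed.
days_until_expiry() {
    awk -F: -v want="$1" -v now="$2" '
        # pub/sub records: field 7 is the expiry time, empty when none is set
        $1 == "pub" || $1 == "sub" { expiry = $7 }
        # the fpr record that follows carries the fingerprint in field 10
        $1 == "fpr" && $10 == want {
            found = 1
            if (expiry == "")       print "never"
            else if (expiry <= now) print "expired"
            else                    print int((expiry - now) / 86400)
            exit
        }
        END { if (!found) exit 2 }'
}

# expiry_alert FINGERPRINT NOW_EPOCH THRESHOLD_DAYS < listing
# Exit status: 0 ok, 1 expiring within threshold, 2 expired, 3 key not found.
expiry_alert() {
    left=$(days_until_expiry "$1" "$2") || { echo "UNKNOWN $1 not in listing"; return 3; }
    case $left in
        never)   echo "OK never expires" ;;
        expired) echo "CRITICAL expired"; return 2 ;;
        *)  if [ "$left" -lt "$3" ]; then
                echo "WARNING $left days left"; return 1
            fi
            echo "OK $left days left" ;;
    esac
}

# Constructed sample: key ID and fingerprint from the issue, timestamps taken as
# midnight UTC on the listed dates (2019-09-18 and 2025-07-24).
AWSCLI_FPR=FB5DB77FD5C118B80511ADA8A6310ACC4672475C
SAMPLE_LISTING='pub:-:4096:1:A6310ACC4672475C:1568764800:1753315200::-:::scSC::::::23::0:
fpr:::::::::FB5DB77FD5C118B80511ADA8A6310ACC4672475C:'
SAMPLE_NOW=1748196935   # constructed: two days after "created 1748024135"

printf '%s\n' "$SAMPLE_LISTING" | expiry_alert "$AWSCLI_FPR" "$SAMPLE_NOW" 60 || true
# Live use: gpg --with-colons --list-keys "$AWSCLI_FPR" | expiry_alert "$AWSCLI_FPR" "$(date +%s)" 60
```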