Skip to content

Release signing key 0x51A8E050D0052E5D will expire in about one week #676

Description

@tkren

The PGP key that is used to sign the latest release for amazon-ssm-agent.rpm will expire in about one week:

pub   rsa4096/0x51A8E050D0052E5D 2025-01-22 [SCEA] [expires: 2026-07-15]
      4855A9E6833216D6A77D8FE451A8E050D0052E5D        
uid                              SSM Agent <ssm-agent-signer@amazon.com>

See also https://docs.aws.amazon.com/systems-manager/latest/userguide/verify-agent-signature.html, which acknowledges the issue, but no updated public key was published so far:

The following public key expires on 2026-07-15 (July 15, 2026). Systems Manager will publish a new public key in this topic before the old one expires. We encourage you to subscribe to the RSS feed for this topic to get a notification when the new key is available.

The most recent signature was still made with this key:

gpg --list-packets amazon-ssm-agent.rpm.sig 
# off=0 ctb=89 tag=2 hlen=3 plen=592
:signature packet: algo 1, keyid 51A8E050D0052E5D
        version 4, created 1782293037, md5len 0, sigclass 0x00
        digest algo 8, begin of digest 29 45
        hashed subpkt 33 len 21 (issuer fpr v4 4855A9E6833216D6A77D8FE451A8E050D0052E5D)
        hashed subpkt 2 len 4 (sig created 2026-06-24)
        hashed subpkt 28 len 27 (signer's user ID)
        subpkt 16 len 8 (issuer key ID 51A8E050D0052E5D)
        data: [4093 bits]

Verifying the integrity of the SSM agent rpm will fail in about one week. A new public key with extended lifetime has not yet been distributed. A new release signature public key should be created ahead of the key expiry for a smooth key transition.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions