View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0009150Kali LinuxKali Package Bugpublic2025-05-02 13:492025-05-20 02:55
Reportermichiiii Assigned Toarnaudr  
PrioritynormalSeverityminorReproducibilityhave not tried
Status resolvedResolutionfixed 
Summary0009150: Kali AWS AMI images fail to deploy correctly due to missing new archive signing key
Description

When deploying Kali Linux from the official AWS AMI (e.g., ami-0047857697886e2c2), the instance fails to update packages during provisioning. The error is:

W: GPG error: http://kali.download/kali kali-rolling InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Missing key 827C8569F2518CC677FECA1AED65462EC8D5E4C5, which is needed to verify signature.
E: The repository 'http://kali.download/kali kali-rolling InRelease' is not signed.
This is due to the recent change in the Kali archive signing key (Kali blog announcement). As a result, cloud-init and any automation that relies on apt update or installing packages during instance launch fails, breaking automated deployments.

Steps to Reproduce:

Launch a new instance using the affected Kali AMI (e.g., ami-0047857697886e2c2)

Allow cloud-init or user-data scripts to run that perform apt update or install packages

Observe failure due to missing GPG key

Reproducibility:
Always (every deployment with current AMIs)

Additional Information:
The issue is resolved by manually installing the new key as described in the official blog post:

sudo wget https://archive.kali.org/archive-keyring.gpg -O /usr/share/keyrings/kali-archive-keyring.gpg
sudo apt update

However, this is not feasible for automated deployments at scale. Please update the official AWS Marketplace Kali AMIs to include the new keyring so that new instances work out-of-the-box.

Activities

michiiii

michiiii

2025-05-02 20:43

reporter   ~0020533

sorry, I just read it and it sound a bit rough. I really appreciate all the work you guys are doing. The post was just technical. So don´t take this as aggressive.
arnaudr

arnaudr

2025-05-03 07:08

manager   ~0020534

Heya! So the image was pushed out on AWS some days ago, but it's still under review. It's still going to take a few days until it gets accepted by AWS.

In any case: thanks for the ping!
arnaudr

arnaudr

2025-05-04 14:12

manager   ~0020536

Apparently it's done, the Kali AMIs is up to date now
michiiii

michiiii

2025-05-15 11:15

reporter   ~0020596

I tried it again. 

┌──(michi㉿kali)-[~]
└─$ sudo apt update
Get:1 http://kali.download/kali kali-rolling InRelease [41.5 kB]
Err:1 http://kali.download/kali kali-rolling InRelease
  Sub-process /usr/bin/sqv returned an error code (1), error message is: Missing key 827C8569F2518CC677FECA1AED65462EC8D5E4C5, which is needed to verify signature.
Warning: GPG error: http://kali.download/kali kali-rolling InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Missing key 827C8569F2518CC677FECA1AED65462EC8D5E4C5, which is needed to verify signature.
Error: The repository 'http://kali.download/kali kali-rolling InRelease' is not signed.
Notice: Updating from such a repository can't be done securely, and is therefore disabled by default.
Notice: See apt-secure(8) manpage for repository creation and user configuration details.

still getting the error.

This is the AMI I used:

Name
kali-last-snapshot-amd64-dev-manual-2025.05.01-804fcc46-63fc-4eb6-85a1-50e66d6c7215
Description
Kali Linux kali-last-snapshot (development build manual-2025.05.01)
Image ID
ami-078116c11af2eba38
Username
root

Catalog
AWS Marketplace AMIs
Published
2025-05-03T06:23:22.000Z
arnaudr

arnaudr

2025-05-16 02:10

manager   ~0020597

Can you try dpkg -l | grep kali-archive-keyring and paste the output please?

I checked the build logs of the Kali cloud images on my side, and I can confirm that it's the right keyring (version 2025.1) that is installed in it.
arnaudr

arnaudr

2025-05-19 06:20

manager   ~0020604

This time it should be fixed for good, we uploaded a new images and it seems it's public already. Can you please confirm?
michiiii

michiiii

2025-05-19 17:42

reporter   ~0020608

yes! nice thank you. It´s fixed

sudo apt update
Get:1 http://kali.download/kali kali-rolling InRelease [41.5 kB]
Get:2 http://kali.download/kali kali-rolling/main amd64 Packages [21.0 MB]
Get:3 http://kali.download/kali kali-rolling/main amd64 Contents (deb) [52.0 MB]
Get:4 http://kali.download/kali kali-rolling/contrib amd64 Packages [121 kB]
Get:5 http://kali.download/kali kali-rolling/contrib amd64 Contents (deb) [327 kB]
Get:6 http://kali.download/kali kali-rolling/non-free amd64 Packages [204 kB]
Get:7 http://kali.download/kali kali-rolling/non-free amd64 Contents (deb) [915 kB]
Get:8 http://kali.download/kali kali-rolling/non-free-firmware amd64 Packages [10.6 kB]
Get:9 http://kali.download/kali kali-rolling/non-free-firmware amd64 Contents (deb) [24.3 kB]
Fetched 74.6 MB in 9s (8208 kB/s)
218 packages can be upgraded. Run 'apt list --upgradable' to see them.

this is the output of dpkg -l | grep kali-archive-keyring with the new ami:

ii  kali-archive-keyring              2025.1                          all          GnuPG archive keys of the Kali archive
arnaudr

arnaudr

2025-05-20 02:55

manager   ~0020609

Great! Thanks again for the report, and sorry for the disruption. Have a nice day!

Issue History

Date Modified Username Field Change
2025-05-02 13:49 michiiii New Issue
2025-05-02 20:43 michiiii Note Added: 0020533
2025-05-03 07:08 arnaudr Note Added: 0020534
2025-05-04 14:12 arnaudr Note Added: 0020536
2025-05-15 11:15 michiiii Note Added: 0020596
2025-05-16 02:10 arnaudr Note Added: 0020597
2025-05-19 06:20 arnaudr Note Added: 0020604
2025-05-19 17:42 michiiii Note Added: 0020608
2025-05-20 02:55 arnaudr Note Added: 0020609
2025-05-20 02:55 arnaudr Assigned To => arnaudr
2025-05-20 02:55 arnaudr Status new => resolved
2025-05-20 02:55 arnaudr Resolution open => fixed