
Fix: databricks bundle deploy fails with “unable to verify checksums signature: openpgp: key expired”

The one-line fix

Upgrade the Databricks CLI to the patched build in your minor line (e.g. v0.297.1 → v0.297.2). In locked CI, set DATABRICKS_TF_EXEC_PATH to a pre-installed Terraform so the CLI skips its own signed download.

The error

Running databricks bundle deploy or databricks bundle validate fails with:

error downloading Terraform: unable to verify checksums signature: openpgp: key expired

This is not a problem with your bundle, your authentication, or your cloud. The CLI downloads a Terraform binary at deploy time and verifies its checksums against an OpenPGP signature; that signing key expired, so verification fails before any of your resources are touched.

Fix 1 — upgrade the CLI (recommended)

Databricks published patch releases across every supported minor line. The patch updates the verification mechanism to work with the current key, so upgrading to the patched build in your minor line resolves it. Check the CLI releases page for the exact patched build.

# Homebrew (macOS / Linux)
brew upgrade databricks

# Official install script (re-run to get the latest)
curl -fsSL https://raw.githubusercontent.com/databricks/setup-cli/main/install.sh | sh

# GitHub Actions — pin the version input to a patched build
# - uses: databricks/setup-cli@main
#   with:
#     version: 0.297.2   # use the patched build in YOUR minor line

Fix 2 — pin your own Terraform in CI (no CLI upgrade)

If you cannot bump the CLI version right now (pinned images, air-gapped runners), install Terraform yourself and point the CLI at it with DATABRICKS_TF_EXEC_PATH. The CLI then uses your binary instead of downloading and signature-verifying its own, which sidesteps the expired key entirely.

# GitHub Actions: use a pre-installed Terraform instead of the CLI's download
- uses: hashicorp/setup-terraform@v3
  with:
    terraform_wrapper: false          # so DATABRICKS_TF_EXEC_PATH gets a real binary
- name: Point the Databricks CLI at that Terraform
  run: echo "DATABRICKS_TF_EXEC_PATH=$(which terraform)" >> "$GITHUB_ENV"
- name: Deploy
  run: databricks bundle deploy

This is the community mitigation from databricks/cli #5022, not official docs. Upgrading the CLI (Fix 1) is the primary fix; use this for locked environments or to make deploys resilient to the next key expiry.
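With DATABRICKS_TF_EXEC_PATH set, the CLI no longer downloads and signature-verifies Terraform, so any integrity check on that binary has to come from the pipeline itself. The following is an added example, not code from the Databricks CLI or from issue #5022: a POSIX shell gate that exports the variable only when the binary matches a SHA-256 you recorded for a binary you verified yourself. The helper names and the TERRAFORM_SHA256 variable are assumptions.

```sh
# Added example: pin the Terraform binary by SHA-256 before handing it to the CLI.
# sha256_of, pin_ok and export_tf_exec_path are hypothetical helper names.

# sha256_of FILE: print the lowercase hex SHA-256 of FILE.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'   # macOS runners
  fi
}

# pin_ok FILE EXPECTED: succeed only if FILE is executable and hashes to EXPECTED.
pin_ok() {
  pin_expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -f "$1" ] && [ -x "$1" ] || return 2          # missing or not executable
  case $pin_expected in
    ''|*[!0-9a-f]*) return 3 ;;                    # pin is not hex
  esac
  [ "${#pin_expected}" -eq 64 ] || return 3        # pin is not a SHA-256
  [ "$(sha256_of "$1")" = "$pin_expected" ]
}

# export_tf_exec_path FILE EXPECTED ENV_FILE: append the variable to ENV_FILE
# (e.g. "$GITHUB_ENV") only when the pin matches; otherwise fail the step.
export_tf_exec_path() {
  if pin_ok "$1" "$2"; then
    printf 'DATABRICKS_TF_EXEC_PATH=%s\n' "$1" >> "$3"
  else
    echo "refusing $1: SHA-256 does not match the pinned value" >&2
    return 1
  fi
}

# Usage in a CI step (TERRAFORM_SHA256 is an assumed variable holding your pin):
#   export_tf_exec_path "$(command -v terraform)" "$TERRAFORM_SHA256" "$GITHUB_ENV"
```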

Why this happens

Databricks Asset Bundles run on Terraform under the hood. Rather than assume Terraform is installed, the CLI downloads a known-good Terraform binary and verifies it — checksum, then an OpenPGP signature over that checksum. OpenPGP keys carry an expiry date. When the key used for that signature passed its expiry, every CLI build still pinned to it started rejecting the (otherwise valid) download. That is why the failure appeared everywhere at once and why upgrading — or bypassing the download — resolves it.

April 2026 incident. This first hit widely on 2026-04-18 (UTC evening), breaking CI deploys globally. Databricks responded with patch releases across all minor lines. If you are seeing it now, you are almost certainly on a pre-patch CLI build — upgrade, or apply Fix 2.
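Because OpenPGP keys carry an expiry date, an approaching expiry can be watched for on any keyring a pipeline verifies against. The following is an added example, not the CLI's code: a shell check over `gpg --with-colons` output that reports expired and soon-to-expire keys. The helper names and sample key IDs are constructed, and epoch-second dates as printed by GnuPG 2.x are assumed.

```sh
# Added example: flag OpenPGP keys that are expired or expire within a window.
# expiring_keys and key_expiry_gate are hypothetical helper names.

# expiring_keys WINDOW_DAYS NOW_EPOCH: reads `gpg --with-colons` output on stdin
# and prints "STATE RECORD KEYID DAYS_LEFT" for each pub/sub key that is expired
# or expires within WINDOW_DAYS. Keys with no expiry (empty field 7) are skipped.
expiring_keys() {
  awk -F: -v window="$1" -v now="$2" '
    ($1 == "pub" || $1 == "sub") && $7 != "" {
      left = int(($7 - now) / 86400)              # field 7 = expiry, epoch seconds
      if ($7 + 0 <= now + 0)       state = "EXPIRED"
      else if (left <= window + 0) state = "EXPIRING"
      else next
      printf "%s %s %s %d\n", state, $1, $5, left # field 5 = key ID
    }'
}

# key_expiry_gate WINDOW_DAYS NOW_EPOCH: same input; prints findings and
# returns 1 if there are any, so a scheduled CI job fails ahead of the expiry.
key_expiry_gate() {
  gate_findings=$(expiring_keys "$1" "$2")
  [ -z "$gate_findings" ] && return 0
  printf '%s\n' "$gate_findings"
  return 1
}

# Constructed sample in gpg colon format (not real keys); "now" is 1700000000.
sample_keyring() {
  cat <<'EOF'
pub:e:4096:1:AAAAAAAAAAAAAAAA:1600000000:1699827200::-:::scESC::::::23::0:
uid:e::::1600000000::0000::Constructed Signing Key <sign@example.invalid>::::::::::0:
sub:-:4096:1:BBBBBBBBBBBBBBBB:1600000000:1700864000:::::s::::::23:
pub:-:4096:1:CCCCCCCCCCCCCCCC:1600000000:1734560000::-:::scESC::::::23::0:
pub:-:4096:1:DDDDDDDDDDDDDDDD:1600000000:::-:::scESC::::::23::0:
EOF
}

# Usage against a real key file (assumes GnuPG 2.x, which prints epoch dates):
#   gpg --show-keys --with-colons signing-key.asc | key_expiry_gate 30 "$(date +%s)"
```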

Frequently asked questions

What does "unable to verify checksums signature: openpgp: key expired" mean?

When you run databricks bundle deploy or validate, the CLI downloads a Terraform binary and verifies its checksums against an OpenPGP signature. That signing key expired, so verification fails and the deploy stops before it starts. It is not a problem with your bundle, your auth, or your cloud — it is the CLI's Terraform download step.

What is the fix?

Upgrade the Databricks CLI to the patched build in your minor line (for example v0.297.1 to v0.297.2, or v0.296.0 to v0.296.1). Databricks cut patch releases across every supported minor line; the patch updates the verification mechanism to work with the current key. Check the CLI releases page for the exact patched build matching your version.

How do I fix it in CI/CD without changing my CLI version?

Pre-install Terraform yourself (for example with hashicorp/setup-terraform) and set DATABRICKS_TF_EXEC_PATH to that binary's path. The CLI then uses your Terraform instead of downloading and verifying its own, which sidesteps the expired-key check entirely. This is the community mitigation for pinned/air-gapped pipelines; upgrading the CLI is the primary fix.

Will this happen again?

Yes, this class of failure recurs whenever a signing key expires. The durable protection is to stop relying on the CLI's built-in Terraform download in automation: pre-install Terraform and set DATABRICKS_TF_EXEC_PATH (optionally pin DATABRICKS_TF_VERSION) so deploys do not depend on a live, signature-verified download at all.

Sources

Independent troubleshooting reference by brickster.ai — not affiliated with Databricks. Verified against the sources above on 2026-07-04. Exact patched version numbers change per minor line; always confirm against the official releases page.