validate.sh fetches the Codecov GPG signing key from Keybase:
echo "$(curl -s https://keybase.io/codecovsecurity/pgp_keys.asc)" | \
gpg --no-default-keyring --import
As of approximately June 2nd 2026, https://keybase.io/codecovsecurity/pgp_keys.asc returns HTTP 404. The account or key has been removed from Keybase. curl -s silently returns an empty body, GPG fails with:
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
This causes every CI job using the wrapper to fail at the Validate CLI step, with no way to recover short of skipping validation entirely.
Expected behavior: The key is hosted at a stable, Codecov-controlled URL (e.g. keybase.io under Codecov's control, or cli.codecov.io alongside the binary and checksums).
Related: codecov/codecov-action#1876 tracks the intermittent version of this failure; this is the permanent version.
Workaround: Set CODECOV_SKIP_VALIDATION=true (note: skip_validation: true in the CircleCI orb is currently broken — codecov/codecov-circleci-orb#250).
validate.shfetches the Codecov GPG signing key from Keybase:As of approximately June 2nd 2026,
https://keybase.io/codecovsecurity/pgp_keys.ascreturns HTTP 404. The account or key has been removed from Keybase.curl -ssilently returns an empty body, GPG fails with:This causes every CI job using the wrapper to fail at the Validate CLI step, with no way to recover short of skipping validation entirely.
Expected behavior: The key is hosted at a stable, Codecov-controlled URL (e.g.
keybase.iounder Codecov's control, orcli.codecov.ioalongside the binary and checksums).Related: codecov/codecov-action#1876 tracks the intermittent version of this failure; this is the permanent version.
Workaround: Set
CODECOV_SKIP_VALIDATION=true(note:skip_validation: truein the CircleCI orb is currently broken — codecov/codecov-circleci-orb#250).