When installing Cursor IDE from APT, I get GPG signature mismatch

Support Bug Reports
,
1

Where does the bug appear (feature/product)?

Cursor IDE

Describe the Bug

I use a Docker file to prepare a Cursor IDE work environment, but recently I get an APT signature mismatch - see attached pictures.

Here are core error messages (from variation of reproduction steps, eg. using http instead of SSL):

Error 1:

1.755 Error: Failed to fetch /aptrepo/dists/stable/main/binary-amd64/Packages.gz Hash Sum mismatch
1.755 Hashes of expected file:
1.755 - Filesize:1446 [weak]
1.755 - SHA256:e85150dcfba692e3845c929ed0e1de3655ce4fd3da30bfb74c7b0fab683e96f4
1.755 - SHA1:55f56e243977529afda2c40af2bfe1083719c918 [weak]
1.755 - MD5Sum:7cd3228d7b8bf5326e9776b3fafe8f75 [weak]
1.755 Hashes of received file:
1.755 - SHA256:1e760526da3693259b244a9f3d46c62725c605e3201799c8fa43c130dce4dc76
1.755 - SHA1:eb4345fb44c92dea3dcbe012c25a9add518006e6 [weak]
1.755 - MD5Sum:eba76948a09dda489725e9d69c14426b [weak]
1.755 - Filesize:1446 [weak]
1.755 Last modification reported: Fri, 29 May 2026 17:02:48 +0000
1.755 Release file created at: Fri, 29 May 2026 09:28:51 +0000

Error 2:

7.692 Err:1 /aptrepo stable InRelease
7.692 SSL connection failed: error:0A000086:SSL routines::certificate verify failed / Success [IP: 104.18.16.128 443]

Error 3:

3.377 Warning: OpenPGP signature verification failed: /aptrepo stable InRelease: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY 42A1772E62E492D6
3.377 Error: The repository ‘ stable InRelease’ is not signed.

Steps to Reproduce

Consider the following Docker file:

FROM ubuntu:26.04

# Add Cursor's GPG key
RUN curl -fsSL https://downloads.cursor.com/keys/anysphere.asc \
  | gpg --dearmor \
  | tee /etc/apt/keyrings/cursor.gpg >/dev/null
RUN chmod 644 /etc/apt/keyrings/cursor.gpg

# Add the Cursor repository
RUN echo 'deb [arch=amd64 signed-by=/etc/apt/keyrings/cursor.gpg] https://downloads.cursor.com/aptrepo stable main' \
 | tee /etc/apt/sources.list.d/cursor.list

# Update and install
RUN apt update && apt install -y cursor

Expected Behavior

I have been using the above Dockerfile sniper for months and it worked. This is a regression bug.

Screenshots / Screen Recordings

Screenshot_20260530_144749.png
Screenshot_20260530_144749.png833×558 80.7 KB

Operating System

Linux

Version Information

Installation issue for APT after following instructions from:
/docs/get-started/quickstart

For AI issues: which model did you use?

N/A

For AI issues: add Request ID with privacy disabled

N/A

Additional Information

Most likely a regression where public GPG key did not get updated. I cannot use standalone DEB files, unless there is an universal URL to download the latest version - need to automate install task.

Does this stop you from using Cursor

Yes - Cursor is unusable

5

Hey, thanks for the detailed report with hashes and the Dockerfile. This is the same known issue on our side as described here: Hash Sum mismatch when apt update

In short, the apt repo metadata got out of sync. InRelease was signed before Packages.gz finished updating, so the hashes don’t match. You’re seeing the same SHA256 values as other reports. This isn’t an issue with your Dockerfile or system, and client-side workarounds like apt clean or wiping /var/lib/apt/lists/* won’t help. This needs a server-side fix. After the next publish cycle, the hashes usually match again, so the apt install path may start working on its own if you retry apt update later.

If you need to automate installation in Docker right now without waiting for the repo, you can pull the binary directly via the download API. Important: the endpoint returns JSON, not the file itself, so you need to extract the URL from the response, for example with jq:

RUN apt-get update && apt-get install -y curl jq \
 && DL_URL=$(curl -fsSL "https://www.cursor.com/api/download?platform=linux-x64&releaseTrack=stable" | jq -r '.downloadUrl') \
 && echo "Resolved download URL: $DL_URL"

For platform=linux-x64, this endpoint returns an AppImage link by default. To get a .deb, in the returned URL on downloads.cursor.com, replace the /appimage/ segment with /deb/. It still stays on official infrastructure:

.../production/client/linux/x64/appimage/Cursor-<ver>-<sha>...
                                ↓
.../production/client/linux/x64/deb/Cursor-<ver>-<sha>...

Then run curl -fsSL "$DEB_URL" -o /tmp/cursor.deb && apt install -y /tmp/cursor.deb. If you prefer the AppImage, you can run it directly, in Docker usually via --appimage-extract or with --no-sandbox.

We’ve logged the bug. I can’t share an ETA yet. Once there’s an update, I’ll reply in the thread.