Introduction
This article addresses a specific error encountered when attempting to add a new GPG key to the Terraform Enterprise Private Registry via the API. It explains why the "Cannot upload more than one key" error occurs and provides the steps to generate a valid single-key export.
Problem
When attempting to upload a GPG key to the Terraform Enterprise Private Registry using the API (specifically the POST /api/registry/private/v2/gpg-keys/ endpoint), the request fails.
The user observes the following error message in the API response:
Cannot upload more than one key
Cause
This error occurs when the GPG key payload sent to the API contains more than one public key.
This usually happens during the export process if the user exports keys based on an email address or name (e.g., gpg --export user@example.com) while having multiple keys associated with that identity in their local keyring.
Common scenarios include:
- There is an expired key and a new key sharing the same email address.
- There are multiple active keys associated with the same email address.
In these cases, GPG silently exports all matching keys into a single public key block. The Terraform Enterprise API strictly requires a single key per request, resulting in the validation error.
Solution
To resolve this, export the specific key by its unique fingerprint rather than by email address or user ID. Run gpg --list-keys to list all keys in the local keyring along with their fingerprints.
% gpg --list-keys
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
[keyboxd]
---------
pub   rsa3072 2025-11-21 [SC]
      B6DA972B2552E26480004F4A7950E6E24918DC8C
uid           [ultimate] $NAME (testing) <$EMAIL>
sub   rsa3072 2025-11-21 [E]
In this example, the fingerprint is B6DA972B2552E26480004F4A7950E6E24918DC8C and can be used as shown below:
gpg --armor --export B6DA972B2552E26480004F4A7950E6E24918DC8C
Outcome
When the payload contains a single GPG key, the API call should succeed.
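A pre-flight check for the condition described under Cause, as an added example (not HashiCorp code): it walks the OpenPGP packet headers of an armored export and counts primary public-key packets, so an export that matched several keys is caught before the API call. The function names and the sample export are constructed for illustration; the packet layout follows RFC 4880.

```python
import base64
PUBLIC_KEY = 6  # RFC 4880 tag for a primary key; subkeys (tag 14) are not counted

def dearmor(text: str) -> bytes:
    """Concatenate the decoded body of every armored public key block."""
    data, body, inside = b"", [], False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("-----BEGIN PGP PUBLIC KEY BLOCK"):
            inside, body = True, []
        elif line.startswith("-----END PGP PUBLIC KEY BLOCK"):
            data, inside = data + base64.b64decode("".join(body)), False
        elif inside and line and ":" not in line and not line.startswith("="):
            body.append(line)  # skips armor headers, blank line and CRC24 line
    return data

def packet_tags(data: bytes):
    """Yield each packet's tag by walking the headers (RFC 4880 section 4.2)."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet stream")
        if hdr & 0x40:  # new-format header
            tag, first = hdr & 0x3F, data[i]
            if first < 192:
                length, i = first, i + 1
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            elif first == 255:
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial body length not expected in a key")
        else:  # old-format header: length field of 1, 2 or 4 bytes
            tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
            if n == 8:
                raise ValueError("indeterminate length not expected in a key")
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag
        i += length

def count_primary_keys(armored: str) -> int:
    return sum(tag == PUBLIC_KEY for tag in packet_tags(dearmor(armored)))

def sample_export(keys: int) -> str:
    """Constructed test data: dummy packet bodies, not real key material."""
    pkt = lambda tag: bytes([0x80 | tag << 2 | 1, 0, 4]) + b"\0" * 4
    one = b"".join(pkt(t) for t in (6, 13, 2, 14, 2))  # pub, uid, sig, sub, sig
    b64 = base64.b64encode(one * keys).decode()
    return f"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n{b64}\n-----END PGP PUBLIC KEY BLOCK-----\n"
```

Pass the text produced by gpg --armor --export to count_primary_keys before building the request; a result greater than 1 is the condition behind the "Cannot upload more than one key" error.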