For security reasons, the Kubernetes Native Appian license signing key is rotated approximately every two years.
The license appian.lic is digitally signed using a private signing key, while the Appian Operator contains the corresponding public key used to validate those licenses. When the signing key is rotated, the Appian Operator must contain the updated public key to validate licenses signed with the new private key.
As a result, customers must upgrade their Appian Operator before requesting a new license generated after a signing key rotation.
Failed to verify signature #l with key …
Why is the signing key rotated?
Rotating signing keys is a standard security practice that helps maintain the integrity and security of digitally signed licenses.
Do existing licenses stop working after the rotation?
No. Existing licenses continue to function as normal. The change only affects newly generated licenses signed with the new signing key.
Can customers upgrade the Appian Operator before requesting a new license?
Yes. This is the recommended approach. The latest operator trusts both the previous and current signing keys, allowing it to validate both existing licenses and newly generated licenses. Older Appian Operator versions trust only the previous signing key and cannot validate licenses generated after the signing key rotation.
This article applies to all supported versions of Appian on Kubernetes.
Last reviewed: July 2026