I’m unable to update my Gitlab-ce install due to bad keys being detected. Is this a Gitlab update issue or something gone wrong on my system? I had to replace https:// with (url) to get this message to post.
```text
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: (url): The following signatures were invalid: EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) packages@gitlab.com
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: (url): The following signatures were invalid: EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) packages@gitlab.com
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: (url): The following signatures were invalid: EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) packages@gitlab.com
W: Failed to fetch (url) The following signatures were invalid: EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) packages@gitlab.com
W: Failed to fetch (url) The following signatures were invalid: EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) packages@gitlab.com
W: Failed to fetch (url) The following signatures were invalid: EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) packages@gitlab.com
W: Some index files failed to download. They have been ignored, or old ones used instead.
```
@L91 in my post above are links to Gitlab documentation as well as the Gitlab issue where the problem was being looked at. Both are official links. There is also that link as well pulled from the forum post that was also linked: Cryptographic details related to `omnibus-gitlab` packages | GitLab
I found the issue that may happen for some people. My /etc/apt/sources.list.d/gitlab_gitlab-ce.list file contained the following entries:
```text
deb [signed-by=/usr/share/keyrings/gitlab_gitlab-ce-archive-keyring.gpg] https://packages.gitlab.com/gitlab/gitlab-ce/debian/ buster main
deb-src [signed-by=/usr/share/keyrings/gitlab_gitlab-ce-archive-keyring.gpg] https://packages.gitlab.com/gitlab/gitlab-ce/debian/ buster main
```
As you can see, the signing key is specified here and it is the expired one. Removing the [signed-by=...] config or replacing the gpg key file with the proper one fixes the issue.
This resolves gpg error:
```text
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.gitlab.com/runner/gitlab-runner/debian bookworm InRelease: The following signatures were invalid: EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) packages@gitlab.com
```
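As an added example (not code from any post in this thread), a small Python audit that reads apt source entries like the ones above, follows each [signed-by=...] pointer, and reports keyrings that hold an expired signing key. The source lines and the `gpg --with-colons` listing embedded below are constructed samples; in practice the listing for each keyring would come from `gpg --no-default-keyring --keyring <file> --list-keys --with-colons`.

```python
import re
import time

# Constructed sample in the shape of the poster's gitlab_gitlab-ce.list entries.
SOURCES_SAMPLE = """\
deb [signed-by=/usr/share/keyrings/gitlab_gitlab-ce-archive-keyring.gpg] https://packages.gitlab.com/gitlab/gitlab-ce/debian/ buster main
deb-src [signed-by=/usr/share/keyrings/gitlab_gitlab-ce-archive-keyring.gpg] https://packages.gitlab.com/gitlab/gitlab-ce/debian/ buster main
"""

# Constructed sample of `gpg --with-colons` output for that keyring: the key id is the
# one from the apt error in this thread, the creation/expiry timestamps are made up.
GPG_COLONS_SAMPLE = """\
pub:e:4096:1:3F01618A51312F3F:1587000000:1680000000::-:::scSC::::::23::0:
"""

SOURCE_LINE = re.compile(r"^deb(?:-src)?\s+\[([^\]]*)\]\s+(\S+)")

def signed_by_keyrings(sources_text):
    """Map each keyring named in a [signed-by=...] option to the repo URLs pinned to it."""
    keyrings = {}
    for line in sources_text.splitlines():
        match = SOURCE_LINE.match(line.strip())
        if match:
            options, url = match.groups()
            for opt in options.split():
                if opt.startswith("signed-by="):
                    keyrings.setdefault(opt[len("signed-by="):], set()).add(url)
    return keyrings

def expired_keys(colons_text, now=None):
    """Return pub records gpg marks expired (validity 'e') or whose expiry has passed."""
    # pub record layout: type:validity:bits:algo:keyid:created:expires:...
    now = int(time.time()) if now is None else now
    found = []
    for line in colons_text.splitlines():
        f = line.split(":")
        if f[0] != "pub":
            continue
        expires = int(f[6]) if f[6] else None
        if f[1] == "e" or (expires is not None and expires < now):
            found.append({"keyid": f[4], "expires": expires})
    return found

def audit(sources_text, colons_by_keyring, now=None):
    """Pair every apt source with the expired keys in the keyring it is pinned to."""
    findings = []
    for keyring, urls in signed_by_keyrings(sources_text).items():
        for key in expired_keys(colons_by_keyring.get(keyring, ""), now):
            findings.extend({"url": u, "keyring": keyring, **key} for u in sorted(urls))
    return findings
```

A finding for a keyring is the case the post above describes: apt is pinned to a keyring file whose key has expired, so the fix is to replace that keyring file, not to touch apt-key.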
```text
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead
```
This approach is indeed deprecated. apt-key manages the keyring in /etc/apt/trusted.gpg (for Debian), while Gitlab (provided your installation is a bit more recent) does so in /usr/share/keyrings/gitlab_gitlab-ce-archive-keyring.gpg.
In general as of 2024 all apt-key operations fail to resolve this issue, especially if gitlab was installed some time ago.
As @certifieddook noted, if your /etc/apt/sources.list.d/gitlab_gitlab-ce.list file contains a reference to the Gitlab keyring file, the apt-key command will not work.
To download the new gitlab gpg key and add it to the gitlab keyring in one command use this:
I faced the same problem today and wanted to understand why this keeps happening (rather rarely, but I have seen this kind of error, not for gitlab but for other tools, several times over the years). This detailed blogpost about the expired signature key for Gitlab explains it in great detail.
Long story short, apt packages are signed with gpg in order to prevent a man in the middle from exchanging the apt package you want from gitlab with one that contains malicious code. As the workstations used by the Gitlab people are very high-value targets, but do get re-installed with new operating systems every now and then, it is common practice to let the private keys that sign the apt packages expire after a few years, and to generate new ones.