Gitlab-runner-16.0.1 upgrade fails with a GPG key error

CentOS 7.9, trying to run “sudo yum upgrade”. Here are the current versions and new versions that I am trying to upgrade to:
---> Package git.x86_64 0:1.8.3.1-24.el7_9 will be updated
---> Package git.x86_64 0:1.8.3.1-25.el7_9 will be an update
---> Package gitlab-ce.x86_64 0:15.11.0-ce.0.el7 will be updated
---> Package gitlab-ce.x86_64 0:16.0.1-ce.0.el7 will be an update
---> Package gitlab-runner.x86_64 0:15.11.0-1 will be updated
---> Package gitlab-runner.x86_64 0:16.0.1-1 will be an update

After yum downloads the packages (along with other packages to be updated), it aborts with an error:

Retrieving key from https://packages.gitlab.com/runner/gitlab-runner/gpgkey
Retrieving key from https://packages.gitlab.com/runner/gitlab-runner/gpgkey/runner-gitlab-runner-4C80FB51394521E9.pub.gpg
The GPG keys listed for the "runner_gitlab-runner" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.
Failing package is: gitlab-runner-16.0.1-1.x86_64
GPG Keys are configured as: https://packages.gitlab.com/runner/gitlab-runner/gpgkey, https://packages.gitlab.com/runner/gitlab-runner/gpgkey/runner-gitlab-runner-4C80FB51394521E9.pub.gpg

How to fix this, and what are the correct key URLs?

EDIT: Not sure if this warning during the same yum upgrade run is relevant too:

warning: /var/cache/yum/x86_64/7Server/runner_gitlab-runner/packages/gitlab-runner-16.0.1-1.x86_64.rpm: Header V4 RSA/SHA 512 Signature, key ID 6ba75a4e: NOKEY
Public key for gitlab-runner-16.0.1-1.x86_64.rpm is not installed
(7/8): gitlab-runner-16.0.1-1.x86_64.rpm | 440 MB 00:00:11

A workaround of course was to disable gpg key check in the gitlab-ce and runner repo files:

gpgcheck=0

Now the upgrade proceeded, but of course it would be nice to be able to enable the GPG key check again, by fixing the key URLs in those repo files.

This key isn’t in use anymore; the current key is documented in “Install GitLab Runner using the official GitLab repositories” (GitLab docs).

Can you share the yum repository configuration, maybe the GPG key URL is hardcoded in there and needs a replacement? The new key needs to be downloaded and imported in the keyring too.

Oh, right, I said this is CentOS 7.9, but actually this is Oracle Linux 7.9. Close enough…

Below is the relevant repo (I changed gpgcheck=0).
Is the correct gpgkey link now https://packages.gitlab.com/runner/gitlab-runner/gpgkey/runner-gitlab-runner-49F16C5CC3A0F81F.pub.gpg ?
Does the download and import use the commands in these instructions?

Here is the current runner repo:

cat /etc/yum.repos.d/runner_gitlab-runner.repo

[runner_gitlab-runner]
name=runner_gitlab-runner
baseurl=https://packages.gitlab.com/runner/gitlab-runner/ol/7/$basearch
repo_gpgcheck=1
gpgcheck=0
enabled=1
gpgkey=https://packages.gitlab.com/runner/gitlab-runner/gpgkey
       https://packages.gitlab.com/runner/gitlab-runner/gpgkey/runner-gitlab-runner-4C80FB51394521E9.pub.gpg
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300

[runner_gitlab-runner-source]
name=runner_gitlab-runner-source
baseurl=https://packages.gitlab.com/runner/gitlab-runner/ol/7/SRPMS
repo_gpgcheck=1
gpgcheck=0
enabled=1
gpgkey=https://packages.gitlab.com/runner/gitlab-runner/gpgkey
       https://packages.gitlab.com/runner/gitlab-runner/gpgkey/runner-gitlab-runner-4C80FB51394521E9.pub.gpg
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300

Looks good to me. More recent versions of rpm allow importing via a URL; older versions required downloading the GPG key file first.

@timppu hit this on RHEL 9 as well.
I deleted the YUM repository and ran the install script from “runner/gitlab-runner - Installation · packages.gitlab.com” again. I noticed a new GPG key was imported on upgrade of the gitlab-runner package. Did not investigate it deeper.

I solved the problem for now doing these steps:

Edited

sudo vi /etc/yum.repos.d/runner_gitlab-runner.repo

and changed the (second) gpg key line as follows:

gpgkey=https://packages.gitlab.com/runner/gitlab-runner/gpgkey
        https://packages.gitlab.com/runner/gitlab-runner/gpgkey/runner-gitlab-runner-49F16C5CC3A0F81F.pub.gpg

Also enabled the GPG check as well (I had disabled it before as a workaround):

gpgcheck=1

After that I also ran, just in case:

sudo yum clean all

Then normally:

sudo yum upgrade

And gitlab-runner got updated without issues, along with everything else.

I am unsure if I am missing some relevant steps (I am unsure what it means to “import the key in the keyring”, did I do it already with the above steps, or does it matter?), but at least it works now, without having to disable the GPG check.

1 Like
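
Added example, not part of any post in this thread: a small audit of a yum `.repo` file that reports sections where the `gpgcheck=0` workaround is still in place or where `gpgkey` still lists the retired key ID, including URLs on indented continuation lines. Note that `repo_gpgcheck=1` only covers the repository metadata signature, while `gpgcheck` controls package signature verification. The names `audit_repo`, `write_sample`, `RETIRED_KEY_ID` and the section `runner_gitlab-runner-fixed` are assumptions made for this example, and the sample repo file is constructed from the one quoted above.

```shell
# Added example (not from the thread): flag repo sections that skip package checks or keep the retired key.
RETIRED_KEY_ID="4C80FB51394521E9"   # key ID in the failing gpgkey URL quoted above
# audit_repo FILE: print one finding per line; no output means no finding.
audit_repo() {
    awk -v retired="$RETIRED_KEY_ID" '
        function report() {
            if (section == "") return
            if (gpgcheck == "0")
                print section ": gpgcheck=0, package signatures are not verified"
            if (index(keys, retired))
                print section ": gpgkey still references retired key " retired
        }
        /^[ \t]*$/    { next }                       # blank line
        /^[ \t]*[#;]/ { next }                       # comment line
        /^\[/ {                                      # start of a new [section]
            report()
            section = substr($0, 2, index($0, "]") - 2)
            gpgcheck = ""; keys = ""; inkey = 0
            next
        }
        /^[ \t]/ { if (inkey) keys = keys " " $1; next }   # indented gpgkey continuation
        {
            inkey = 0
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1); value = substr($0, eq + 1)
            gsub(/[ \t]/, "", name); gsub(/^[ \t]+|[ \t]+$/, "", value)
            if (name == "gpgcheck") gpgcheck = value
            if (name == "gpgkey") { keys = value; inkey = 1 }
        }
        END { report() }
    ' "$1"
}
# write_sample FILE: constructed input modelled on the repo file in the thread.
write_sample() {
    cat > "$1" <<'EOF'
[runner_gitlab-runner]
repo_gpgcheck=1
gpgcheck=0
gpgkey=https://packages.gitlab.com/runner/gitlab-runner/gpgkey
       https://packages.gitlab.com/runner/gitlab-runner/gpgkey/runner-gitlab-runner-4C80FB51394521E9.pub.gpg

[runner_gitlab-runner-fixed]
gpgcheck=1
gpgkey=https://packages.gitlab.com/runner/gitlab-runner/gpgkey
       https://packages.gitlab.com/runner/gitlab-runner/gpgkey/runner-gitlab-runner-49F16C5CC3A0F81F.pub.gpg
EOF
}
```

On a real host the call would be `audit_repo /etc/yum.repos.d/runner_gitlab-runner.repo`. The keys already imported into the rpm keyring can be listed with `rpm -q gpg-pubkey`.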