GitLab Runner packages GPG key expired

Hello,

After successfully downloading the GitLab Runner package via the yum repository yesterday, I encountered the following error today:

Error: Failed to download metadata for repo ‘runner_gitlab-runner’: repomd.xml GPG signature verification error: Bad GPG signature

I checked my GPG key based on the official docs:

```
rpm -q gpg-pubkey-35dfa027-60ba0235 --qf '%{name}-%{version}-%{release} --> %{summary}'
gpg-pubkey-35dfa027-60ba0235 --> gpg(GitLab, Inc. <support@gitlab.com>)
```

The key seems to match the one listed in the docs. Tried re-importing the key and setting up the repo via the downloadable .sh script again, same results.

Noticed that there were 2 topics recently related to key expiry for other packages, but I couldn't find any info on the GitLab Runner package.

Thanks

Hi @mmerdanovic

The key that expired was the one used to sign the repo metadata on packages.gitlab.com so it impacts runner as well. This is different than the key used to sign the runner packages themselves, which is what the runner docs were instructing you to check.

Try running the import of the key listed here: "Cryptographic details related to `omnibus-gitlab` packages | GitLab", and check out some of the community responses in "GitLab GPG expired today (#6701) · Issues · GitLab.org / omnibus-gitlab · GitLab", where some users are reporting they need to remove the old key first. We are still investigating whether the removal is necessary, and will update our docs accordingly when we have an answer.

Thanks for reaching out about the runner repo!

3 Likes
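The distinction drawn in the reply above (the key that signs repo metadata versus the key that signs the packages) corresponds to two separate settings in a yum/dnf `.repo` file. The script below is an added example, not part of the original thread or of GitLab's docs; it reports both settings per repo section. The function names, the sample file and its `example.invalid` URLs are constructed for illustration.

```shell
# Added example: per repo section, which signature checks does yum/dnf perform?
#   repo_gpgcheck -> repomd.xml (repo metadata) signature; gpgcheck -> each RPM
repo_sig_policy() {
    awk '
    function report() {
        if (id != "") printf "%s metadata=%s packages=%s keys=%d\n", id, meta, pkg, nkeys
    }
    function flag(v) { return (tolower(v) ~ /^(1|yes|true|on)$/) ? "on" : "off" }
    /^[ \t]*$/ || /^[ \t]*[#;]/ { next }          # blank lines and comments
    /^\[/ {                                       # new [section]
        report()
        id = substr($0, 2, index($0, "]") - 2)
        meta = pkg = "inherit"; nkeys = 0; inkey = 0   # unset -> inherited from [main]
        next
    }
    /^[ \t]/ { if (inkey) nkeys++; next }         # indented line continues gpgkey=
    {
        p = index($0, "="); if (p == 0) next
        key = substr($0, 1, p - 1); val = substr($0, p + 1)
        gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        inkey = (key == "gpgkey")
        if (key == "repo_gpgcheck") meta = flag(val)
        else if (key == "gpgcheck") pkg = flag(val)
        else if (inkey && val != "") nkeys = split(val, parts, "[ \t,]+")
    }
    END { report() }
    ' "$1"
}

# Constructed sample repo file (URLs are placeholders, not GitLab's real ones).
write_sample_repo() {
    cat > "$1" <<'EOF'
[runner_gitlab-runner]
baseurl=https://repo.example.invalid/runner/el/8/$basearch
repo_gpgcheck=1
gpgcheck=1
gpgkey=https://repo.example.invalid/keys/metadata.pub.gpg
       https://repo.example.invalid/keys/packages.pub.gpg

[local-mirror]
baseurl=file:///srv/mirror
gpgcheck=1
EOF
}

sample=$(mktemp); write_sample_repo "$sample"
repo_sig_policy "$sample"
rm -f "$sample"
```

A repo reporting `metadata=on` fails at the `repomd.xml` step when the metadata-signing key has expired, even if the package-signing key in the RPM database is still valid.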

Hey,

I followed the instructions in the updated docs regarding key removal, and used the rpm .sh script to set up the repo again which included adding the new GPG keys for repo metadata signing. After that, runner packages are successfully installed.

Thanks for the help and good luck!