I followed the instructions to install GitLab runner from the official GitLab repo. I noticed that GPG signature checking is intentionally disabled for the GitLab runner yum repo. I looked into this further, and also discovered that the RPM download from the repo is not signed. (I can post the verification commands I used upon request.)
The fact that there’s no signature seems to conflict with other official documentation at https://packages.gitlab.com/app/runner/gitlab-runner/gpg. This states that using the Bash script to install the repo will automatically install a GPG key.
Is the GitLab runner RPM supposed to be signed?
Disabling GPG signatures conflicts with my organization’s security policy. This causes some of the installation and upgrade steps to become manual for me. I have to override certain settings.
If I were to open a feature request for signing the RPM packages on the GitLab repo, would there be any chance that it would be implemented? I’m a little bit pessimistic, since there are currently 995 open issues with the GitLab runner. I would be happy to help with implementing this if needed.
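One way to audit this on a host, as an added example (not the poster's own verification commands and not GitLab's code): a POSIX shell script that flags repo definitions with `gpgcheck=0` or `repo_gpgcheck=0` and reports whether an RPM file actually carries a PGP signature by reading rpm's `SIGPGP`/`RSAHEADER` header tags. The sample `.repo` contents and the `packages.example.invalid` URLs are constructed for the demo; the weak definition is shown beside the same entry with both checks enabled.

```shell
#!/bin/sh
# Added example, not from the original post: audit yum/dnf .repo files for
# disabled GPG verification and check whether an RPM really is signed.
# The sample repo definitions below are constructed for the demo.

# audit_repo_file FILE
# Prints one line per [section]: "<name> gpgcheck=<v> repo_gpgcheck=<v> <ok|WEAK>".
# A section is WEAK when either setting is 0 (package or metadata signature
# checking disabled). Returns 1 if any section is WEAK, 0 otherwise.
audit_repo_file() {
    awk '
        function flush() {
            if (sec != "") {
                status = (gpg == "0" || rgpg == "0") ? "WEAK" : "ok"
                printf "%s gpgcheck=%s repo_gpgcheck=%s %s\n", sec, gpg, rgpg, status
                if (status == "WEAK") bad = 1
            }
        }
        /^[[:space:]]*\[/ {
            flush()
            sec = $0; gsub(/\[/, "", sec); gsub(/\]/, "", sec); gsub(/[[:space:]]/, "", sec)
            gpg = "unset"; rgpg = "unset"; next
        }
        /^[[:space:]]*gpgcheck[[:space:]]*=/      { split($0, a, "="); gsub(/[[:space:]]/, "", a[2]); gpg = a[2] }
        /^[[:space:]]*repo_gpgcheck[[:space:]]*=/ { split($0, a, "="); gsub(/[[:space:]]/, "", a[2]); rgpg = a[2] }
        END { flush(); exit (bad ? 1 : 0) }
    ' "$1"
}

# rpm_is_signed PACKAGE.rpm
# Returns 0 if the package carries a PGP signature (legacy SIGPGP tag or the
# header-only RSAHEADER tag), 1 if it is unsigned or unreadable, and 2 if
# rpm(8) is not installed, so "unknown" is distinguishable from "unsigned".
rpm_is_signed() {
    command -v rpm >/dev/null 2>&1 || return 2
    sig=$(rpm -qp --qf '%{SIGPGP:pgpsig}|%{RSAHEADER:pgpsig}' "$1" 2>/dev/null) || return 1
    case "$sig" in
        "(none)|(none)"|"") return 1 ;;
        *) return 0 ;;
    esac
}

# Demo: a constructed repo entry with package signature checking disabled,
# beside the same entry with both checks enabled.
demo_dir=$(mktemp -d)
cat > "$demo_dir/weak.repo" <<'EOF'
[runner_gitlab-runner]
name=runner_gitlab-runner
baseurl=https://packages.example.invalid/runner/el/7/x86_64
enabled=1
gpgcheck=0
repo_gpgcheck=1
gpgkey=https://packages.example.invalid/runner/gpgkey
EOF
cat > "$demo_dir/hardened.repo" <<'EOF'
[runner_gitlab-runner]
name=runner_gitlab-runner
baseurl=https://packages.example.invalid/runner/el/7/x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://packages.example.invalid/runner/gpgkey
EOF
for f in "$demo_dir"/*.repo; do
    if audit_repo_file "$f"; then
        echo "$f: every repo verifies signatures"
    else
        echo "$f: FAILS policy (signature checking disabled)"
    fi
done
rm -rf "$demo_dir"
```

Run it against the real files with `for f in /etc/yum.repos.d/*.repo; do audit_repo_file "$f" || echo "$f fails"; done`; an entry that is WEAK but also the only source of a package is exactly the case where an unsigned RPM would install without any warning. `rpm_is_signed` can be pointed at a package fetched with `yumdownloader` or `dnf download` to confirm independently of the repo setting whether the file itself carries a signature.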