Problem to solve
I cannot upgrade to 16.9.2 due tio an invalid package signature:
Get:9 https://packages.gitlab.com/gitlab/gitlab-ce/ubuntu bionic InRelease [23.3 kB]
Err:9 https://packages.gitlab.com/gitlab/gitlab-ce/ubuntu bionic InRelease
The following signatures were invalid: EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) packages@gitlab.com
Fetched 23.3 kB in 1s (15.9 kB/s)
Reading package lists… Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.gitlab.com/gitlab/gitlab-ce/ubuntu bionic InRelease: The following signatures were invalid: EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) packages@gitlab.com
W: Failed to fetch https://packages.gitlab.com/gitlab/gitlab-ce/ubuntu/dists/bionic/InRelease The following signatures were invalid: EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) packages@gitlab.com
Describe your question in as much detail as possible:
Steps to reproduce
OnUubuntu 18.04 do:
sudo apt-get update
Versions
Finall found the slution:
2 Likes
This did not work for me. I followed instructions at here and here and I still have the issue on Raspbian Bullseye. It looks like some sort of cache seems to be holding on since one of the steps from the links above lists the key and it indicates that it expires in 2026 (which means the update should’ve worked). Thoughts?
$ sudo apt-get update
Hit:1 http://raspbian.raspberrypi.org/raspbian bullseye InRelease
Hit:4 http://archive.raspberrypi.org/debian bullseye InRelease
Hit:3 https://packages.gitlab.com/gitlab/gitlab-ce/raspbian bullseye InRelease
Hit:2 https://packagecloud.io/ookla/speedtest-cli/debian bullseye InRelease
Get:5 https://packages.gitlab.com/gitlab/raspberry-pi2/raspbian bullseye InRelease [23.3 kB]
Err:5 https://packages.gitlab.com/gitlab/raspberry-pi2/raspbian bullseye InRelease
The following signatures were invalid: EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) <packages@gitlab.com>
Fetched 23.3 kB in 2s (13.5 kB/s)
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.gitlab.com/gitlab/raspberry-pi2/raspbian bullseye InRelease: The following signatures were invalid: EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) <packages@gitlab.com>
W: Failed to fetch https://packages.gitlab.com/gitlab/raspberry-pi2/raspbian/dists/bullseye/InRelease The following signatures were invalid: EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) <packages@gitlab.com>
W: Some index files failed to download. They have been ignored, or old ones used instead.
$ sudo apt-key list 3F01618A51312F3F
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
pub rsa4096 2020-03-02 [SC] [expires: 2026-02-27]
F640 3F65 44A3 8863 DAA0 B6E0 3F01 618A 5131 2F3F
uid [ unknown] GitLab B.V. (package repository signing key) <packages@gitlab.com>
sub rsa4096 2020-03-02 [E] [expires: 2026-02-27]
I ran into the same problem that above solutions didn’t work:
Try
curl -s https://packages.gitlab.com/install/repositories/gitlab/raspberry-pi2/script.deb.sh | sudo bash
that work for me for the raspberry-pi2 version.
This partially worked. I have 4 Raspberry Pi systems with the GitLab repository. This script worked on the first one I tried (the one that I had been trying all sorts of things to fix). However, it did not work on the other 3 systems whose difference is that they have the GitLab Runners repo as well. Is there an equivalent script for GitLab Runners or do I need to hack up the one for “raspberry-pi2”?
There is also a script for installing the runner. You may need to tweak the values you pass to the script.
Prints out current OS version
cat /etc/os-release
Change os and dist variable with values from output above
curl -L “https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.deb.sh” | sudo os=debian dist=bullseye bash
Have a look at the installation instructions here: Gitlab runner on Raspberry Pi - DEV Community
1 Like
This addressed it. I used the following for Raspberry Pi OS.
curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.deb.sh" \
| sudo os=raspbian dist=bullseye bash
Thanks @dchtools !
Hello,
I do face the same issue with the invalid key. I tried the steps described above, but it doesn’t work.
I’m on Debian 12, with a self-manager version of Gitlab 16.9. I’m trying to upgrade to 16.10.1 (or 16.11), but the key is invalid.
I tried to update the key using the method described here (Cryptographic details related to `omnibus-gitlab` packages | GitLab), but still the same issue. I also tried the script mentioned above by @dchtools , unsuccessful.
root@server:/home/gitlab/downloads# apt-key del 3F01618A51312F3F
curl -s "https://packages.gitlab.com/gpg.key" | apt-key add -
apt-key list 3F01618A51312F3F
apt update
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
pub rsa4096 2020-03-02 [SC] [expire : 2026-02-27]
F640 3F65 44A3 8863 DAA0 B6E0 3F01 618A 5131 2F3F
uid [ inconnue] GitLab B.V. (package repository signing key) <packages@gitlab.com>
sub rsa4096 2020-03-02 [E] [expire : 2026-02-27]
Atteint :7 https://packages.gitlab.com/runner/gitlab-runner/debian bookworm InRelease
Réception de :6 https://packages.gitlab.com/gitlab/gitlab-ee/debian bookworm InRelease [23,4 kB]
Err :6 https://packages.gitlab.com/gitlab/gitlab-ee/debian bookworm InRelease
Les signatures suivantes ne sont pas valables : EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) <packages@gitlab.com>
23,4 ko réceptionnés en 4s (5 733 o/s)
Lecture des listes de paquets... Fait
Construction de l'arbre des dépendances... Fait
Lecture des informations d'état... Fait
Tous les paquets sont à jour.
W: Une erreur s'est produite lors du contrôle de la signature. Le dépôt n'est pas mis à jour et les fichiers d'index précédents seront utilisés. Erreur de GPG : https://packages.gitlab.com/gitlab/gitlab-ee/debian bookworm InRelease : Les signatures suivantes ne sont pas valables : EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) <packages@gitlab.com>
W: Impossible de récupérer https://packages.gitlab.com/gitlab/gitlab-ee/debian/dists/bookworm/InRelease Les signatures suivantes ne sont pas valables : EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) <packages@gitlab.com>
W: Le téléchargement de quelques fichiers d'index a échoué, ils ont été ignorés, ou les anciens ont été utilisés à la place.
root@server:/home/gitlab/downloads#curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.deb.sh" | os=debian dist=bookworm bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 6885 100 6885 0 0 9375 0 --:--:-- --:--:-- --:--:-- 9380
Detected operating system as debian/bookworm.
Checking for curl...
Detected curl...
Checking for gpg...
Detected gpg...
Running apt-get update... done.
Installing debian-archive-keyring which is needed for installing
apt-transport-https on many Debian systems.
Installing apt-transport-https... done.
Installing /etc/apt/sources.list.d/runner_gitlab-runner.list...done.
Importing packagecloud gpg key... done.
Running apt-get update... done.
The repository is setup! You can now install packages.
root@server:/home/gitlab/downloads# apt update
Atteint :4 https://packages.gitlab.com/runner/gitlab-runner/debian bookworm InRelease
Réception de :3 https://packages.gitlab.com/gitlab/gitlab-ee/debian bookworm InRelease [23,4 kB]
Err :3 https://packages.gitlab.com/gitlab/gitlab-ee/debian bookworm InRelease
Les signatures suivantes ne sont pas valables : EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) <packages@gitlab.com>
Atteint :7 http://security.debian.org/debian-security bookworm-security/updates InRelease
23,4 ko réceptionnés en 16s (1 429 o/s)
Lecture des listes de paquets... Fait
Construction de l'arbre des dépendances... Fait
Lecture des informations d'état... Fait
Tous les paquets sont à jour.
W: Une erreur s'est produite lors du contrôle de la signature. Le dépôt n'est pas mis à jour et les fichiers d'index précédents seront utilisés. Erreur de GPG : https://packages.gitlab.com/gitlab/gitlab-ee/debian bookworm InRelease : Les signatures suivantes ne sont pas valables : EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) <packages@gitlab.com>
W: Impossible de récupérer https://packages.gitlab.com/gitlab/gitlab-ee/debian/dists/bookworm/InRelease Les signatures suivantes ne sont pas valables : EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) <packages@gitlab.com>
W: Le téléchargement de quelques fichiers d'index a échoué, ils ont été ignorés, ou les anciens ont été utilisés à la place.
root@server:/home/gitlab/downloads#
Sorry for the messages in French, they’re the same as described above by @FranzRoters .
Thank you in advance for your help.
I struggled a few hours on that issue and decided to post my previous message. And of course, a few minutes later, I solved it. Instead of using the gitlab-runner batch, I should have used the original Omnibus installation script (Download and install GitLab | GitLab). So simple.
curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.deb.sh | bash
It solved my key issue and I could upgrade to 16.10.1.
I hope it can help somebody else.
1 Like
Hi !
I solved the problem reimporting the key like it is done in install script
(as root)
gpg_key_url=https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey
gpg_keyring_path=/usr/share/keyrings/gitlab_gitlab-ce-archive-keyring.gpg
curl -fsSL "${gpg_key_url}" | gpg --dearmor > ${gpg_keyring_path}
apt update
1 Like
Thanks this worked for me