Invalid package signature

Problem to solve

I cannot upgrade to 16.9.2 due tio an invalid package signature:

Get:9 https://packages.gitlab.com/gitlab/gitlab-ce/ubuntu bionic InRelease [23.3 kB]
Err:9 https://packages.gitlab.com/gitlab/gitlab-ce/ubuntu bionic InRelease
The following signatures were invalid: EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) packages@gitlab.com
Fetched 23.3 kB in 1s (15.9 kB/s)
Reading package lists… Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.gitlab.com/gitlab/gitlab-ce/ubuntu bionic InRelease: The following signatures were invalid: EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) packages@gitlab.com
W: Failed to fetch https://packages.gitlab.com/gitlab/gitlab-ce/ubuntu/dists/bionic/InRelease The following signatures were invalid: EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) packages@gitlab.com

Describe your question in as much detail as possible:

Steps to reproduce

OnUubuntu 18.04 do:
sudo apt-get update

Versions

Finall found the slution:

2 Likes

This did not work for me. I followed instructions at here and here and I still have the issue on Raspbian Bullseye. It looks like some sort of cache seems to be holding on since one of the steps from the links above lists the key and it indicates that it expires in 2026 (which means the update should’ve worked). Thoughts?

$ sudo apt-get update
Hit:1 http://raspbian.raspberrypi.org/raspbian bullseye InRelease
Hit:4 http://archive.raspberrypi.org/debian bullseye InRelease
Hit:3 https://packages.gitlab.com/gitlab/gitlab-ce/raspbian bullseye InRelease
Hit:2 https://packagecloud.io/ookla/speedtest-cli/debian bullseye InRelease
Get:5 https://packages.gitlab.com/gitlab/raspberry-pi2/raspbian bullseye InRelease [23.3 kB]
Err:5 https://packages.gitlab.com/gitlab/raspberry-pi2/raspbian bullseye InRelease
  The following signatures were invalid: EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) <packages@gitlab.com>
Fetched 23.3 kB in 2s (13.5 kB/s)
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.gitlab.com/gitlab/raspberry-pi2/raspbian bullseye InRelease: The following signatures were invalid: EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) <packages@gitlab.com>
W: Failed to fetch https://packages.gitlab.com/gitlab/raspberry-pi2/raspbian/dists/bullseye/InRelease  The following signatures were invalid: EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) <packages@gitlab.com>
W: Some index files failed to download. They have been ignored, or old ones used instead.

$ sudo apt-key list 3F01618A51312F3F
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
pub   rsa4096 2020-03-02 [SC] [expires: 2026-02-27]
      F640 3F65 44A3 8863 DAA0  B6E0 3F01 618A 5131 2F3F
uid           [ unknown] GitLab B.V. (package repository signing key) <packages@gitlab.com>
sub   rsa4096 2020-03-02 [E] [expires: 2026-02-27]

I ran into the same problem that above solutions didn’t work:
Try
curl -s https://packages.gitlab.com/install/repositories/gitlab/raspberry-pi2/script.deb.sh | sudo bash

that work for me for the raspberry-pi2 version.

This partially worked. I have 4 Raspberry Pi systems with the GitLab repository. This script worked on the first one I tried (the one that I had been trying all sorts of things to fix). However, it did not work on the other 3 systems whose difference is that they have the GitLab Runners repo as well. Is there an equivalent script for GitLab Runners or do I need to hack up the one for “raspberry-pi2”?

There is also a script for installing the runner. You may need to tweak the values you pass to the script.

Prints out current OS version

cat /etc/os-release

Change os and dist variable with values from output above

curl -L “https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.deb.sh” | sudo os=debian dist=bullseye bash

Have a look at the installation instructions here: Gitlab runner on Raspberry Pi - DEV Community

1 Like

This addressed it. I used the following for Raspberry Pi OS.

curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.deb.sh" \
    | sudo os=raspbian dist=bullseye bash

Thanks @dchtools !

Hello,

I do face the same issue with the invalid key. I tried the steps described above, but it doesn’t work.

I’m on Debian 12, with a self-manager version of Gitlab 16.9. I’m trying to upgrade to 16.10.1 (or 16.11), but the key is invalid.

I tried to update the key using the method described here (Cryptographic details related to `omnibus-gitlab` packages | GitLab), but still the same issue. I also tried the script mentioned above by @dchtools , unsuccessful.

root@server:/home/gitlab/downloads# apt-key del 3F01618A51312F3F
curl -s "https://packages.gitlab.com/gpg.key" | apt-key add -
apt-key list 3F01618A51312F3F
apt update
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
pub   rsa4096 2020-03-02 [SC] [expire : 2026-02-27]
      F640 3F65 44A3 8863 DAA0  B6E0 3F01 618A 5131 2F3F
uid          [ inconnue] GitLab B.V. (package repository signing key) <packages@gitlab.com>
sub   rsa4096 2020-03-02 [E] [expire : 2026-02-27]

Atteint :7 https://packages.gitlab.com/runner/gitlab-runner/debian bookworm InRelease
Réception de :6 https://packages.gitlab.com/gitlab/gitlab-ee/debian bookworm InRelease [23,4 kB]
Err :6 https://packages.gitlab.com/gitlab/gitlab-ee/debian bookworm InRelease
  Les signatures suivantes ne sont pas valables : EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) <packages@gitlab.com>
23,4 ko réceptionnés en 4s (5 733 o/s)
Lecture des listes de paquets... Fait
Construction de l'arbre des dépendances... Fait
Lecture des informations d'état... Fait
Tous les paquets sont à jour.
W: Une erreur s'est produite lors du contrôle de la signature. Le dépôt n'est pas mis à jour et les fichiers d'index précédents seront utilisés. Erreur de GPG : https://packages.gitlab.com/gitlab/gitlab-ee/debian bookworm InRelease : Les signatures suivantes ne sont pas valables : EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) <packages@gitlab.com>
W: Impossible de récupérer https://packages.gitlab.com/gitlab/gitlab-ee/debian/dists/bookworm/InRelease  Les signatures suivantes ne sont pas valables : EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) <packages@gitlab.com>
W: Le téléchargement de quelques fichiers d'index a échoué, ils ont été ignorés, ou les anciens ont été utilisés à la place.
root@server:/home/gitlab/downloads#curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.deb.sh" | os=debian dist=bookworm bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  6885  100  6885    0     0   9375      0 --:--:-- --:--:-- --:--:--  9380
Detected operating system as debian/bookworm.
Checking for curl...
Detected curl...
Checking for gpg...
Detected gpg...
Running apt-get update... done.
Installing debian-archive-keyring which is needed for installing
apt-transport-https on many Debian systems.
Installing apt-transport-https... done.
Installing /etc/apt/sources.list.d/runner_gitlab-runner.list...done.
Importing packagecloud gpg key... done.
Running apt-get update... done.

The repository is setup! You can now install packages.
root@server:/home/gitlab/downloads# apt update
Atteint :4 https://packages.gitlab.com/runner/gitlab-runner/debian bookworm InRelease
Réception de :3 https://packages.gitlab.com/gitlab/gitlab-ee/debian bookworm InRelease [23,4 kB]
Err :3 https://packages.gitlab.com/gitlab/gitlab-ee/debian bookworm InRelease
  Les signatures suivantes ne sont pas valables : EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) <packages@gitlab.com>
Atteint :7 http://security.debian.org/debian-security bookworm-security/updates InRelease
23,4 ko réceptionnés en 16s (1 429 o/s)
Lecture des listes de paquets... Fait
Construction de l'arbre des dépendances... Fait
Lecture des informations d'état... Fait
Tous les paquets sont à jour.
W: Une erreur s'est produite lors du contrôle de la signature. Le dépôt n'est pas mis à jour et les fichiers d'index précédents seront utilisés. Erreur de GPG : https://packages.gitlab.com/gitlab/gitlab-ee/debian bookworm InRelease : Les signatures suivantes ne sont pas valables : EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) <packages@gitlab.com>
W: Impossible de récupérer https://packages.gitlab.com/gitlab/gitlab-ee/debian/dists/bookworm/InRelease  Les signatures suivantes ne sont pas valables : EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) <packages@gitlab.com>
W: Le téléchargement de quelques fichiers d'index a échoué, ils ont été ignorés, ou les anciens ont été utilisés à la place.
root@server:/home/gitlab/downloads#

Sorry for the messages in French, they’re the same as described above by @FranzRoters .

Thank you in advance for your help.

I struggled a few hours on that issue and decided to post my previous message. And of course, a few minutes later, I solved it. Instead of using the gitlab-runner batch, I should have used the original Omnibus installation script (Download and install GitLab | GitLab). So simple.
curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.deb.sh | bash

It solved my key issue and I could upgrade to 16.10.1.

I hope it can help somebody else.

1 Like

Hi !

I solved the problem reimporting the key like it is done in install script
(as root)

gpg_key_url=https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey
gpg_keyring_path=/usr/share/keyrings/gitlab_gitlab-ce-archive-keyring.gpg
curl -fsSL "${gpg_key_url}" | gpg --dearmor > ${gpg_keyring_path}
apt update
1 Like

Thanks this worked for me