Omnibus-gitlab packages gpg key expired

Hi,

I’m not sure if I should post this here or open an issue. This key expired today and yum does not accept the key f640 3f65 44a3 8863 daa0 b6e0 3f01 618a 5131 2f3f anymore.

Best,
Michael

Update, add error msg for search:

runner_gitlab-runner/x86_64/signature                                                                                  |  862 B  00:00:00     
Retrieving key from https://packages.gitlab.com/runner/gitlab-runner/gpgkey
Importing GPG key 0x51312F3F:
 Userid     : "GitLab B.V. (package repository signing key) <packages@gitlab.com>"
 Fingerprint: f640 3f65 44a3 8863 daa0 b6e0 3f01 618a 5131 2f3f
 From       : https://packages.gitlab.com/runner/gitlab-runner/gpgkey
Is this ok [y/N]: y
Retrieving key from https://packages.gitlab.com/runner/gitlab-runner/gpgkey/runner-gitlab-runner-4C80FB51394521E9.pub.gpg
1 Like

Just tried this with two Ubuntu focal systems; they use the same key, so yum and apt package updates are currently broken.

1 Like

To help other people find this by search, here are the errors from apt update:

Err https://packages.gitlab.com/gitlab/gitlab-ee/ubuntu focal InRelease
  The following signatures were invalid: EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) <packages@gitlab.com>
Fetched 336 kB in 1s (393 kB/s)
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.gitlab.com/gitlab/gitlab-ee/ubuntu focal InRelease: The following signatures were invalid: EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) <packages@gitlab.com>
W: Failed to fetch https://packages.gitlab.com/gitlab/gitlab-ee/ubuntu/dists/focal/InRelease: The following signatures were invalid: EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) <packages@gitlab.com>
W: Some index files failed to download. They have been ignored, or old ones used instead.

Incidentally, I was lucky enough to trip over this less than 30 minutes after it expired (at 2022-03-02 15:16:59 UTC), so there weren’t any posts here yet 🙂, and I had to track down the problem.

Edit: For those wishing to bypass the apt signature verification failure until GitLab fixes this (which will require importing a new GPG key to the apt keyring), you can try:

sudo apt -o Acquire::AllowInsecureRepositories=true update
sudo apt upgrade

(…or sudo apt install gitlab-ee in place of ‘upgrade’ if you’re installing for the first time. These apt commands explained/source)

5 Likes

Hi all,

thanks for reporting and flagging. Our teams are aware and looking into fixing the problem. You can follow the progress in GitLab GPG expired today (#6701) · Issues · GitLab.org / omnibus-gitlab · GitLab

Thanks for your patience.

Cheers,
Michael

2 Likes

Thanks!

I see the GPG key has been updated. Users of apt-based distributions can install the updated key like this: curl -L https://packages.gitlab.com/gitlab/gitlab-ee/gpgkey | sudo apt-key add -

9 Likes

Running through the instructions in Cryptographic details related to `omnibus-gitlab` packages | GitLab should get it working again, now that we’ve gotten the refreshed key in place.

4 Likes

This is faster. Thanks!

FYI, @WarheadsSE created an MR for the docs with instructions on how to update expired keys.

I would suggest changing the string to

/var/cache/dnf/*_gitlab-*/pubring

otherwise runner repokeys will not be found

/var/cache/dnf/runner_gitlab-runner-...

edit: @dnsmichi

Or if you want to keep the names, you could do this:

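for prod in gitlab runner   # add more if necessary
do
    # ${prod} needs braces: $prod_gitlab would be read as the unset variable "prod_gitlab"
    for pubring in /var/cache/dnf/${prod}_gitlab-{$prod,?e}-*/pubring
    do
        [ -d "$pubring" ] || continue   # skip patterns that matched no directory
        gpg --homedir "$pubring" --delete-key F6403F6544A38863DAA0B6E03F01618A51312F3F
    done
done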
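
A way to see which keyrings hold a repository signing key that has expired or is about to, as an added example that is not part of any post in this thread: it reads `gpg --with-colons` output and lists primary keys whose expiry falls before a cutoff. The function names are hypothetical and the sample listing is constructed (its expiry field is the 2022-03-02 15:16:59 UTC time reported above, as epoch seconds; the creation time, the uid hashes and the second key are made up).

```shell
#!/bin/sh
# Added example: report primary keys that expire before a cutoff.
# Assumes the gpg 2.x colon format: field 7 of a "pub" record is the expiry
# in epoch seconds (empty means no expiry); field 10 of "fpr" and "uid"
# records holds the fingerprint and the user ID.

# keys_expiring_before CUTOFF_EPOCH   (hypothetical helper)
#   stdin:  output of `gpg --with-colons --list-keys`
#   stdout: "FINGERPRINT EXPIRY_EPOCH USER_ID" for each matching primary key
keys_expiring_before() {
    awk -F: -v cutoff="$1" '
        $1 == "pub" { expiry = $7; fpr = ""
                      hit = (expiry != "" && expiry + 0 < cutoff + 0); next }
        $1 == "sub" { hit = 0; next }            # subkeys are not reported
        $1 == "fpr" && hit && fpr == "" { fpr = $10; next }
        $1 == "uid" && hit { print fpr, expiry, $10; hit = 0 }
    '
}

# Constructed sample listing (not captured from a real keyring).
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:3F01618A51312F3F:1425316619:1646234219::-:::scESC::::::23::0:
fpr:::::::::F6403F6544A38863DAA0B6E03F01618A51312F3F:
uid:-::::1425316619::0000000000000000000000000000000000000000::GitLab B.V. (package repository signing key) <packages@gitlab.com>::::::::::0:
pub:-:4096:1:00000000DEADBEEF:1425316619:::-:::scESC::::::23::0:
fpr:::::::::00000000000000000000000000000000DEADBEEF:
uid:-::::1425316619::0000000000000000000000000000000000000000::Constructed key without expiry <nobody@example.invalid>::::::::::0:
EOF
}

# Demo: 30-day warning window measured from a constructed "now".
now=1644000000
sample_listing | keys_expiring_before "$(( now + 30 * 86400 ))"

# Against a real keyring, for example one of the dnf pubring directories:
#   gpg --homedir "$pubring" --with-colons --list-keys |
#       keys_expiring_before "$(( $(date +%s) + 30 * 86400 ))"
```

Keys without an expiry date are never reported, and a key whose expiry equals the cutoff is treated as not yet due.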