Package repository metadata signing keys

Hi all,

I’m attempting to upgrade my CE install of GitLab (I’m a few versions behind). I understand that GitLab updated their signing keys a few years ago. I’ve attempted to update the keys but have been unsuccessful so far. My sources.list.d looks like this:

deb [signed-by=/usr/share/keyrings/gitlab_gitlab-ce-archive-keyring.gpg] bionic main
deb-src [signed-by=/usr/share/keyrings/gitlab_gitlab-ce-archive-keyring.gpg] bionic main

Which I understand means I’m using signed-by rather than apt-key. I’ve run the script provided on GitLab to update it;

 awk '/deb \[signed-by=/{
       pubkey = $2;
       sub(/\[signed-by=/, "", pubkey);
       sub(/\]$/, "", pubkey);
       print pubkey
     }' /etc/apt/sources.list.d/gitlab_gitlab-?e.list | \
   while read line; do
     curl -s "" | gpg --dearmor > $line

My apt-key list contains:

pub   rsa4096 2020-03-02 [SC] [expires: 2024-03-01]
      F640 3F65 44A3 8863 DAA0  B6E0 3F01 618A 5131 2F3F
uid           [ unknown] GitLab B.V. (package repository signing key) <>
sub   rsa4096 2020-03-02 [E] [expires: 2024-03-01]

But still get the following error:
An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: bionic InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 3F01618A51312F3F

Any ideas anyone?

I managed to resolve this. The permissions on the /usr/share/keyrings/gitlab_gitlab-ce-archive-keyring.gpg were incorrect.


maybe its time to switch to the docker version.
Doing an upgrade with:

docker-compose down
(docker rm gitlab)
docker-compose pull
docker-compose up

is very nice,