gitlab-ci-runner apt

gitlab-runner update failed with GPG error signatures were invalid


I’m unable to update my gitlab-runner install due to bad keys being detected. Is this a GitLab update issue or has something gone wrong on my system? Update and install were working without problems in 2023.

root@gitlab-runner:~# apt-get update
Hit:1 http://security.debian.org bookworm-security InRelease
Hit:2 http://deb.debian.org/debian bookworm InRelease
Get:3 https://packages.gitlab.com/runner/gitlab-runner/debian bookworm InRelease [23.3 kB]
Err:3 https://packages.gitlab.com/runner/gitlab-runner/debian bookworm InRelease
  The following signatures were invalid: EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) <packages@gitlab.com>
Fetched 23.3 kB in 1s (21.0 kB/s)
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.gitlab.com/runner/gitlab-runner/debian bookworm InRelease: The following signatures were invalid: EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) <packages@gitlab.com>
W: Failed to fetch https://packages.gitlab.com/runner/gitlab-runner/debian/dists/bookworm/InRelease  The following signatures were invalid: EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) <packages@gitlab.com>
W: Some index files failed to download. They have been ignored, or old ones used instead.

Many suggest adding the GitLab apt GPG key like this:

root@gitlab-runner:~# curl -s https://packages.gitlab.com/gpg.key | apt-key add -
OK

Still, it does not resolve the issue on Debian 12 and Ubuntu 22. Same error on apt update.


Solution

  • To resolve this situation in 2024, especially on old installs, we first need to remove the already added GitLab apt GPG key (EXPKEYSIG 3F01618A51312F3F).

    Run the command:

    sudo apt-key del "F640 3F65 44A3 8863 DAA0 B6E0 3F01 618A 5131 2F3F"
    

    and run the latest GitLab Runner install script:

    curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.deb.sh" | sudo bash && sudo apt update
    

    That's it, now you can do apt upgrade.

    Update from a comment below: if you have the same type of issue with self-hosted gitlab-ce, please run this instead:

    curl -L "https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.deb.sh" | sudo bash && sudo apt update
    

    More details:

    Note that apt-key on Debian 12 is obsolete:

    root@gitlab-runner:~# apt-key list
    Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
    

    So the proper way in general should be to put the dearmored gpg signature into /etc/apt/trusted.gpg.d, but that's not the GitLab case.

    If you look at the /etc/apt/sources.list.d/runner_gitlab-runner.list file, you will notice the gpg key is mentioned directly:

    # this file was generated by packages.gitlab.com for
    # the repository at https://packages.gitlab.com/runner/gitlab-runner
    
    deb [signed-by=/usr/share/keyrings/runner_gitlab-runner-archive-keyring.gpg] https://packages.gitlab.com/runner/gitlab-runner/debian/ bookworm main
    deb-src [signed-by=/usr/share/keyrings/runner_gitlab-runner-archive-keyring.gpg] https://packages.gitlab.com/runner/gitlab-runner/debian/ bookworm main
    

    This is the reason why manually adding the gpg key with apt-key does not resolve the issue. Executing the install script again would deploy the latest key signature.
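
To see which keyring apt actually uses for each repository, and whether a key in it has expired, the check below can be run before and after re-running the install script. It is an added example, not part of the original answer: the function names `list_repo_keyrings` and `expired_key_ids` are hypothetical, and the sample expiry dates, the `arch=amd64` line and the second key ID are constructed for illustration.

```shell
# Print "<keyring-or-GLOBAL> <uri>" for each deb/deb-src line read from stdin.
# GLOBAL means no signed-by option, so apt falls back to the shared trust
# store (/etc/apt/trusted.gpg, /etc/apt/trusted.gpg.d) that apt-key edits.
list_repo_keyrings() {
    awk '
        $1 == "deb" || $1 == "deb-src" {
            keyring = "GLOBAL"; uri = $2
            if ($2 ~ /^\[/) {
                # The option block can span fields: [arch=amd64 signed-by=...]
                opts = ""
                for (i = 2; i <= NF; i++) { opts = opts " " $i; if ($i ~ /\]$/) break }
                uri = $(i + 1)
                gsub(/\[|\]/, "", opts)
                n = split(opts, o, " ")
                for (j = 1; j <= n; j++)
                    if (o[j] ~ /^signed-by=/) keyring = substr(o[j], 11)
            }
            print keyring, uri
        }'
}

# Read `gpg --show-keys --with-colons <keyring>` output on stdin and print the
# long key ID (field 5) of each primary key whose expiry (field 7, epoch
# seconds) is earlier than $1 (default: current time).
expired_key_ids() {
    awk -F: -v now="${1:-$(date +%s)}" \
        '$1 == "pub" && $7 != "" && $7 + 0 < now + 0 { print $5 }'
}

# Sample input: the two GitLab lines are from the answer above; the
# remaining two lines are constructed.
SAMPLE_SOURCES='# this file was generated by packages.gitlab.com
deb [signed-by=/usr/share/keyrings/runner_gitlab-runner-archive-keyring.gpg] https://packages.gitlab.com/runner/gitlab-runner/debian/ bookworm main
deb-src [signed-by=/usr/share/keyrings/runner_gitlab-runner-archive-keyring.gpg] https://packages.gitlab.com/runner/gitlab-runner/debian/ bookworm main
deb [arch=amd64 signed-by=/usr/share/keyrings/example.gpg] https://repo.example.invalid/debian bookworm main
deb http://deb.debian.org/debian bookworm main'

# Constructed colon listing: timestamps and the second key ID are made up.
SAMPLE_COLONS='pub:e:4096:1:3F01618A51312F3F:1583020800:1709251200::-:::sc:
pub:-:4096:1:AAAAAAAAAAAAAAAA:1700000000:2000000000::-:::sc:'

# On a real host (assumes gpg is installed):
#   list_repo_keyrings < /etc/apt/sources.list.d/runner_gitlab-runner.list
#   gpg --show-keys --with-colons \
#     /usr/share/keyrings/runner_gitlab-runner-archive-keyring.gpg | expired_key_ids
```

A repository whose first column is a keyring path is verified only against that file, so keys added to or removed from the shared trust store do not affect it.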