How to renew expired GPG key (EXPKEYSIG 3F01618A51312F3F) for GitLab APT repositories

Written by - 4 comments

Published on - last updated on September 28th 2024 - Listed in Linux Git


It seems that the GPG key used for signing the deb packages in the GitLab repositories has expired:

root@gitlab:~# apt-get update
Hit:1 http://security.debian.org/debian-security buster/updates InRelease
Hit:2 http://deb.debian.org/debian buster InRelease
Get:3 https://packages.gitlab.com/gitlab/gitlab-ce/debian buster InRelease [23.3 kB]
Err:3 https://packages.gitlab.com/gitlab/gitlab-ce/debian buster InRelease
  The following signatures were invalid: EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) <packages@gitlab.com>

Fetched 23.3 kB in 1s (21.0 kB/s)
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.gitlab.com/gitlab/gitlab-ce/debian buster InRelease: The following signatures were invalid: EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) <packages@gitlab.com>
W: Failed to fetch https://packages.gitlab.com/gitlab/gitlab-ce/debian/dists/buster/InRelease  The following signatures were invalid: EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) <packages@gitlab.com>
W: Some index files failed to download. They have been ignored, or old ones used instead.

Renewing using apt-key

The repository instructions contain a shell script which also installs the (new) key, but you probably don't want to start your car just to cross the street. Simply use the following command to install the new key:

root@gitlab:~# curl -s https://packages.gitlab.com/gpg.key | apt-key add -
OK

And voilĂ , apt is happy again:

root@gitlab:~# apt-get update
Hit:1 http://security.debian.org/debian-security buster/updates InRelease
Hit:2 http://deb.debian.org/debian buster InRelease
Get:3 https://packages.gitlab.com/gitlab/gitlab-ce/debian buster InRelease [23.3 kB]
Get:4 https://packages.gitlab.com/gitlab/gitlab-ce/debian buster/main amd64 Packages [44.3 kB]
Fetched 67.6 kB in 2s (31.3 kB/s)
Reading package lists... Done

Renewing signed-by key

This section was added on September 28th 2024

The method above uses the apt-key method, which is nowadays deprecated and should not be used anymore (although I preferred it).  I just ran into a similar expired key again, this time with the gitlab-runner repository:

root@gitlab:~# apt-get update
[...]
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.gitlab.com/runner/gitlab-runner/debian bullseye InRelease: The following signatures were invalid: EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) <packages@gitlab.com>
W: Failed to fetch https://packages.gitlab.com/runner/gitlab-runner/debian/dists/bullseye/InRelease  The following signatures were invalid: EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) <packages@gitlab.com>
W: Some index files failed to download. They have been ignored, or old ones used instead.

The gitlab-runner repo is configured to use a signed-by key:

root@gitlab:~# cat /etc/apt/sources.list.d/runner_gitlab-runner.list
# this file was generated by packages.gitlab.com for
# the repository at https://packages.gitlab.com/runner/gitlab-runner

deb [signed-by=/usr/share/keyrings/runner_gitlab-runner-archive-keyring.gpg] https://packages.gitlab.com/runner/gitlab-runner/debian/ bullseye main
deb-src [signed-by=/usr/share/keyrings/runner_gitlab-runner-archive-keyring.gpg] https://packages.gitlab.com/runner/gitlab-runner/debian/ bullseye main

To renew the signed-by key, use this command:

root@gitlab:~# curl -fsSL https://packages.gitlab.com/gpg.key | sudo gpg --dearmor -o /usr/share/keyrings/runner_gitlab-runner-archive-keyring.gpg
File '/usr/share/keyrings/runner_gitlab-runner-archive-keyring.gpg' exists. Overwrite? (y/N) y

And APT is happy again:

root@gitlab:~# apt-get update
Hit:1 http://deb.debian.org/debian bullseye InRelease
Hit:2 http://deb.debian.org/debian bullseye-updates InRelease             
Hit:3 http://security.debian.org/debian-security bullseye-security InRelease
Hit:4 https://packages.gitlab.com/gitlab/gitlab-ce/debian bullseye InRelease
Get:5 https://packages.gitlab.com/runner/gitlab-runner/debian bullseye InRelease [23.5 kB]
Ign:6 https://packages.gitlab.com/runner/gitlab-runner/debian bullseye/main amd64 Packages
Get:6 https://packages.gitlab.com/runner/gitlab-runner/debian bullseye/main amd64 Packages [14.4 kB]
Fetched 37.9 kB in 3s (12.8 kB/s)     
Reading package lists... Done


Add a comment

Show form to leave a comment

Comments (newest first)

Peter from wrote on Apr 8th, 2024:

Thanks a lot. Worked perfect.


Kris from wrote on Feb 15th, 2023:

Worked like a charm,thanks!


Dominic from wrote on Feb 7th, 2023:

Just wanted to say thank you for this. You saved me some time today. :)


Ioan from Germany wrote on May 4th, 2022:

This worked. Thank you.


RSS feed

Blog Tags:

  AWS   Android   Ansible   Apache   Apple   Atlassian   BSD   Backup   Bash   Bluecoat   CMS   Chef   Cloud   Coding   Consul   Containers   CouchDB   DB   DNS   Database   Databases   Docker   ELK   Elasticsearch   Filebeat   FreeBSD   Galera   Git   GlusterFS   Grafana   Graphics   HAProxy   HTML   Hacks   Hardware   Icinga   Influx   Internet   Java   KVM   Kibana   Kodi   Kubernetes   LVM   LXC   Linux   Logstash   Mac   Macintosh   Mail   MariaDB   Minio   MongoDB   Monitoring   Multimedia   MySQL   NFS   Nagios   Network   Nginx   OSSEC   OTRS   Office   OpenSearch   PGSQL   PHP   Perl   Personal   PostgreSQL   Postgres   PowerDNS   Proxmox   Proxy   Python   Rancher   Rant   Redis   Roundcube   SSL   Samba   Seafile   Security   Shell   SmartOS   Solaris   Surveillance   Systemd   TLS   Tomcat   Ubuntu   Unix   VMWare   VMware   Varnish   Virtualization   Windows   Wireless   Wordpress   Wyse   ZFS   Zoneminder