Blog Security GitLab will extend package signing key expiration by one year
Published on: June 25, 2020
2 min read

GitLab will extend package signing key expiration by one year

Our GPG key will now expire on July 1, 2021. Here's what you need to know.

default-blog-image.png

GitLab has a GPG key used to sign all Omnibus packages created within the CI pipelines. This key is set to expire on 2020-07-01 and will be extended to expire on 2021-07-01.

Why is this being done?

The package signing key is set to a yearly expiration time to limit the exposure should the key be compromised and to comply with GitLab security practices. Generating a new key each year is much more obtrusive than continually extending the expiration time.

What do I need to do?

The only action that needs to be taken is to update your copy of the package signing key if you validate the signatures on the Omnibus packages that GitLab distributes.

The package signing key is not the key that signs the repository metadata used by the OS package managers like apt or yum. Unless you are specifically verifying the package signatures or have configured your package manager to verify the package signatures, there is no action needed on your part to continue installing Omnibus packages.

More information concerning verification of the package signatures can be found in the Omnibus documentation. If you just need to refresh a copy of the public key, then you can find it on any of the GPG keyservers by searching for [email protected] or using the key ID of DBEF 8977 4DDB 9EB3 7D9F C3A0 3CFC F9BA F27E AB47. Alternatively you could download it directly from packages.gitlab.com using the URL:

https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey/gitlab-gitlab-ce-3D645A26AB9FBD22.pub.gpg

I still have problems, what do I do?

Please open an issue in the omnibus-gitlab issue tracker.

We want to hear from you

Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum. Share your feedback

Ready to get started?

See what your team could do with a unified DevSecOps Platform.

Get free trial

Find out which plan works best for your team

Learn about pricing

Learn about what GitLab can do for your team

Talk to an expert