gitlab-runner update failed with GPG error signatures were invalid


I’m unable to update my gitlab-runner install due to bad keys being detected. Is this a GitLab update issue or has something gone wrong on my system? Update and install were working without problems in 2023.

root@gitlab-runner:~# apt-get update
Hit:1 http://security.debian.org bookworm-security InRelease
Hit:2 http://deb.debian.org/debian bookworm InRelease
Get:3 https://packages.gitlab.com/runner/gitlab-runner/debian bookworm InRelease [23.3 kB]
Err:3 https://packages.gitlab.com/runner/gitlab-runner/debian bookworm InRelease
  The following signatures were invalid: EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) <[email protected]>
Fetched 23.3 kB in 1s (21.0 kB/s)
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.gitlab.com/runner/gitlab-runner/debian bookworm InRelease: The following signatures were invalid: EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) <[email protected]>
W: Failed to fetch https://packages.gitlab.com/runner/gitlab-runner/debian/dists/bookworm/InRelease  The following signatures were invalid: EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) <[email protected]>
W: Some index files failed to download. They have been ignored, or old ones used instead.

Many suggest adding the GitLab apt GPG key like this:

root@gitlab-runner:~# curl -s https://packages.gitlab.com/gpg.key | apt-key add -
OK

Still, it does not resolve the issue on Debian 12 and Ubuntu 22. Same error on apt update.

1

There are 1 answers

2
Arunas Bart On BEST ANSWER

To resolve this situation in 2024, especially on old installs, we first need to remove the already added GitLab apt GPG key. Run the command:

sudo apt-key del "F640 3F65 44A3 8863 DAA0 B6E0 3F01 618A 5131 2F3F"

and run the latest GitLab Runner install script:

curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.deb.sh" | sudo bash && sudo apt update

That's it, now you can do apt upgrade.

Update from a comment below: if you have the same type of issue with self-hosted gitlab-ce, please run this instead:

curl -L "https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.deb.sh" | sudo bash && sudo apt update

More details:

Note that apt-key on Debian 12 is obsolete:

root@gitlab-runner:~# apt-key list
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).

So the proper way in general should be to put the dearmored GPG signature into /etc/apt/trusted.gpg.d, but that is not the GitLab case.

If you look at the /etc/apt/sources.list.d/runner_gitlab-runner.list file, you will notice the GPG key is mentioned directly:

# this file was generated by packages.gitlab.com for
# the repository at https://packages.gitlab.com/runner/gitlab-runner

deb [signed-by=/usr/share/keyrings/runner_gitlab-runner-archive-keyring.gpg] https://packages.gitlab.com/runner/gitlab-runner/debian/ bookworm main
deb-src [signed-by=/usr/share/keyrings/runner_gitlab-runner-archive-keyring.gpg] https://packages.gitlab.com/runner/gitlab-runner/debian/ bookworm main

This is the reason why manually adding the GPG key with apt-key does not resolve the issue. Executing the install script again would deploy the latest key signature.
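
An added example, not part of the original answer: a shell script that lists the keyring each apt source is pinned to through signed-by= and reports primary keys past their expiry, which is the check that explains an EXPKEYSIG error. The function names and the sample timestamps are constructed for illustration; only one-line .list files are handled, and the system audit assumes GnuPG 2.x for gpg --show-keys.

```shell
#!/bin/sh
# Added example (not from the original answer): show which keyring each apt
# source is pinned to via signed-by=, and flag primary keys past their expiry.

# Print every keyring path named in a [signed-by=...] option of a sources file.
# Values that are fingerprints rather than paths are skipped.
signed_by_keyrings() {
    sed -n 's/^deb\(-src\)\{0,1\}[[:space:]]*\[.*signed-by=\([^] ]*\).*/\2/p' "$1" |
        tr ',' '\n' | grep '^/' | sort -u
}

# Read `gpg --with-colons` output on stdin; print IDs of primary keys whose
# expiry (field 7, epoch seconds) is earlier than the epoch given as $1.
# Keys with an empty expiry field never expire and are not reported.
expired_keys() {
    awk -F: -v now="$1" '$1 == "pub" && $7 != "" && $7 + 0 < now + 0 { print $5 }'
}

# Walk the real system: every .list file, every pinned keyring, every key.
audit_apt_keyrings() (
    now=$(date +%s)
    for list in /etc/apt/sources.list.d/*.list; do
        [ -e "$list" ] || continue
        signed_by_keyrings "$list" | while read -r ring; do
            if [ ! -r "$ring" ]; then
                echo "$list: keyring $ring is missing or unreadable"
                continue
            fi
            gpg --show-keys --with-colons "$ring" 2>/dev/null |
                expired_keys "$now" |
                while read -r id; do
                    echo "$list: $ring holds expired key $id"
                done
        done
    done
)

# Constructed sample of colon-format output; the timestamps are made up.
SAMPLE_COLONS='pub:e:4096:1:3F01618A51312F3F:1500000000:1600000000::-:::sc:
uid:e::::1500000000::::Example signing key (constructed):
pub:-:4096:1:AAAABBBBCCCCDDDD:1500000000:4000000000::-:::scESC:
pub:-:4096:1:1111222233334444:1500000000:::-:::scESC:'

# Run with --audit to check the local machine.
if [ "${1:-}" = "--audit" ]; then audit_apt_keyrings; fi
```

A source line without signed-by= produces no output from signed_by_keyrings, which means that repository is verified against the global trusted keyrings instead.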