# Linux package signatures

We use a packagecloud instance at https://packages.gitlab.com to share the different OS packages we offer.
The instance uses various cryptographic methods to ensure the integrity of these packages.
## Package repository metadata signing keys

The APT and YUM repositories on the packagecloud instance use a GPG key to sign their metadata. This key is automatically installed by the repository setup script specified in the installation instructions.
### Current signing key

| Key attribute | Value |
|---|---|
| Name | GitLab B.V. `<packages@gitlab.com>` |
| Comment | package repository signing key |
| Fingerprint | F640 3F65 44A3 8863 DAA0 B6E0 3F01 618A 5131 2F3F |
| Expiry | 2026-02-27 |
This key is active from 2020-04-06.

The key's expiry was extended from 2024-03-01 to 2026-02-27. If you encounter an expiration of 2024-03-01, follow the instructions below.
packagecloud made use of `apt-key`, which is deprecated. Manually installed or configured repositories from some distributions, such as TurnKey Linux, are already using the `signed-by` support in Debian package source lists.
1. Determine if you're using `apt-key` or `signed-by`:

   ```shell
   grep 'deb \[signed-by=' /etc/apt/sources.list.d/gitlab_gitlab-?e.list
   ```

   If this command:

   - Returns any lines, you're using `signed-by`, which takes precedence over `apt-key`.
   - Returns no lines, you're using `apt-key`.

1. If using `signed-by`, run this script as root to update the public keys for GitLab repositories:

   ```shell
   awk '/deb \[signed-by=/{ pubkey = $2; sub(/\[signed-by=/, "", pubkey); sub(/\]$/, "", pubkey); print pubkey }' /etc/apt/sources.list.d/gitlab_gitlab-?e.list | \
   while read line; do
     # overwrite each keyring named by signed-by= with the current key (binary form)
     curl -s "https://packages.gitlab.com/gpg.key" | gpg --dearmor > "$line"
   done
   ```

1. If using `apt-key`, run this script as root to update the public keys for GitLab repositories:

   ```shell
   apt-key del 3F01618A51312F3F
   curl -s "https://packages.gitlab.com/gpg.key" | apt-key add -
   apt-key list 3F01618A51312F3F
   ```
YUM and DNF have small differences, but the underlying configuration is identical:

1. Remove any existing key from the repository keyrings:

   ```shell
   for pubring in /var/cache/dnf/*gitlab*/pubring
   do
     gpg --homedir "$pubring" --delete-key F6403F6544A38863DAA0B6E03F01618A51312F3F
   done
   ```

1. Update the repository data and cache, which asks you to confirm keys:

   ```shell
   dnf check-update
   ```
### Fetch latest signing key

To fetch the latest repository signing key:

1. Download the key:

   ```shell
   curl "https://packages.gitlab.com/gpg.key" -o /tmp/omnibus_gitlab_gpg.key
   ```

1. Import the key:

   - Debian/Ubuntu/Raspbian:

     ```shell
     sudo apt-key add /tmp/omnibus_gitlab_gpg.key
     ```

   - CentOS/OpenSUSE/SLES:

     ```shell
     sudo rpm --import /tmp/omnibus_gitlab_gpg.key
     ```

1. Make sure that the new key has the necessary permissions to be properly recognized by your OS, which should be `644`. You can set the permissions by running:

   ```shell
   chmod 644 <keyfile>
   ```
### Previous key

| Sl. No. | Key ID | Expiry date |
|---|---|---|
| 1 | 1A4C 919D B987 D435 9396 38B9 1421 9A96 E15E 78F4 | 2020-04-15 |
## Package signatures

This section provides methods for verifying the signatures of GitLab-produced packages, both manually and automatically where supported.
### RPM-based distributions

The RPM format contains a full implementation of GPG signing functionality and is fully integrated with the package management systems based upon that format.

#### Verify GitLab public key is present

To verify a package on an RPM-based distribution, ensure that the GitLab, Inc. public key is present in the `rpm` keychain. For example:

```shell
rpm -q gpg-pubkey-f27eab47-60d4a67e --qf '%{name}-%{version}-%{release} --> %{summary}'
```

This command produces either:

- Information on the public key.
- A message that the key isn't installed. For example: `gpg-pubkey-f27eab47-60d4a67e is not installed`.

If the key is not present, import it. For example:

```shell
rpm --import https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey/gitlab-gitlab-ce-3D645A26AB9FBD22.pub.gpg
```
#### Verify if signature check is active

To check if package signature checking is active on an existing install, compare the content of the repository file:

1. Check if the repository file exists:

   ```shell
   file /etc/yum.repos.d/gitlab_gitlab-ce.repo
   ```

1. Check that signature checking is active:

   ```shell
   grep gpgcheck /etc/yum.repos.d/gitlab_gitlab-ce.repo
   ```

   This command should output:

   ```plaintext
   repo_gpgcheck=1
   gpgcheck=1
   ```

   or

   ```plaintext
   repo_gpgcheck=1
   pkg_gpgcheck=1
   ```

If the file does not exist, you don't have the repository installed. If the file exists, but the output shows `gpgcheck=0`, then you must edit that value to enable it.
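The `grep` above reads one repository file by eye. The following added example (not GitLab's code) does the same audit programmatically over a `.repo` file: it reports, per repository section, whether package signatures (`gpgcheck` or `pkg_gpgcheck`) and metadata signatures (`repo_gpgcheck`) are checked, lists the sections that need editing, and produces a corrected copy with both checks enabled. The repository file text is a constructed sample; the `baseurl` layout in it is an assumption.

```python
"""Added example (not GitLab's own code): audit yum/dnf .repo files for
disabled signature checking and emit a corrected copy.  The repo file
text below is a constructed sample."""
import configparser
from io import StringIO

# Either spelling of the package check may appear (see the page text).
PACKAGE_CHECK_KEYS = ("gpgcheck", "pkg_gpgcheck")
REPO_CHECK_KEYS = ("repo_gpgcheck",)


def _enabled(section, keys) -> bool:
    """True if the first of `keys` present in the section is set to 1/true/yes."""
    for k in keys:
        if k in section:
            return section[k].strip().lower() in ("1", "true", "yes")
    return False  # absent means not enabled


def audit_repo_file(text: str) -> dict[str, dict[str, bool]]:
    """Map each repo id to whether package and metadata signatures are checked."""
    cp = configparser.ConfigParser(interpolation=None)  # keep $basearch literal
    cp.read_file(StringIO(text))
    result = {}
    for repo_id in cp.sections():
        section = cp[repo_id]
        result[repo_id] = {
            "package_sigs": _enabled(section, PACKAGE_CHECK_KEYS),
            "metadata_sigs": _enabled(section, REPO_CHECK_KEYS),
        }
    return result


def repos_missing_checks(text: str) -> list[str]:
    """Repo ids where either check is off; these must be edited before use."""
    return [rid for rid, flags in audit_repo_file(text).items()
            if not (flags["package_sigs"] and flags["metadata_sigs"])]


def enable_checks(text: str) -> str:
    """Return a copy of the file with gpgcheck=1 and repo_gpgcheck=1 in every section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(StringIO(text))
    for repo_id in cp.sections():
        cp[repo_id]["gpgcheck"] = "1"
        cp[repo_id]["repo_gpgcheck"] = "1"
    out = StringIO()
    cp.write(out)
    return out.getvalue()


# Constructed sample: the binary repo is correct, the source repo has the
# weak setting gpgcheck=0 that the page tells you to fix.
SAMPLE_REPO = """\
[gitlab_gitlab-ce]
name=gitlab_gitlab-ce
baseurl=https://packages.gitlab.com/gitlab/gitlab-ce/el/9/$basearch
repo_gpgcheck=1
gpgcheck=1
enabled=1
gpgkey=https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey
       https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey/gitlab-gitlab-ce-3D645A26AB9FBD22.pub.gpg
sslverify=1
metadata_expire=300

[gitlab_gitlab-ce-source]
name=gitlab_gitlab-ce-source
baseurl=https://packages.gitlab.com/gitlab/gitlab-ce/el/9/SRPMS
repo_gpgcheck=1
gpgcheck=0
enabled=1
"""

if __name__ == "__main__":
    for rid, flags in audit_repo_file(SAMPLE_REPO).items():
        print(rid, flags)
    print("needs editing:", repos_missing_checks(SAMPLE_REPO))
```

Run `audit_repo_file` over the text of `/etc/yum.repos.d/gitlab_gitlab-ce.repo` (or every file in that directory) to find repositories that would install unverified packages; `enable_checks` gives the corrected content to write back, after which `dnf check-update` prompts for the key as described above.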
#### Verify a Linux package rpm file

After confirming that the public key is present, verify the package:

```shell
rpm --checksig gitlab-xxx.rpm
```
### Debian-based distributions

The Debian package format does not officially contain a method for signing packages. We implemented the `debsig` standard, which is well documented but not enabled by default on most distributions.

You can verify a Linux package `.deb` file by either:

- Using `debsig-verify` after configuring the necessary `debsigs` policy and keyring.
- Manually checking the contained `_gpgorigin` file with GnuPG.
#### Configure debsigs

Because configuring a policy and keyring for `debsigs` can be complicated, we provide the `gitlab-debsigs.sh` script for configuration. To use this script, you need to download the public key and the script.

```shell
curl -JLO "https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey/gitlab-gitlab-ce-3D645A26AB9FBD22.pub.gpg"
curl -JLO "https://gitlab.com/gitlab-org/omnibus-gitlab/raw/master/scripts/gitlab-debsigs.sh"
chmod +x gitlab-debsigs.sh
sudo ./gitlab-debsigs.sh gitlab-gitlab-ce-3D645A26AB9FBD22.pub.gpg
```
#### Verify with debsig-verify

To use `debsig-verify`:

1. Configure `debsigs`.
1. Install the `debsig-verify` package.
1. Run `debsig-verify` to verify the file:

   ```shell
   debsig-verify gitlab-xxx.deb
   ```
#### Verify with GnuPG

If you don't want to install the dependencies that `debsig-verify` pulls in, you can use GnuPG instead:

1. Download and import the package signing public key:

   ```shell
   curl -JLO "https://packages.gitlab.com/gitlab/gitlab-ee/gpgkey/gitlab-gitlab-ee-3D645A26AB9FBD22.pub.gpg"
   gpg --import gitlab-gitlab-ee-3D645A26AB9FBD22.pub.gpg
   ```

1. Extract the signature file `_gpgorigin`:

   ```shell
   ar x gitlab-xxx.deb _gpgorigin
   ```

1. Verify the signature matches the content:

   ```shell
   ar p gitlab-xxx.deb debian-binary control.tar.gz data.tar.gz | gpg --verify _gpgorigin -
   ```

   The output of this command should appear like this:

   ```plaintext
   gpg: Signature made Tue Aug 01 22:21:11 2017 UTC
   gpg: using RSA key DBEF89774DDB9EB37D9FC3A03CFCF9BAF27EAB47
   gpg: issuer "support@gitlab.com"
   gpg: Good signature from "GitLab, Inc. <support@gitlab.com>" [unknown]
   Primary key fingerprint: DBEF 8977 4DDB 9EB3 7D9F C3A0 3CFC F9BA F27E AB47
   ```

   If the verification fails with `gpg: BAD signature from "GitLab, Inc. <support@gitlab.com>" [unknown]`, ensure:

   - The file names are written in the correct order.
   - The file names match the content of the archive.

   Depending on what Linux distribution you use, the content of the archive might have a different suffix. This means you need to adjust the command accordingly. To confirm the content of the archive, run `ar t gitlab-xxx.deb`.

   For example, for Ubuntu Focal (20.04):

   ```shell
   $ ar t gitlab-ee_17.4.2-ee.0_amd64.deb
   debian-binary
   control.tar.xz
   data.tar.xz
   _gpgorigin
   ```
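The two causes of a `BAD signature` listed above (wrong member order, wrong suffix) both come from typing the member names by hand. The following is an added example, not GitLab's code: it parses the `.deb` as the `ar` archive it is, lists the members exactly as `ar t` does, and assembles the byte stream that `ar p <deb> <members...> | gpg --verify _gpgorigin -` feeds to GnuPG, taking every member except `_gpgorigin` in archive order so the suffix and order are always right. That the signature covers the other members concatenated in archive order is what the page's own command shows; the sample archive is constructed in memory from dummy members and carries a dummy signature, and `verify_with_gpg` is a convenience that shells out to `gpg` and needs the real signing key imported.

```python
"""Added example (not GitLab's own code): list .deb (ar archive) members and
build the payload that `ar p ... | gpg --verify _gpgorigin -` signs over.
The sample archive is constructed here, not a real GitLab package."""
import subprocess
import tempfile
from pathlib import Path

AR_MAGIC = b"!<arch>\n"
SIGNATURE_MEMBER = "_gpgorigin"


def ar_members(deb: bytes) -> list[tuple[str, bytes]]:
    """Return (name, data) pairs in archive order, like `ar t` plus contents.

    Each member has a 60-byte ASCII header: name(16) mtime(12) uid(6) gid(6)
    mode(8) size(10) and the terminator "`\\n"; data is padded to an even offset.
    """
    if not deb.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members = []
    pos = len(AR_MAGIC)
    while pos + 60 <= len(deb):
        header = deb[pos:pos + 60]
        if header[58:60] != b"`\n":
            raise ValueError(f"bad member header at offset {pos}")
        name = header[0:16].decode("ascii").rstrip(" /")  # GNU ar appends '/'
        size = int(header[48:58].decode("ascii").strip())
        data = deb[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError(f"truncated member {name!r}")
        members.append((name, data))
        pos += 60 + size + (size % 2)
    return members


def member_names(deb: bytes) -> list[str]:
    """Same listing as `ar t gitlab-xxx.deb`."""
    return [name for name, _ in ar_members(deb)]


def signed_payload(deb: bytes) -> bytes:
    """Concatenate every member except _gpgorigin, in archive order.

    Piping members in another order, or naming control.tar.gz when the
    archive holds control.tar.xz, changes these bytes and yields BAD signature.
    """
    return b"".join(data for name, data in ar_members(deb) if name != SIGNATURE_MEMBER)


def verify_with_gpg(deb: bytes) -> bool:
    """Run `gpg --verify` on the embedded signature; the signing key must be imported."""
    sig = dict(ar_members(deb)).get(SIGNATURE_MEMBER)
    if sig is None:
        raise ValueError("package carries no _gpgorigin member")
    with tempfile.TemporaryDirectory() as tmp:
        sig_path = Path(tmp, SIGNATURE_MEMBER)
        sig_path.write_bytes(sig)
        proc = subprocess.run(["gpg", "--verify", str(sig_path), "-"],
                              input=signed_payload(deb), capture_output=True)
    return proc.returncode == 0


def build_ar(members: list[tuple[str, bytes]]) -> bytes:
    """Build a minimal ar archive (constructed fixture, not a real .deb)."""
    out = bytearray(AR_MAGIC)
    for name, data in members:
        header = (f"{name:<16}{0:<12}{0:<6}{0:<6}{100644:<8}{len(data):<10}"
                  ).encode("ascii") + b"`\n"
        out += header + data
        if len(data) % 2:
            out += b"\n"  # pad to even offset, as ar does
    return bytes(out)


# Constructed sample mirroring the Focal member list on this page; the
# contents and the signature are dummies.
SAMPLE_DEB = build_ar([
    ("debian-binary", b"2.0\n"),
    ("control.tar.xz", b"control-bytes"),
    ("data.tar.xz", b"data-bytes!"),
    (SIGNATURE_MEMBER, b"dummy-signature"),
])

if __name__ == "__main__":
    print("members:", member_names(SAMPLE_DEB))
    print("signed payload:", signed_payload(SAMPLE_DEB))
```

For a real package, `verify_with_gpg(Path("gitlab-xxx.deb").read_bytes())` performs the same check as the manual `ar p ... | gpg --verify` pipeline without retyping member names; `member_names` replaces `ar t` when you want to see what the archive actually contains.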