Linux package signatures

Tier: Free, Premium, Ultimate. Offering: Self-managed.

We use a packagecloud instance at https://packages.gitlab.com to share the different OS packages we offer.

The instance uses various cryptographic methods to ensure the integrity of these packages.

Package repository metadata signing keys

The APT and YUM repositories on the packagecloud instance use a GPG key to sign their metadata. This key is automatically installed by the repository setup script specified in the installation instructions.

Current signing key

Key attribute   Value
Name            GitLab B.V.
EMail           packages@gitlab.com
Comment         package repository signing key
Fingerprint     F640 3F65 44A3 8863 DAA0 B6E0 3F01 618A 5131 2F3F
Expiry          2026-02-27

This key is active from 2020-04-06.

The key’s expiry was extended from 2024-03-01 to 2026-02-27. If you encounter an expiration of 2024-03-01, follow the instructions below.

Debian-based distributions

packagecloud used apt-key, which is deprecated. Manually installed or configured repositories on some distributions, such as TurnKey Linux, already use the signed-by support in Debian package source lists.

  1. Determine if you’re using apt-key or signed-by:

    grep 'deb \[signed-by=' /etc/apt/sources.list.d/gitlab_gitlab-?e.list
    

    If this command:

    • Returns any lines, you’re using signed-by, which takes precedence over apt-key.
    • Returns no lines, you’re using apt-key.
  2. If using signed-by, run this script as root to update the public keys for GitLab repositories:

    # Extract each signed-by keyring path from the GitLab source lists,
    # then overwrite every one of them with the current (dearmored) key.
    awk '/deb \[signed-by=/{
          pubkey = $2;
          sub(/\[signed-by=/, "", pubkey);
          sub(/\]$/, "", pubkey);
          print pubkey
        }' /etc/apt/sources.list.d/gitlab_gitlab-?e.list | \
      while read -r line; do
        curl -s "https://packages.gitlab.com/gpg.key" | gpg --dearmor > "$line"
      done
    
  3. If using apt-key, run this script as root to update the public keys for GitLab repositories:

    apt-key del 3F01618A51312F3F
    curl -s "https://packages.gitlab.com/gpg.key" | apt-key add -
    apt-key list 3F01618A51312F3F
    
RPM-based distributions

YUM and DNF have small differences, but the underlying configuration is identical:

  1. Remove any existing key from the repository keyrings:

    # Delete the old copy of the key from every cached GitLab repository keyring.
    for pubring in /var/cache/dnf/*gitlab*/pubring
    do
      gpg --homedir "$pubring" --delete-key F6403F6544A38863DAA0B6E03F01618A51312F3F
    done
    
  2. Update the repository data and cache, which asks you to confirm keys:

    dnf check-update
    

Fetch latest signing key

To fetch the latest repository signing key:

  1. Download the key:

    curl "https://packages.gitlab.com/gpg.key" -o /tmp/omnibus_gitlab_gpg.key
    
  2. Import the key:

    Debian/Ubuntu/Raspbian
    sudo apt-key add /tmp/omnibus_gitlab_gpg.key
    
    CentOS/OpenSUSE/SLES
    sudo rpm --import /tmp/omnibus_gitlab_gpg.key
    
  3. Make sure that the new key has the necessary permissions to be properly recognized by your OS, which should be 644. You can set the permissions by running:

    chmod 644 <keyfile>
    

Previous key

No.   Key ID                                              Expiry date
1     1A4C 919D B987 D435 9396 38B9 1421 9A96 E15E 78F4   2020-04-15

Package signatures

This section provides methods for verifying the signatures of GitLab-produced packages, both manually and automatically where supported.

RPM-based distributions

The RPM format contains a full implementation of GPG signing functionality and is fully integrated with the package management systems based upon that format.

Verify GitLab public key is present

To verify a package on an RPM-based distribution, ensure that the GitLab, Inc. public key is present in the rpm keychain. For example:

rpm -q gpg-pubkey-f27eab47-60d4a67e --qf '%{name}-%{version}-%{release} --> %{summary}'

This command produces either:

  • Information on the public key.
  • A message that the key isn’t installed. For example: gpg-pubkey-f27eab47-60d4a67e is not installed.

If the key is not present, import it. For example:

rpm --import https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey/gitlab-gitlab-ce-3D645A26AB9FBD22.pub.gpg

Verify if signature check is active

To check if package signature checking is active on an existing install, inspect the content of the repository file:

  1. Check that the repository file exists: file /etc/yum.repos.d/gitlab_gitlab-ce.repo.
  2. Check that signature checking is active: grep gpgcheck /etc/yum.repos.d/gitlab_gitlab-ce.repo. This command should output:

    repo_gpgcheck=1
    gpgcheck=1
    

    or

    repo_gpgcheck=1
    pkg_gpgcheck=1
    

If the file does not exist, you don’t have the repository installed. If the file exists, but the output shows gpgcheck=0, then you must edit that value to enable it.

Verify a Linux package rpm file

After confirming that the public key is present, verify the package:

rpm --checksig gitlab-xxx.rpm

Debian-based distributions

The Debian package format does not officially contain a method for signing packages. We implemented the debsig standard, which is well documented but not enabled by default on most distributions.

You can verify a Linux package deb file by either:

  • Using debsig-verify after configuring the necessary debsigs policy and keyring.
  • Manually checking the contained _gpgorigin file with GnuPG.

Configure debsigs

Because configuring a policy and keyring for debsigs can be complicated, we provide the gitlab-debsigs.sh script for configuration. To use this script, you need to download the public key and the script.

curl -JLO "https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey/gitlab-gitlab-ce-3D645A26AB9FBD22.pub.gpg"
curl -JLO "https://gitlab.com/gitlab-org/omnibus-gitlab/raw/master/scripts/gitlab-debsigs.sh"
chmod +x gitlab-debsigs.sh
sudo ./gitlab-debsigs.sh gitlab-gitlab-ce-3D645A26AB9FBD22.pub.gpg

Verify with debsig-verify

To use debsig-verify:

  1. Configure debsigs.
  2. Install the debsig-verify package.
  3. Run debsig-verify to verify the file:

    debsig-verify gitlab-xxx.deb
    

Verify with GnuPG

If you don’t want to install the dependencies that debsig-verify pulls in, you can use GnuPG instead:

  1. Download and import the package signing public key:

    curl -JLO "https://packages.gitlab.com/gitlab/gitlab-ee/gpgkey/gitlab-gitlab-ee-3D645A26AB9FBD22.pub.gpg"
    gpg --import gitlab-gitlab-ee-3D645A26AB9FBD22.pub.gpg
    
  2. Extract the signature file _gpgorigin:

    ar x gitlab-xxx.deb _gpgorigin
    
  3. Verify the signature matches the content:

    ar p gitlab-xxx.deb debian-binary control.tar.gz data.tar.gz | gpg --verify _gpgorigin -
    

    The output of this command should appear like this:

    gpg: Signature made Tue Aug 01 22:21:11 2017 UTC
    gpg:                using RSA key DBEF89774DDB9EB37D9FC3A03CFCF9BAF27EAB47
    gpg:                issuer "support@gitlab.com"
    gpg: Good signature from "GitLab, Inc. <support@gitlab.com>" [unknown]
    Primary key fingerprint: DBEF 8977 4DDB 9EB3 7D9F  C3A0 3CFC F9BA F27E AB47
    

If the verification fails with gpg: BAD signature from "GitLab, Inc. <support@gitlab.com>" [unknown], ensure:

  • The file names are written in correct order.
  • The file names match the content of the archive.

Depending on what Linux distribution you use, the content of the archive might have a different suffix. This means you need to adjust the command accordingly. To confirm the content of the archive, run ar t gitlab-xxx.deb.

For example, for Ubuntu Focal (20.04):

$ ar t gitlab-ee_17.4.2-ee.0_amd64.deb
debian-binary
control.tar.xz
data.tar.xz
_gpgorigin
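The manual GnuPG check above fails with a BAD signature whenever the member names are given in the wrong order or with the wrong compression suffix. The following added example (not from the GitLab docs or the omnibus-gitlab project) derives the member list from ar t itself, refuses archives that carry no _gpgorigin, and then runs the same gpg --verify pipeline; it assumes ar and gpg are installed and that the package signing key has already been imported.

```shell
#!/bin/sh
# Added example, not part of the GitLab docs: verify a .deb the way the
# page describes, but derive the member names (and their compression
# suffix) from `ar t` instead of hard-coding control.tar.gz/data.tar.gz.

# Read an `ar t` listing on stdin; print the three signed members in the
# order the signature covers them. Return 1 if a member is missing, 2 if
# the archive carries no _gpgorigin (that is, it was never signed).
ordered_members() {
  listing=$(cat)
  debian_binary=$(printf '%s\n' "$listing" | grep -x 'debian-binary' || true)
  control=$(printf '%s\n' "$listing" | grep -E '^control\.tar(\.[a-z0-9]+)?$' || true)
  data=$(printf '%s\n' "$listing" | grep -E '^data\.tar(\.[a-z0-9]+)?$' || true)
  origin=$(printf '%s\n' "$listing" | grep -x '_gpgorigin' || true)
  if [ -z "$debian_binary" ] || [ -z "$control" ] || [ -z "$data" ]; then
    echo "ordered_members: debian-binary, control.tar or data.tar missing" >&2
    return 1
  fi
  if [ -z "$origin" ]; then
    echo "ordered_members: no _gpgorigin member, package is unsigned" >&2
    return 2
  fi
  printf '%s %s %s\n' "$debian_binary" "$control" "$data"
}

# Verify one .deb with GnuPG. Assumes the GitLab package signing key has
# already been imported into the caller's keyring (step 1 on this page).
verify_deb() {
  deb=$1
  members=$(ar t "$deb" | ordered_members) || return $?
  tmp=$(mktemp -d) || return 1
  # `ar p` writes the member to stdout, so no working-directory juggling.
  ar p "$deb" _gpgorigin > "$tmp/_gpgorigin"
  # Stream the members in signature order; word-splitting of $members is intended.
  # shellcheck disable=SC2086
  if ar p "$deb" $members | gpg --verify "$tmp/_gpgorigin" -; then
    status=0
  else
    status=1
  fi
  rm -rf "$tmp"
  return $status
}
```

Call verify_deb gitlab-xxx.deb; a non-zero status means the archive is unsigned, malformed, or its signature does not match the streamed content.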