Linux package signatures

  • Tier: Free, Premium, Ultimate
  • Offering: GitLab Self-Managed

We use a packagecloud instance at https://packages.gitlab.com to share the different OS packages we offer.

The instance uses various cryptographic methods to ensure the integrity of these packages.

Package repository metadata signing keys

The APT and YUM repositories on the packagecloud instance use a GPG key to sign their metadata. This key is automatically installed by the repository setup script specified in the installation instructions.

Current signing key

Key attribute   Value
Name            GitLab B.V.
EMail           packages@gitlab.com
Comment         package repository signing key
Fingerprint     F640 3F65 44A3 8863 DAA0 B6E0 3F01 618A 5131 2F3F
Expiry          2026-02-27

This key is active from 2020-04-06.

The key’s expiry was extended from 2024-03-01 to 2026-02-27. If you encounter an expiration of 2024-03-01, follow the instructions below.

packagecloud previously used apt-key, which is deprecated. Manually installed or configured repositories from some distributions, such as TurnKey Linux, already use the signed-by support in Debian package source lists.

  1. Determine if you’re using apt-key or signed-by:

    grep 'deb \[signed-by=' /etc/apt/sources.list.d/gitlab_gitlab-?e.list

    If this command:

    • Returns any lines, you’re using signed-by, which takes precedence over apt-key.
    • Returns no lines, you’re using apt-key.
  2. If using signed-by, run this script as root to update the public keys for GitLab repositories:

    # Extract the keyring path from each signed-by entry, then overwrite that
    # keyring with the current (dearmored) repository key.
    awk '/deb \[signed-by=/{
          pubkey = $2;
          sub(/\[signed-by=/, "", pubkey);
          sub(/\]$/, "", pubkey);
          print pubkey
        }' /etc/apt/sources.list.d/gitlab_gitlab-?e.list | \
      while read -r line; do
        curl -s "https://packages.gitlab.com/gpg.key" | gpg --dearmor > "$line"
      done
  3. If using apt-key, run this script as root to update the public keys for GitLab repositories:

    # Remove the old copy of the key, add the current one, then confirm it is listed.
    apt-key del 3F01618A51312F3F
    curl -s "https://packages.gitlab.com/gpg.key" | apt-key add -
    apt-key list 3F01618A51312F3F

Fetch latest signing key

To fetch the latest repository signing key:

  1. Download the key:

    curl "https://packages.gitlab.com/gpg.key" -o /tmp/omnibus_gitlab_gpg.key
  2. Import the key:

    sudo apt-key add /tmp/omnibus_gitlab_gpg.key
  3. Make sure the new key file has the permissions your OS needs to recognize it, which should be 644. You can set the permissions by running:

    chmod 644 <keyfile>
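The two procedures above (choosing between signed-by and apt-key, and fetching the current key) are combined below in an added example that is not part of the GitLab documentation or the omnibus-gitlab project. It adds the check a practitioner would want before overwriting a keyring: the downloaded key's fingerprint must equal the one published in the table above. The keyring path and source-list lines used for illustration are constructed; the awk extraction mirrors the page's script but skips commented-out entries.

```shell
#!/bin/sh
# Added example (not from the GitLab docs): refresh the repository metadata key
# through whichever mechanism the sources list uses, and refuse to install a
# downloaded key whose fingerprint does not match the documented one.

# Fingerprint of the current repository signing key (from the docs), no spaces.
GITLAB_REPO_KEY_FPR="F6403F6544A38863DAA0B6E03F01618A51312F3F"
GITLAB_REPO_KEY_URL="https://packages.gitlab.com/gpg.key"

# Read source-list lines on stdin; print the keyring path of each signed-by entry.
# Only active "deb"/"deb-src" lines count; commented-out entries are ignored.
signed_by_paths() {
  awk '/^deb(-src)? \[signed-by=/ {
    p = $2
    sub(/\[signed-by=/, "", p)
    sub(/\]$/, "", p)
    print p
  }'
}

# Read source-list lines on stdin; print "signed-by" if any entry names a
# keyring (signed-by takes precedence, as the docs note), otherwise "apt-key".
apt_key_mechanism() {
  if [ -n "$(signed_by_paths)" ]; then
    echo "signed-by"
  else
    echo "apt-key"
  fi
}

# Return 0 if the armored key file's primary fingerprint equals the expected one.
# In gpg's colon-separated output the "fpr" record carries the fingerprint in field 10.
key_fingerprint_matches() {
  fpr=$(gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }')
  [ "$fpr" = "$GITLAB_REPO_KEY_FPR" ]
}

# Download, check, then install the key. Run as root on a host with the
# GitLab repository configured; returns non-zero (and installs nothing) on any mismatch.
refresh_gitlab_repo_key() {
  lists=$(cat /etc/apt/sources.list.d/gitlab_gitlab-?e.list) || return 1
  tmp=$(mktemp) || return 1
  curl -fsS "$GITLAB_REPO_KEY_URL" -o "$tmp" || { rm -f "$tmp"; return 1; }
  if ! key_fingerprint_matches "$tmp"; then
    echo "downloaded key does not match fingerprint $GITLAB_REPO_KEY_FPR; not installing" >&2
    rm -f "$tmp"
    return 1
  fi
  case "$(printf '%s\n' "$lists" | apt_key_mechanism)" in
    signed-by)
      printf '%s\n' "$lists" | signed_by_paths | while read -r keyring; do
        gpg --dearmor < "$tmp" > "$keyring" && chmod 644 "$keyring"
      done ;;
    apt-key)
      apt-key del 3F01618A51312F3F
      apt-key add "$tmp" ;;
  esac
  rm -f "$tmp"
}
```

To use it on a real host, source the file and call `refresh_gitlab_repo_key` as root; the parsing functions can be exercised on their own by piping source-list text into them.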

Previous key

Sl. No.   Key ID                                              Expiry date
1         1A4C 919D B987 D435 9396 38B9 1421 9A96 E15E 78F4   2020-04-15

Package signatures

This section provides methods for verifying the signatures of GitLab-produced packages, both manually and automatically where supported.

RPM-based distributions

The RPM format contains a full implementation of GPG signing functionality and is fully integrated with the package management systems based upon that format.

Verify GitLab public key is present

To verify a package on an RPM-based distribution, ensure that the GitLab, Inc. public key is present in the rpm keychain. For example:

rpm -q gpg-pubkey-f27eab47-60d4a67e --qf '%{name}-%{version}-%{release} --> %{summary}'

This command produces either:

  • Information on the public key.
  • A message that the key isn’t installed. For example: gpg-pubkey-f27eab47-60d4a67e is not installed.

If the key is not present, import it. For example:

rpm --import https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey/gitlab-gitlab-ce-3D645A26AB9FBD22.pub.gpg

Verify if signature check is active

To check if package signature checking is active on an existing install, compare the content of the repository file:

  1. Check if the repository file exists: file /etc/yum.repos.d/gitlab_gitlab-ce.repo.

  2. Check that signature checking is active: grep gpgcheck /etc/yum.repos.d/gitlab_gitlab-ce.repo. This command should output:

    repo_gpgcheck=1
    gpgcheck=1

    or

    repo_gpgcheck=1
    pkg_gpgcheck=1

If the file does not exist, you don’t have the repository installed. If the file exists, but the output shows gpgcheck=0, then you must edit that value to enable it.

Verify a Linux package rpm file

After confirming that the public key is present, verify the package:

rpm --checksig gitlab-xxx.rpm
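The three RPM checks above (key present, signature checking enabled, package verified) can be scripted for an existing install. The following is an added example, not code from the GitLab documentation; it parses the .repo file itself rather than grepping, so it accepts either spelling of the package check (gpgcheck or pkg_gpgcheck), tolerates whitespace around the equals sign, and ignores commented-out lines. The key id and file path come from this page; the sample .repo text in the usage is constructed.

```shell
#!/bin/sh
# Added example (not from the GitLab docs): audit an RPM-based install for the
# GitLab package signing key and for signature checking on both packages and
# repository metadata.

# Read a .repo file on stdin and print the value of one key. Comment lines
# (# or ;) are skipped and whitespace around the key and value is trimmed.
# Prints nothing if the key is absent; stops at the first match.
repo_setting() {
  awk -F= -v key="$1" '
    /^[ \t]*[#;]/ { next }
    {
      k = $1; v = $2
      gsub(/^[ \t]+|[ \t]+$/, "", k)
      gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) { print v; exit }
    }'
}

# Return 0 only if repository metadata AND package signature checks are enabled.
# The package check may be written gpgcheck=1 or pkg_gpgcheck=1, as the docs show.
repo_signing_enabled() {
  content=$(cat)
  repo=$(printf '%s\n' "$content" | repo_setting repo_gpgcheck)
  pkg=$(printf '%s\n' "$content" | repo_setting gpgcheck)
  [ -n "$pkg" ] || pkg=$(printf '%s\n' "$content" | repo_setting pkg_gpgcheck)
  [ "$repo" = "1" ] && [ "$pkg" = "1" ]
}

# Return 0 if the GitLab package signing key (key id from the docs) is in the rpm keychain.
gitlab_rpm_key_present() {
  rpm -q gpg-pubkey-f27eab47-60d4a67e >/dev/null 2>&1
}

# Combined check for a live system: reports each gap on stderr and returns
# non-zero if any check fails. Optionally verifies a downloaded rpm as well.
check_rpm_install() {
  status=0
  repo_file=/etc/yum.repos.d/gitlab_gitlab-ce.repo
  gitlab_rpm_key_present || { echo "GitLab package signing key is not imported" >&2; status=1; }
  if [ -r "$repo_file" ]; then
    repo_signing_enabled < "$repo_file" ||
      { echo "gpgcheck and repo_gpgcheck are not both enabled in $repo_file" >&2; status=1; }
  else
    echo "$repo_file not found; repository is not installed" >&2
    status=1
  fi
  if [ -n "$1" ]; then
    rpm --checksig "$1" || { echo "$1: signature check failed" >&2; status=1; }
  fi
  return $status
}
```

`repo_setting` returns the first match, so on a .repo file with several sections (for example a source repository alongside the binary one) it reports the first section only; check each section separately if both matter.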

Debian-based distributions

The Debian package format does not officially contain a method for signing packages. We implemented the debsig standard, which is well documented but not enabled by default on most distributions.

You can verify a Linux package deb file by either:

  • Using debsig-verify after configuring the necessary debsigs policy and keyring.
  • Manually checking the contained _gpgorigin file with GnuPG.

Configure debsigs

Because configuring a policy and keyring for debsigs can be complicated, we provide the gitlab-debsigs.sh script for configuration. To use this script, you need to download the public key and the script.

curl -JLO "https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey/gitlab-gitlab-ce-3D645A26AB9FBD22.pub.gpg"
curl -JLO "https://gitlab.com/gitlab-org/omnibus-gitlab/raw/master/scripts/gitlab-debsigs.sh"
chmod +x gitlab-debsigs.sh
sudo ./gitlab-debsigs.sh gitlab-gitlab-ce-3D645A26AB9FBD22.pub.gpg

Verify with debsig-verify

To use debsig-verify:

  1. Configure debsigs.

  2. Install the debsig-verify package.

  3. Run debsig-verify to verify the file:

    debsig-verify gitlab-xxx.deb

Verify with GnuPG

If you don’t want to install the dependencies that debsig-verify pulls in, you can use GnuPG instead:

  1. Download and import the package signing public key:

    curl -JLO "https://packages.gitlab.com/gitlab/gitlab-ee/gpgkey/gitlab-gitlab-ee-3D645A26AB9FBD22.pub.gpg"
    gpg --import gitlab-gitlab-ee-3D645A26AB9FBD22.pub.gpg
  2. Extract the signature file _gpgorigin:

    ar x gitlab-xxx.deb _gpgorigin
  3. Verify the signature matches the content:

    ar p gitlab-xxx.deb debian-binary control.tar.gz data.tar.gz | gpg --verify _gpgorigin -

    The output of this command should appear like this:

    gpg: Signature made Tue Aug 01 22:21:11 2017 UTC
    gpg:                using RSA key DBEF89774DDB9EB37D9FC3A03CFCF9BAF27EAB47
    gpg:                issuer "support@gitlab.com"
    gpg: Good signature from "GitLab, Inc. <support@gitlab.com>" [unknown]
    Primary key fingerprint: DBEF 8977 4DDB 9EB3 7D9F  C3A0 3CFC F9BA F27E AB47

If the verification fails with gpg: BAD signature from "GitLab, Inc. <support@gitlab.com>" [unknown], ensure:

  • The file names are written in correct order.
  • The file names match the content of the archive.

Depending on what Linux distribution you use, the content of the archive might have a different suffix. This means you need to adjust the command accordingly. To confirm the content of the archive, run ar t gitlab-xxx.deb.

For example, for Ubuntu Focal (20.04):

$ ar t gitlab-ee_17.4.2-ee.0_amd64.deb
debian-binary
control.tar.xz
data.tar.xz
_gpgorigin
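The two failure causes listed above (wrong member order, wrong suffix) both come from hard-coding the member names. The added example below, which is not part of the GitLab documentation or the omnibus-gitlab project, takes the member list from `ar t` instead, so control.tar.gz and control.tar.xz packages verify with the same command. It assumes, as the page's steps imply, that the signed data is every member except _gpgorigin concatenated in archive order, and that the package signing key has already been imported into GnuPG. It also goes one step beyond `gpg --verify`'s exit code: a "Good signature" from any key in the keyring returns 0, so the function additionally requires the signing key's fingerprint to be the one shown in the page's sample output. The `ar t` listings in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the GitLab docs): verify a .deb's _gpgorigin signature
# without hard-coding member names, and pin the expected signing key.

# Fingerprint of the package signing key, from the docs' sample gpg output (no spaces).
EXPECTED_SIGNER_FPR="DBEF89774DDB9EB37D9FC3A03CFCF9BAF27EAB47"

# Read an "ar t" listing on stdin; print the signed members, space separated,
# in archive order, leaving out the signature member itself.
signed_members() {
  awk '$0 != "_gpgorigin" && NF { out = out (out ? " " : "") $0 } END { print out }'
}

# Return 0 if the listing on stdin contains a _gpgorigin member at all.
has_gpgorigin() {
  grep -qx '_gpgorigin'
}

# Verify one .deb. Returns 0 only if gpg reports a valid signature AND the
# signing key's fingerprint equals EXPECTED_SIGNER_FPR. Requires binutils' ar
# and a GnuPG keyring that already holds the package signing key.
verify_deb() {
  deb=$1
  case $deb in /*) abs=$deb ;; *) abs=$PWD/$deb ;; esac
  listing=$(ar t "$abs") || return 1
  printf '%s\n' "$listing" | has_gpgorigin ||
    { echo "$deb: no _gpgorigin member, package is unsigned" >&2; return 1; }
  members=$(printf '%s\n' "$listing" | signed_members)
  workdir=$(mktemp -d) || return 1
  (cd "$workdir" && ar x "$abs" _gpgorigin) || { rm -rf "$workdir"; return 1; }
  # $members is intentionally word-split into separate ar arguments.
  # --status-fd 1 gives a machine-readable VALIDSIG line; its third field is
  # the fingerprint of the key that made the signature.
  sig_fpr=$(ar p "$abs" $members |
            gpg --batch --status-fd 1 --verify "$workdir/_gpgorigin" - 2>/dev/null |
            awk '$2 == "VALIDSIG" { print $3; exit }')
  rm -rf "$workdir"
  if [ -z "$sig_fpr" ]; then
    echo "$deb: signature did not verify" >&2
    return 1
  fi
  if [ "$sig_fpr" != "$EXPECTED_SIGNER_FPR" ]; then
    echo "$deb: signed by $sig_fpr, expected $EXPECTED_SIGNER_FPR" >&2
    return 1
  fi
  echo "$deb: good signature from expected key"
}
```

Usage on a downloaded package: `verify_deb gitlab-ee_17.4.2-ee.0_amd64.deb`. Because the listing is read from the archive, the same call works for a focal package with .xz members and an older package with .gz members.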