Update expired GPG key via chef
Summary
We download GitLab packages from https://packages.gitlab.com/
and verify the packages via their GPG signature. The signing key has an expiry date; when it expires we have to update the key manually, which is not ideal, and it should be handled by Chef for us.
steve@gitaly-02a-stor-gstg.c.gitlab-gitaly-gstg-380a.internal:~$ sudo apt-key list
...
pub rsa4096 2020-03-02 [SC] [expires: 2026-02-27]
F640 3F65 44A3 8863 DAA0 B6E0 3F01 618A 5131 2F3F
uid [ unknown] GitLab B.V. (package repository signing key) <packages@gitlab.com>
sub rsa4096 2020-03-02 [E] [expires: 2026-02-27]
...
Related Incident(s)
Desired Outcome/Acceptance Criteria
Have a Chef recipe that runs on every chef-client run and checks whether the packages@gitlab.com key has expired. If it has, the recipe follows https://docs.gitlab.com/omnibus/update/package_signatures#fetching-new-keys-after-2020-04-06 to renew the key.
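The check described above, written as plain Ruby so it can sit behind an `only_if` guard in a Chef `execute` resource. This is an added example and not code from the issue or from GitLab's Chef repo; the sample `apt-key list` output is constructed from the excerpt in the summary, the key URL is taken from the linked omnibus documentation and should be confirmed against it, and the 14-day grace window is an assumption chosen so that an expiring key is rotated before it breaks apt between chef-client runs. The parser also accepts the `[expired: ...]` form that gpg prints once a key has lapsed, which is the state the recipe most needs to catch.

```ruby
require 'date'

# Constructed sample, taken from the `apt-key list` excerpt in this issue.
SAMPLE_APT_KEY_LIST = <<~OUT
  pub   rsa4096 2020-03-02 [SC] [expires: 2026-02-27]
        F640 3F65 44A3 8863 DAA0  B6E0 3F01 618A 5131 2F3F
  uid           [ unknown] GitLab B.V. (package repository signing key) <packages@gitlab.com>
  sub   rsa4096 2020-03-02 [E] [expires: 2026-02-27]
OUT

GITLAB_KEY_UID = 'packages@gitlab.com'.freeze
# Key URL as given in the linked omnibus documentation (assumed here; confirm against that page).
GITLAB_KEY_URL = 'https://packages.gitlab.com/gpg.key'.freeze

# `pub` line: algorithm, creation date, usage flags, optional expiry. gpg prints
# "[expires: ...]" for a live key and "[expired: ...]" once it has lapsed.
PUB_LINE = /\Apub\s+\S+\s+\d{4}-\d{2}-\d{2}\s+\[[^\]]*\](?:\s+\[(?:expires|expired):\s*(?<date>\d{4}-\d{2}-\d{2})\])?/
UID_LINE = /\Auid\s+(?<uid>.+)\z/

# Parse `apt-key list` / `gpg --list-keys` text into one hash per public key:
# { expires: Date or nil (never expires), uids: [String, ...] }
def parse_apt_key_list(text)
  keys = []
  text.each_line(chomp: true) do |line|
    if (m = PUB_LINE.match(line))
      keys << { expires: m[:date] && Date.parse(m[:date]), uids: [] }
    elsif (m = UID_LINE.match(line)) && !keys.empty?
      keys.last[:uids] << m[:uid].strip
    end
  end
  keys
end

# Expiry Date of the key whose uid contains `uid`; nil if it never expires;
# :missing if no such key is in the keyring at all.
def gitlab_key_expiry(text, uid = GITLAB_KEY_UID)
  key = parse_apt_key_list(text).find { |k| k[:uids].any? { |u| u.include?(uid) } }
  return :missing unless key
  key[:expires]
end

# :missing, :expired, :expiring (within grace_days of expiry), or :ok.
def gitlab_key_status(text, today: Date.today, grace_days: 14)
  expiry = gitlab_key_expiry(text)
  return :missing if expiry == :missing
  return :ok if expiry.nil?
  return :expired if expiry < today
  return :expiring if expiry - today <= grace_days
  :ok
end

def renewal_needed?(status)
  %i[missing expired expiring].include?(status)
end

# The "fetching new keys" step from the linked doc: re-download and import the key.
# Intended to run as root on the host; returns true when both commands succeed.
def renew_gitlab_key!(url = GITLAB_KEY_URL)
  system('sh', '-c', "curl -fsSL #{url} | apt-key add -")
end

if __FILE__ == $PROGRAM_NAME
  status = gitlab_key_status(SAMPLE_APT_KEY_LIST)
  puts "packages@gitlab.com key status on #{Date.today}: #{status}"
  puts "would run: curl -fsSL #{GITLAB_KEY_URL} | apt-key add -" if renewal_needed?(status)
end
```

On a real host the recipe would feed `shell_out('apt-key list').stdout` (or the keyring's `gpg --list-keys` output) into `gitlab_key_status` and call the renewal only when `renewal_needed?` is true, so the run stays idempotent. Note that the expiry check alone does not prove the downloaded replacement is the right key; comparing the new key's fingerprint against the one pinned in the documentation before importing it is the extra step worth adding to the recipe.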
Corrective Action Issue Checklist
- Link the incident(s) this corrective action arose from
- Give context for what problem this corrective action is trying to prevent re-occurring
- Assign a severity label (this is the highest sev of related incidents, defaults to 'severity::4')
- Assign a priority (this will default to 'Reliability::P4' but should match the severity of the related incident)
- Assign a service label