Please provide a GitLab keyring package
Hello,
Thank you for signing the GitLab Debian package repository with your gpg key. This goes a long way in helping verify the integrity of the package.
However, simply providing a gpg key isn't quite enough. If that key needs to be revoked (compromise, etc.), replaced, re-issued (e.g. when people moved from SHA1), or new certifications are necessary (such as expirations), then everyone who has obtained your repository keyring, and installed it in their apt keyring, will not receive any of those critical updates. Why? Well, that is simple: without a proper method for updating your keyring, you will not get any updates to the keys, either expirations or revocations, both of which are very important! The only way that people will receive updates to your repository keyring right now is if you push an update to the keyservers, and then users somehow refresh their keys from those keyservers.
Debian, Ubuntu, and other projects fix this disconnect by providing a debian-archive-keyring package that you install. It provides the repository keyring, installs it into the apt keyring, and then can be easily updated through the Debian package updating mechanism to take care of those key updates.
Would GitLab consider providing such a package? The debian-archive-keyring is a simple package that is easily adopted for your purposes. I've done it before for projects I've worked on. It would be easy to swap out the Debian pieces with the GitLab pieces and simply install that package in the installation process.
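
The gap described in this request can be checked on an installed system: the script below is an added example, not part of the original post or of any GitLab or Debian package, and it flags revoked, expired, or soon-to-expire repository signing keys in `gpg --with-colons` output. The function names, the 30-day threshold, the `NAME.gpg` placeholder, and the sample listing are assumptions made for illustration; dates are assumed to be epoch seconds.

```shell
#!/bin/sh
# Added example: flag stale signing keys in `gpg --with-colons` output.
# Field layout (GnuPG doc/DETAILS): 1=record type, 2=validity,
# 5=key ID, 7=expiration time (epoch seconds assumed, empty = never).

# Reads a colon listing on stdin; $1 = "now" as epoch seconds.
# Prints one line per primary key: "<keyid> <status>".
audit_keys() {
    awk -F: -v now="$1" '
        $1 == "pub" {
            status = "ok"
            if ($2 == "r")                            status = "revoked"
            else if ($2 == "e")                       status = "expired"
            else if ($7 != "" && $7 + 0 <= now)       status = "expired"
            else if ($7 != "" && $7 - now < 30*86400) status = "expiring-soon"
            print $5, status
        }'
}

# Constructed sample listing (key IDs, dates and uid are made up).
SAMPLE='pub:-:4096:1:AAAAAAAAAAAAAAAA:1400000000:::-:::scESC::::::23::0:
uid:-::::1400000000::HASH::Example Repo <repo@example.invalid>::::::::::0:
pub:e:4096:1:BBBBBBBBBBBBBBBB:1400000000:1500000000::-:::sc::::::23::0:
pub:r:4096:1:CCCCCCCCCCCCCCCC:1400000000:::-:::sc::::::23::0:
pub:-:4096:1:DDDDDDDDDDDDDDDD:1400000000:1701000000::-:::scESC::::::23::0:'

# Fixed "now" (2023-11-14T22:13:20Z) so the result is reproducible.
audit_sample() { printf '%s\n' "$SAMPLE" | audit_keys 1700000000; }

# On a real system (NAME.gpg is a placeholder for the repository keyring):
#   gpg --no-default-keyring --keyring /etc/apt/trusted.gpg.d/NAME.gpg \
#       --list-keys --with-colons | audit_keys "$(date +%s)"
audit_sample
```

The validity field only reflects a revocation or a new expiration date if the local copy of the key has been refreshed, which is exactly what a keyring package delivered through apt would take care of.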