Packagecloud repo signing keys expiring 2020-04-15
The keys used to sign the package repo metadata for all repositories (e.g. gitlab-ce and gitlab-ee) are expiring on 2020-04-15.
This issue initially serves as a reminder, with a due date, to come up with a plan for migrating to a new key. (The due date is being used as a reminder to schedule this issue, as an email will be sent out the day before.)
This will depend heavily on PackageCloud's own support for this process (it looks like there is no dual-signing, so a repository cannot be signed with both the old and the new key during a transition). Info regarding PackageCloud keys can be found here: https://packagecloud.atlassian.net/wiki/spaces/ENTERPRISE/pages/15269922/GPG
PackageCloud's own SaaS recently implemented changes that required some of their repos to update keys, and they documented a process here: https://blog.packagecloud.io/eng/2018/10/17/gpg-key-migration/#repository-owners-how-can-i-migrate-my-repository-to-the-new-signing-key
There has also been some previous discussion of using a keyring package to help get the new keys to users: gitlab-org/omnibus-gitlab#3897 (closed) and https://wiki.debian.org/DebianRepository/UseThirdParty
Note that the linked issue is for our package signing keys, which is a different key from the repository signing key, but there was some confusion in that discussion and many of the comments apply more to the repository key.
If users don't update the key, apt-get update and apt-get install will no longer grab the latest version of GitLab: apt rejects repository metadata whose signature was made with an expired key, so the package index for the repo stops refreshing and installs see only the cached package list. This will mostly affect users who are doing auto updates. For users who are manually updating, we will have key updating instructions in the upgrade docs.
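A check a practitioner would want before the deadline is a script that reports how long the repository signing key installed on a host has left. The following is an added example, not code from this issue or from the omnibus-gitlab project: it parses the machine-readable `gpg --with-colons` output (field 7 of a `pub`/`sub` record is the expiry, as epoch seconds in modern gpg) and flags keys that are expired or about to expire. The sample gpg output, key IDs and fingerprints embedded below are constructed for the example; the keyring path under /etc/apt/trusted.gpg.d/ used in the comment is an assumption about where the packagecloud install script puts the key.

```python
"""Report expiry of repository signing keys from gpg's --with-colons output."""
import subprocess
import sys
import time
from datetime import datetime, timezone

DAY = 86400

# Constructed sample of `gpg --show-keys --with-colons <keyring>` output (not a
# real key): a primary key expiring 2020-04-15 00:00 UTC (epoch 1586908800) and
# a signing subkey with no expiry. Key IDs and fingerprints are made up.
SAMPLE_COLONS = """\
pub:-:4096:1:0123456789ABCDEF:1460000000:1586908800::-:::scESC::::::23::0:
fpr:::::::::0000111122223333444455550123456789ABCDEF:
uid:-::::1460000000::0000000000000000000000000000000000000000::Example Repo (repository signing key) <repo@example.invalid>::::::::::0:
sub:-:4096:1:FEDCBA9876543210:1460000000::::::s::::::23:
fpr:::::::::5555444433332222111100000FEDCBA9876543210:
"""


def _parse_gpg_time(raw):
    """gpg normally emits epoch seconds; very old versions emit YYYY-MM-DD."""
    if not raw:
        return None
    if "-" in raw:
        dt = datetime.strptime(raw, "%Y-%m-%d").replace(tzinfo=timezone.utc)
        return int(dt.timestamp())
    return int(raw)


def parse_key_records(colons_output):
    """Return [(record_type, key_id, expires_epoch_or_None)] for pub/sub records.

    Colon-separated fields (1-based): 1 record type, 5 key ID, 6 creation, 7 expiry.
    """
    records = []
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sub"):
            continue
        records.append((fields[0], fields[4], _parse_gpg_time(fields[6])))
    return records


def expiry_report(colons_output, now, warn_days=30):
    """Classify each key as 'expired', 'expiring' (within warn_days), 'ok' or 'no-expiry'.

    `now` is epoch seconds. days_left is floored, so it goes negative once expired.
    """
    report = []
    for rec_type, key_id, expires in parse_key_records(colons_output):
        if expires is None:
            status, days_left = "no-expiry", None
        else:
            days_left = (expires - now) // DAY
            if expires <= now:
                status = "expired"
            elif days_left <= warn_days:
                status = "expiring"
            else:
                status = "ok"
        report.append({"type": rec_type, "key_id": key_id, "expires": expires,
                       "days_left": days_left, "status": status})
    return report


def needs_action(report):
    """True if any key in the report is expired or about to expire."""
    return any(row["status"] in ("expired", "expiring") for row in report)


def gpg_colons(keyring_path):
    """List the keys in a keyring file without importing them (gpg >= 2.2).

    Example path (assumed, not taken from the issue): /etc/apt/trusted.gpg.d/gitlab_gitlab-ce.gpg
    """
    proc = subprocess.run(["gpg", "--show-keys", "--with-colons", keyring_path],
                          check=True, capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    output = gpg_colons(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_COLONS
    rows = expiry_report(output, now=int(time.time()))
    for row in rows:
        when = "never" if row["expires"] is None else datetime.fromtimestamp(
            row["expires"], tz=timezone.utc).strftime("%Y-%m-%d")
        print(f"{row['type']} {row['key_id']} expires {when} ({row['status']}, "
              f"{row['days_left']} days left)")
    sys.exit(1 if needs_action(rows) else 0)
```

Run it with a keyring file as the only argument on each host (or in a cron job) and alert on a non-zero exit; without an argument it evaluates the embedded sample. Only the primary key's expiry is what apt checks against the repository Release signature when the signing subkey itself has no expiry, which is why both record types are reported.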