GPG key used to sign RPMs is expired
Hello, it appears your GPG key is expired:
curl -s https://packages.gitlab.com/gpg.key | gpg2 | grep expires
sub 4096R/5FFF7061 2020-03-02 [expires: 2022-03-02]
My Amazon Linux 2 runners are trying to come online and are running the script at https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.rpm.sh
The script fails with:
failure: repodata/repomd.xml from runner_gitlab-runner: [Errno 256] No more mirrors to try.
https://packages.gitlab.com/runner/gitlab-runner/el/7/x86_64/repodata/repomd.xml: [Errno -1] repomd.xml signature could not be verified for runner_gitlab-runner
It appears this is affecting other folks, too: https://twitter.com/agbosteven/status/1499068403826544646
- Author
This appears to be tracked at omnibus-gitlab#6701 (closed)
After updating to the new key it works again. Problem solved.
The GitLab Runner GPG key appears to be expired again:
GPG key at https://packages.gitlab.com/runner/gitlab-runner/gpgkey (0x51312F3F) is already installed
runner_gitlab-runner 11 kB/s | 3.1 kB 00:00
Importing GPG key 0x35DFA027:
Userid : "GitLab, Inc. <support@gitlab.com>"
Fingerprint: 09E5 7083 F34C CA94 D541 BC58 A674 BF81 35DF A027
From : https://packages.gitlab.com/runner/gitlab-runner/gpgkey/runner-gitlab-runner-4C80FB51394521E9.pub.gpg
error: Certificate A674BF8135DFA027: The certificate is expired: The primary key is not live
Key import failed (code 2). Failing package is: gitlab-runner-16.2.1-1.x86_64
GPG Keys are configured as: https://packages.gitlab.com/runner/gitlab-runner/gpgkey, https://packages.gitlab.com/runner/gitlab-runner/gpgkey/runner-gitlab-runner-4C80FB51394521E9.pub.gpg, https://packages.gitlab.com/runner/gitlab-runner/gpgkey/runner-gitlab-runner-49F16C5CC3A0F81F.pub.gpg
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED
@DarrenEastman this blocks installation of gitlab-runner on any machine that dares to check signatures
- Michael Hofmann mentioned in issue cki-project/infrastructure#168 (closed)
- Darren Eastman mentioned in issue #29487 (closed)
- Tales da Aparecida mentioned in issue cki-project/infrastructure#238 (closed)
- John Villalovos mentioned in issue #37235 (closed)
For my fresh install I ended up using libfaketime as a hopefully temporary work-around. Sort of like this:
dnf install -y libfaketime wget
wget https://packages.gitlab.com/runner/gitlab-runner/gpgkey/runner-gitlab-runner-4C80FB51394521E9.pub.gpg
faketime '2023-06-01 00:00:01' rpm --import runner-gitlab-runner-4C80FB51394521E9.pub.gpg
Then I was able to install gitlab-runner
- Maintainer
@JohnVillalovos Where did you get the https://packages.gitlab.com/runner/gitlab-runner/gpgkey/runner-gitlab-runner-4C80FB51394521E9.pub.gpg key from?
The latest key is specified here https://docs.gitlab.com/runner/install/linux-repository.html - https://packages.gitlab.com/runner/gitlab-runner/gpgkey/runner-gitlab-runner-49F16C5CC3A0F81F.pub.gpg
This one is supposed to expire on 2024-03-01
UPDATE: See Michael Hofmann comment below which shows it is still not working
The key is used when installing the GitLab runner for Fedora 38. More info in #37235 (closed)
But basically follow the steps to install on Fedora 38:
curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.rpm.sh" | sudo bash
But I just did that in a container and seems like the key has magically been updated to not be expired.
<snip>
Importing GPG key 0x35DFA027:
Userid : "GitLab, Inc. <support@gitlab.com>"
Fingerprint: 09E5 7083 F34C CA94 D541 BC58 A674 BF81 35DF A027
From : https://packages.gitlab.com/runner/gitlab-runner/gpgkey/runner-gitlab-runner-4C80FB51394521E9.pub.gpg
<snip>
Edited by John Villalovos
to reproduce, in a FC38 container:
curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.rpm.sh" | sudo bash
...
Importing GPG key 0x51312F3F:
Userid : "GitLab B.V. (package repository signing key) <packages@gitlab.com>"
Fingerprint: F640 3F65 44A3 8863 DAA0 B6E0 3F01 618A 5131 2F3F
From : https://packages.gitlab.com/runner/gitlab-runner/gpgkey
runner_gitlab-runner-source 9.5 kB/s | 3.1 kB 00:00
Importing GPG key 0x35DFA027:
Userid : "GitLab, Inc. <support@gitlab.com>"
Fingerprint: 09E5 7083 F34C CA94 D541 BC58 A674 BF81 35DF A027
From : https://packages.gitlab.com/runner/gitlab-runner/gpgkey/runner-gitlab-runner-4C80FB51394521E9.pub.gpg
runner_gitlab-runner-source 11 kB/s | 3.1 kB 00:00
Importing GPG key 0x6BA75A4E:
Userid : "GitLab, Inc. <support@gitlab.com>"
Fingerprint: 931D A69C FA3A FEBB C97D AA8C 6C57 C29C 6BA7 5A4E
From : https://packages.gitlab.com/runner/gitlab-runner/gpgkey/runner-gitlab-runner-49F16C5CC3A0F81F.pub.gpg
This all still looks good, but now:
dnf install gitlab-runner
...
Total download size: 480 M
Installed size: 557 M
Is this ok [y/N]: y
...
Importing GPG key 0x51312F3F:
Userid : "GitLab B.V. (package repository signing key) <packages@gitlab.com>"
Fingerprint: F640 3F65 44A3 8863 DAA0 B6E0 3F01 618A 5131 2F3F
From : https://packages.gitlab.com/runner/gitlab-runner/gpgkey
Is this ok [y/N]: y
Key imported successfully
runner_gitlab-runner 8.1 kB/s | 3.1 kB 00:00
Importing GPG key 0x35DFA027:
Userid : "GitLab, Inc. <support@gitlab.com>"
Fingerprint: 09E5 7083 F34C CA94 D541 BC58 A674 BF81 35DF A027
From : https://packages.gitlab.com/runner/gitlab-runner/gpgkey/runner-gitlab-runner-4C80FB51394521E9.pub.gpg
Is this ok [y/N]: y
error: Certificate A674BF8135DFA027: The certificate is expired: The primary key is not live
Key import failed (code 2). Failing package is: gitlab-runner-16.8.0-1.x86_64
GPG Keys are configured as: https://packages.gitlab.com/runner/gitlab-runner/gpgkey, https://packages.gitlab.com/runner/gitlab-runner/gpgkey/runner-gitlab-runner-4C80FB51394521E9.pub.gpg, https://packages.gitlab.com/runner/gitlab-runner/gpgkey/runner-gitlab-runner-49F16C5CC3A0F81F.pub.gpg
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED
running this again and skipping the invalid key gives
dnf install gitlab-runner
...
GPG key at https://packages.gitlab.com/runner/gitlab-runner/gpgkey (0x51312F3F) is already installed
runner_gitlab-runner 8.5 kB/s | 3.1 kB 00:00
Importing GPG key 0x35DFA027:
Userid : "GitLab, Inc. <support@gitlab.com>"
Fingerprint: 09E5 7083 F34C CA94 D541 BC58 A674 BF81 35DF A027
From : https://packages.gitlab.com/runner/gitlab-runner/gpgkey/runner-gitlab-runner-4C80FB51394521E9.pub.gpg
Is this ok [y/N]: n
runner_gitlab-runner 8.6 kB/s | 3.1 kB 00:00
Importing GPG key 0x6BA75A4E:
Userid : "GitLab, Inc. <support@gitlab.com>"
Fingerprint: 931D A69C FA3A FEBB C97D AA8C 6C57 C29C 6BA7 5A4E
From : https://packages.gitlab.com/runner/gitlab-runner/gpgkey/runner-gitlab-runner-49F16C5CC3A0F81F.pub.gpg
Is this ok [y/N]: y
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
...
but obviously that fails for
dnf install -y gitlab-runner
as that tries to accept all keys and fails when the 2nd key can't be imported.
Edited by Michael Hofmann
Thanks! For some reason I was thinking it installed the runner with the command I posted.
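Added example, not part of the original thread and not GitLab's tooling: a pre-flight check that reports which configured repository keys are expired, or will expire within a given number of days, before dnf or rpm tries to import them. It assumes a GnuPG version that provides --show-keys; the function names are hypothetical, and the sample records are constructed (key IDs reused from the dnf output above plus one placeholder, with made-up key sizes and timestamps).

```shell
#!/bin/sh
# Constructed sample of `gpg --show-keys --with-colons` records, trimmed to the
# first seven fields. The first two key IDs come from the dnf output in this
# thread; the third is a placeholder. Key sizes and timestamps are made up.
sample_listing() {
    cat <<'EOF'
pub:e:4096:1:A674BF8135DFA027:1583107200:1677715200:
pub:-:4096:1:6C57C29C6BA75A4E:1583107200:1709251200:
pub:-:4096:1:FFFFFFFFFFFFFFFF:1583107200::
EOF
}

# expired_keys HORIZON_EPOCH
# Reads colon-format records on stdin. Field 5 is the key ID and field 7 the
# expiry in epoch seconds (empty means no expiry). Prints "type keyid expiry"
# for every primary key or subkey that expires at or before HORIZON_EPOCH.
expired_keys() {
    awk -F: -v horizon="$1" '
        ($1 == "pub" || $1 == "sub") && $7 != "" && ($7 + 0) <= (horizon + 0) {
            print $1, $5, $7
        }'
}

# check_key_file FILE [DAYS]
# Returns 0 if no key in FILE expires within DAYS days (default 0 = now),
# 1 if any does (offenders listed on stderr), 2 if gpg cannot read FILE.
check_key_file() {
    listing=$(gpg --show-keys --with-colons "$1") || return 2
    horizon=$(( $(date +%s) + ${2:-0} * 86400 ))
    hits=$(printf '%s\n' "$listing" | expired_keys "$horizon")
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits" >&2
    return 1
}
```

Running check_key_file with a look-ahead (for example 30 days) against each downloaded key file in provisioning or CI surfaces an upcoming expiry before unattended installs start failing the GPG check.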
- Nicole Williams mentioned in issue #30934 (closed)
- Georgi N. Georgiev closed