script.deb.sh must set permissions on GPG pub key

Summary

script.deb.sh should explicitly set permissions on the gpg key otherwise the apt repo for gitlab-runner is not usable and the GPG key will cause problems.

Steps to reproduce

Follow the instructions for installing gitlab-runner via Ubuntu repo

curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.deb.sh" | sudo bash
sudo apt install gitlab-runner

Actual behavior

The official Ubuntu gitlab-runner package (OLD) from Canonical gets found instead of the one from packagecloud.io.

~:quokka2 # curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.deb.sh" | sudo bash
...
~:quokka2 # apt search gitlab-runner
Sorting... Done                                                                                                                                             Full Text Search... Done
gitlab-runner/focal,now 11.2.0+dfsg-2ubuntu1 amd64 [residual-config]                                                                                          GitLab Runner - runs continuous integration (CI) jobs                                                                                                     

~:quokka2 # apt install gitlab-runner=17.7.1-1 gitlab-runner-helper-images=17.7.1-1
Reading package lists... Done
Building dependency tree
Reading state information... Done                                                                                                                           E: Version '17.7.1-1' for 'gitlab-runner' was not found
E: Unable to locate package gitlab-runner-helper-images

That happens because the runner apt repo is not configured properly:

~:quokka2 # apt update
Hit:1 http://archive.ubuntu.com/ubuntu focal InRelease
Hit:2 http://archive.ubuntu.com/ubuntu focal-updates InRelease
Hit:3 http://archive.ubuntu.com/ubuntu focal-backports InRelease
Hit:4 http://archive.ubuntu.com/ubuntu focal-security InRelease
Hit:5 https://download.docker.com/linux/ubuntu focal InRelease
Hit:6 https://apt.releases.hashicorp.com focal InRelease
Hit:7 https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/8.0 InRelease
Hit:9 https://esm.ubuntu.com/apps/ubuntu focal-apps-security InRelease
Hit:10 https://esm.ubuntu.com/apps/ubuntu focal-apps-updates InRelease
Hit:8 https://packages.gitlab.com/runner/gitlab-runner/ubuntu focal InRelease
Hit:11 https://esm.ubuntu.com/infra/ubuntu focal-infra-security InRelease
Hit:12 https://esm.ubuntu.com/infra/ubuntu focal-infra-updates InRelease
Hit:13 https://esm.ubuntu.com/fips-updates/ubuntu focal-updates InRelease
Hit:14 http://ppa.launchpad.net/ansible/ansible/ubuntu focal InRelease
Err:8 https://packages.gitlab.com/runner/gitlab-runner/ubuntu focal InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 3F01618A51312F3F
Reading package lists... Done
Building dependency tree
Reading state information... Done
12 packages can be upgraded. Run 'apt list --upgradable' to see them.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.gitlab.com/runner/gitlab-runner/ubuntu focal InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 3F01618A51312F3F
W: Failed to fetch https://packages.gitlab.com/runner/gitlab-runner/ubuntu/dists/focal/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 3F01618A51312F3F
W: Some index files failed to download. They have been ignored, or old ones used instead.

Expected behavior

script.deb.sh should fully configure and integrate and apt repo definition for getting gitlab-runner

When the following line in the script.deb.sh is hit...

curl -fsSL "${gpg_key_url}" | gpg --dearmor > ${gpg_keyring_path}

...the resulting file has mode 640 and it MUST be 644 like the other gpg keys or apt update will still not work.

See omnibus-gitlab#5245 (comment 1507635782) which is the only thing that solved my problem (chmod).

Note the lack of any problems after setting the permissions from 640 to 640:

~:quokka2 # chmod 644 /usr/share/keyrings/runner_gitlab-runner-archive-keyring.gpg
~:quokka2 # apt update
Hit:1 http://archive.ubuntu.com/ubuntu focal InRelease
Hit:2 http://archive.ubuntu.com/ubuntu focal-updates InRelease
Hit:3 http://archive.ubuntu.com/ubuntu focal-backports InRelease
Hit:4 http://archive.ubuntu.com/ubuntu focal-security InRelease
Hit:5 http://ppa.launchpad.net/ansible/ansible/ubuntu focal InRelease
Hit:6 https://download.docker.com/linux/ubuntu focal InRelease
Hit:7 https://apt.releases.hashicorp.com focal InRelease
Hit:8 https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/8.0 InRelease
Hit:9 https://esm.ubuntu.com/apps/ubuntu focal-apps-security InRelease
Hit:10 https://esm.ubuntu.com/apps/ubuntu focal-apps-updates InRelease
Hit:11 https://esm.ubuntu.com/infra/ubuntu focal-infra-security InRelease
Hit:12 https://esm.ubuntu.com/infra/ubuntu focal-infra-updates InRelease
Hit:13 https://esm.ubuntu.com/fips-updates/ubuntu focal-updates InRelease
Hit:14 https://packages.gitlab.com/runner/gitlab-runner/ubuntu focal InRelease
Reading package lists... Done
Building dependency tree
Reading state information... Done
12 packages can be upgraded. Run 'apt list --upgradable' to see them.
~:quokka2 #

Relevant logs and/or screenshots

Environment description

Used GitLab Runner version

Possible fixes

The fix is mentioned above. I cannot for the life of me find the source file for script.deb.sh