script.deb.sh must set permissions on GPG pub key (#38898) · Issues · GitLab.org / gitlab-runner

script.deb.sh must set permissions on GPG pub key

## Summary script.deb.sh should explicitly set permissions on the gpg key otherwise the apt repo for gitlab-runner is not usable and the GPG key will cause problems. ## Steps to reproduce Follow the [instructions](https://docs.gitlab.com/runner/install/linux-repository/) for installing gitlab-runner via Ubuntu repo ``` curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.deb.sh" | sudo bash sudo apt install gitlab-runner ``` ## Actual behavior The official Ubuntu gitlab-runner package (OLD) from **Canonical** gets found instead of the one from packagecloud.io. ``` ~:quokka2 # curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.deb.sh" | sudo bash ... ~:quokka2 # apt search gitlab-runner Sorting... Done Full Text Search... Done gitlab-runner/focal,now 11.2.0+dfsg-2ubuntu1 amd64 [residual-config] GitLab Runner - runs continuous integration (CI) jobs ~:quokka2 # apt install gitlab-runner=17.7.1-1 gitlab-runner-helper-images=17.7.1-1 Reading package lists... Done Building dependency tree Reading state information... Done E: Version '17.7.1-1' for 'gitlab-runner' was not found E: Unable to locate package gitlab-runner-helper-images ``` That happens because the runner apt repo is not configured properly: ``` ~:quokka2 # apt update Hit:1 http://archive.ubuntu.com/ubuntu focal InRelease Hit:2 http://archive.ubuntu.com/ubuntu focal-updates InRelease Hit:3 http://archive.ubuntu.com/ubuntu focal-backports InRelease Hit:4 http://archive.ubuntu.com/ubuntu focal-security InRelease Hit:5 https://download.docker.com/linux/ubuntu focal InRelease Hit:6 https://apt.releases.hashicorp.com focal InRelease Hit:7 https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/8.0 InRelease Hit:9 https://esm.ubuntu.com/apps/ubuntu focal-apps-security InRelease Hit:10 https://esm.ubuntu.com/apps/ubuntu focal-apps-updates InRelease Hit:8 https://packages.gitlab.com/runner/gitlab-runner/ubuntu focal InRelease Hit:11 https://esm.ubuntu.com/infra/ubuntu focal-infra-security InRelease Hit:12 https://esm.ubuntu.com/infra/ubuntu focal-infra-updates InRelease Hit:13 https://esm.ubuntu.com/fips-updates/ubuntu focal-updates InRelease Hit:14 http://ppa.launchpad.net/ansible/ansible/ubuntu focal InRelease Err:8 https://packages.gitlab.com/runner/gitlab-runner/ubuntu focal InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 3F01618A51312F3F Reading package lists... Done Building dependency tree Reading state information... Done 12 packages can be upgraded. Run 'apt list --upgradable' to see them. W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.gitlab.com/runner/gitlab-runner/ubuntu focal InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 3F01618A51312F3F W: Failed to fetch https://packages.gitlab.com/runner/gitlab-runner/ubuntu/dists/focal/InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 3F01618A51312F3F W: Some index files failed to download. They have been ignored, or old ones used instead. ``` ## Expected behavior script.deb.sh should fully configure and integrate and apt repo definition for getting gitlab-runner When the following line in the script.deb.sh is hit... `curl -fsSL "${gpg_key_url}" | gpg --dearmor > ${gpg_keyring_path}` ...the resulting file has mode 640 and it **MUST** be 644 like the other gpg keys or apt update will still not work. See https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/5245#note_1507635782 which is the **only** thing that solved my problem (chmod). Note the lack of any problems after setting the permissions from 640 to 640: ``` ~:quokka2 # chmod 644 /usr/share/keyrings/runner_gitlab-runner-archive-keyring.gpg ~:quokka2 # apt update Hit:1 http://archive.ubuntu.com/ubuntu focal InRelease Hit:2 http://archive.ubuntu.com/ubuntu focal-updates InRelease Hit:3 http://archive.ubuntu.com/ubuntu focal-backports InRelease Hit:4 http://archive.ubuntu.com/ubuntu focal-security InRelease Hit:5 http://ppa.launchpad.net/ansible/ansible/ubuntu focal InRelease Hit:6 https://download.docker.com/linux/ubuntu focal InRelease Hit:7 https://apt.releases.hashicorp.com focal InRelease Hit:8 https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/8.0 InRelease Hit:9 https://esm.ubuntu.com/apps/ubuntu focal-apps-security InRelease Hit:10 https://esm.ubuntu.com/apps/ubuntu focal-apps-updates InRelease Hit:11 https://esm.ubuntu.com/infra/ubuntu focal-infra-security InRelease Hit:12 https://esm.ubuntu.com/infra/ubuntu focal-infra-updates InRelease Hit:13 https://esm.ubuntu.com/fips-updates/ubuntu focal-updates InRelease Hit:14 https://packages.gitlab.com/runner/gitlab-runner/ubuntu focal InRelease Reading package lists... Done Building dependency tree Reading state information... Done 12 packages can be upgraded. Run 'apt list --upgradable' to see them. ~:quokka2 # ``` ## Relevant logs and/or screenshots ## Environment description ### Used GitLab Runner version ## Possible fixes The fix is mentioned above. I cannot for the life of me find the source file for `script.deb.sh`

issue